From fc65fa480bbcc791ff66954e87bc120b4b37bdb5 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 22 Dec 2022 09:31:45 -0600 Subject: [PATCH 001/255] Bumped .CFVERSION to 3.21.1 Signed-off-by: Craig Comstock --- .CFVERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.CFVERSION b/.CFVERSION index 6075c9a9ff..4c5e482b21 100644 --- a/.CFVERSION +++ b/.CFVERSION @@ -1 +1 @@ -3.21.0 +3.21.1 From 6caf2166f2ebfa7367b7b9d6e370d7c372295cfe Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Thu, 29 Dec 2022 13:25:22 -0600 Subject: [PATCH 002/255] Added --help option to cf-support and aligned output with other components This change simply added an explicit --help option and aligned output with other components. Ticket: ENT-9740 Changelog: Title (cherry picked from commit 470d3a64a6272b5352cc78127d47ea9a85b5d9fd) --- misc/cf-support | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/misc/cf-support b/misc/cf-support index b8b92c7655..f4f49ccd48 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -4,9 +4,15 @@ export WORKDIR=/var/cfengine export BINDIR="$WORKDIR/bin" export non_interactive=0 -if [ $# -gt 1 ]; then - echo "usage: $(basename "$0") [--yes]" - echo ' --yes - Non-interactive use. Assume no ticket number and assume include masterfiles.' +if [ $# -gt 1 ] || [ "$1" = "--help" ] || ["$1" = "-h" ]; then + echo "usage: $(basename "$0") [OPTIONS]" + echo '' + echo 'Options:' + echo ' --yes, -y - Non-interactive use. Assume no ticket number and assume include masterfiles.' + echo ' --help, -h - Print the help message' + echo '' + echo 'Website: http://www.cfengine.com' + echo 'This software is Copyright (C) 2008,2010-present Northern.tech AS.' exit 1 fi From 2e012b86481516740feeb9df70f94da9a040fe11 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Tue, 20 Dec 2022 16:42:33 -0600 Subject: [PATCH 003/255] Added condition to runalerts service to require stamp directory The directory really needs to exist in order for the service to update time-stamps. There is policy managing it's existence, so if we wait for it, it will appear. Ticket: ENT-9711 Changelog: Title (cherry picked from commit f9636ca357fdc9c4166c681675df91f623d30e10) (cherry picked from commit db498ea4cca73faa106f82bf63c47e60bb30d08c) --- misc/systemd/cf-runalerts.service.in | 1 + 1 file changed, 1 insertion(+) diff --git a/misc/systemd/cf-runalerts.service.in b/misc/systemd/cf-runalerts.service.in index 989614c8d4..9a79480e02 100644 --- a/misc/systemd/cf-runalerts.service.in +++ b/misc/systemd/cf-runalerts.service.in @@ -3,6 +3,7 @@ Description=CFEngine Enterprise SQL Alerts After=syslog.target ConditionPathExists=@bindir@/runalerts.php ConditionFileIsExecutable=@workdir@/httpd/php/bin/php +ConditionPathIsDirectory=@workdir@/httpd/php/runalerts-stamp PartOf=cfengine3.service After=cf-postgres.service From 2e24612def66fd1b36c50ab40fc44df9e18409ef Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 4 Jan 2023 14:43:14 -0600 Subject: [PATCH 004/255] Updated getusers() example to illustrate the filtering capabilities Ticket: CFE-4127 Changelog: None (cherry picked from commit 5bf7c24fd9383bdfe12d53b5b4f505916f32f783) --- examples/getusers.cf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/examples/getusers.cf b/examples/getusers.cf index 97119aa92c..faa37a0450 100644 --- a/examples/getusers.cf +++ b/examples/getusers.cf @@ -29,6 +29,25 @@ body common control bundle agent example { vars: + + # The getusers function takes two filtering arguments: exclude_names and + # exclude_ids, both a comma separated list of usernames and user IDs + # respectively. + + # To get users with a uid 1000 and greater we generate a list of uids from + # 0 to 999 and convert it into a comma separated string used to filter the + # list of users. + + "users_with_uid_gt_999" + slist => getusers( "", join( ",", expandrange( "[0-999]", 1 ) ) ); + + # Here we get a list of users except usernames nfsnobody and vagrant as + # well as any users with uid 8 or 9 + + "users_except_nfsnobody_and_vagrant_and_uid_8_and_9" + slist => getusers( "nfsnobody,vagrant", "8,9" ); + + # Here we get a list of all users by not filtering any "allusers" slist => getusers("",""); "root_list" slist => { "root" }; # this will get just the root users out of the full user list From 6c7d4e6643921969a23477be06cff7a534b1f6cb Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 11 Jan 2023 09:45:09 -0600 Subject: [PATCH 005/255] Fixed syntax description of validjson() This change simply clarifies that the input to the function is a string and not a data container. Ticket: ENT-9759 Changelog: Title (cherry picked from commit daa2e78724ac26ba91159fc6a46aa506ce0c2ef9) --- libpromises/evalfunction.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index 52c4c544bc..503237aca8 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -9589,7 +9589,7 @@ static const FnCallArg READDATA_ARGS[] = static const FnCallArg VALIDDATA_ARGS[] = { - {CF_ANYSTRING, CF_DATA_TYPE_STRING, "Data to validate"}, + {CF_ANYSTRING, CF_DATA_TYPE_STRING, "String to validate as JSON"}, {"JSON", CF_DATA_TYPE_OPTION, "Type of data to validate"}, {NULL, CF_DATA_TYPE_NONE, NULL} }; From 70ec17e78d19f8ed75dd3c5bd64885b286854fcd Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 29 Dec 2022 16:22:21 -0600 Subject: [PATCH 006/255] Enabled install-time selinux policy compiling by installing the .te and .fc files as well as the build .pp file buildscripts repo will need install scripts changes to take advantage of this change. Ticket: ENT-9685 Changelog: title (cherry picked from commit 773cba7efb47d3efe61edd9cbf8a19ec7492d1ad) (cherry picked from commit 6fca8ed97576696b048aecb211fe90db260da1e8) --- misc/selinux/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) diff --git a/misc/selinux/Makefile.am b/misc/selinux/Makefile.am index 8598e7667b..b0639ef52f 100644 --- a/misc/selinux/Makefile.am +++ b/misc/selinux/Makefile.am @@ -4,6 +4,8 @@ cfengine-enterprise.pp: cfengine-enterprise.te cfengine-enterprise.fc selinuxdir = $(prefix)/selinux selinux_DATA = cfengine-enterprise.pp +selinux_DATA += cfengine-enterprise.te +selinux_DATA += cfengine-enterprise.fc clean-local: rm -rf tmp From 63330620dd4cf502fd075e9c32d8fce4ec33b38c Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 5 Jan 2023 11:31:11 -0600 Subject: [PATCH 007/255] Added needed selinux class lockdown for latest rhel-9 hosts Ticket: ENT-9685 Changelog: title (cherry picked from commit 428e1e6c34c69c2d1665d2bbd09bc4636272ec1a) --- misc/selinux/cfengine-enterprise.te | 1 + 1 file changed, 1 insertion(+) diff --git a/misc/selinux/cfengine-enterprise.te b/misc/selinux/cfengine-enterprise.te index 37b721b6e4..d44339de6d 100644 --- a/misc/selinux/cfengine-enterprise.te +++ b/misc/selinux/cfengine-enterprise.te @@ -89,6 +89,7 @@ require { type ssh_exec_t; type ssh_home_t; type rpm_script_t; + class lockdown { confidentiality integrity }; class tcp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown name_connect accept listen name_bind node_bind }; class udp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown node_bind }; class sock_file { create write getattr setattr unlink }; From 44dead926cf9270c2330967233567d7f6dd80fd7 Mon Sep 17 00:00:00 2001 From: Aleksei Shpakovskii Date: Thu, 12 Jan 2023 13:33:26 +0100 Subject: [PATCH 008/255] Add valgrind tests to github actions Ticket: ENT-9158 (cherry picked from commit b6e67f89a8291b893e8a133b862ed38213d0e01e) --- .github/workflows/ci.yml | 3 +++ .github/workflows/valgrind.yml | 46 ++++++++++++++++++++++++++++++++++ travis-scripts/valgrind.sh | 46 +--------------------------------- 3 files changed, 50 insertions(+), 45 deletions(-) create mode 100644 .github/workflows/valgrind.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5d0993c0dd..0c6e303d46 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,3 +28,6 @@ jobs: cifuzz_tests: needs: unit_tests uses: ./.github/workflows/cifuzz.yml + valgrind_tests: + needs: unit_tests + uses: ./.github/workflows/valgrind.yml diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml new file mode 100644 index 0000000000..9d81aed2d4 --- /dev/null +++ b/.github/workflows/valgrind.yml @@ -0,0 +1,46 @@ +name: Valgrind Tests + +on: + workflow_call + +jobs: + valgrind_tests: + runs-on: ubuntu-20.04 + defaults: + run: + working-directory: core + steps: + - uses: actions/checkout@v3 + with: + path: core + submodules: recursive + - name: Clone masterfiles (master) + uses: actions/checkout@v3 + with: + repository: cfengine/masterfiles + ref: master + path: masterfiles + submodules: recursive + - name: Install dependencies + run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl libyaml-dev valgrind + - name: Run autotools / configure + run: ./autogen.sh --enable-debug --with-systemd-service + - name: Compile and link (make) + run: make -j8 CFLAGS="-Werror -Wall" + - name: Install CFEngine + run: sudo make install + - name: Generate masterfiles + run: ./autogen.sh + working-directory: masterfiles + - name: Install masterfiles + run: sudo make install + working-directory: masterfiles + - name: Reload systemd + run: sudo systemctl daemon-reload + + - name: See if cf-agent runs at all + run: /var/cfengine/bin/cf-agent --version + + - name: Run valgrind.sh + run: sudo bash travis-scripts/valgrind.sh + diff --git a/travis-scripts/valgrind.sh b/travis-scripts/valgrind.sh index a36b1ce975..f510166130 100644 --- a/travis-scripts/valgrind.sh +++ b/travis-scripts/valgrind.sh @@ -1,48 +1,6 @@ #!/usr/bin/env bash set -e -if [ -d /var/cfengine ]; then - rm -rf /var/cfengine -fi - -# Test assumes we start in core or masterfiles directory -cd ../ - -if [ ! -d core ]; then - echo "Cloning core (master)" - git clone --recursive https://github.com/cfengine/core.git -fi - -if [ ! -d masterfiles ]; then - echo "Cloning masterfiles (master)" - git clone --recursive https://github.com/cfengine/masterfiles.git -fi - -echo "Checking for systemctl" -systemctl --version - -cd core/ -echo "Building CFEngine core" -set +e -git fetch --unshallow 2>&1 >> /dev/null -git remote add upstream https://github.com/cfengine/core.git \ - && git fetch upstream 'refs/tags/*:refs/tags/*' 2>&1 >> /dev/null -set -e - -./autogen.sh --enable-debug --with-systemd-service -make - -echo "Installing CFEngine core" -make install -cd ../ - -cd masterfiles/ -./autogen.sh -echo "Installing CFEngine masterfiles" -make install - -systemctl daemon-reload - function print_ps { set +e echo "CFEngine processes:" @@ -118,10 +76,8 @@ function check_masterfiles_and_inputs { diff /var/cfengine/inputs/promises.cf /var/cfengine/masterfiles/promises.cf } -/var/cfengine/bin/cf-agent --version - VG_OPTS="--leak-check=full --track-origins=yes --error-exitcode=1" -BOOTSTRAP_IP="$(ifconfig | grep -A1 Ethernet | sed '2!d;s/.*addr:\([0-9.]*\).*/\1/')" +BOOTSTRAP_IP="$(ifconfig | grep -C1 Ethernet | sed 's/.*inet \([0-9.]*\).*/\1/;t;d')" valgrind $VG_OPTS /var/cfengine/bin/cf-key 2>&1 | tee cf-key.txt check_output cf-key.txt From 1c229cb6fb25facfd028e388ae39418f304ecdc1 Mon Sep 17 00:00:00 2001 From: Aleksei Shpakovskii Date: Thu, 12 Jan 2023 16:37:20 +0100 Subject: [PATCH 009/255] move valgrind.sh to .github/workflows (cherry picked from commit 7322c4b18f300f8dce5fa1d229411e726c60894a) --- {travis-scripts => .github/workflows}/valgrind.sh | 0 .github/workflows/valgrind.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename {travis-scripts => .github/workflows}/valgrind.sh (100%) diff --git a/travis-scripts/valgrind.sh b/.github/workflows/valgrind.sh similarity index 100% rename from travis-scripts/valgrind.sh rename to .github/workflows/valgrind.sh diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml index 9d81aed2d4..122390cfa5 100644 --- a/.github/workflows/valgrind.yml +++ b/.github/workflows/valgrind.yml @@ -42,5 +42,5 @@ jobs: run: /var/cfengine/bin/cf-agent --version - name: Run valgrind.sh - run: sudo bash travis-scripts/valgrind.sh + run: sudo bash .github/workflows/valgrind.sh From 377b060e0cb31a23a5000031dacc011780ebacc6 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 14 Oct 2022 16:49:52 -0500 Subject: [PATCH 010/255] Adjust cf-support for exotic/legacy POSIX systems Adjust for use on HP-UX, AIX, Solaris. Ticket: ENT-9340 Changelog: title (cherry picked from commit 97406008353b638f683643921ef8e17ddc5cd363) --- misc/Makefile.am | 4 + misc/cf-support | 240 +++++++++++++++++++++++++++++++++++++---------- 2 files changed, 192 insertions(+), 52 deletions(-) diff --git a/misc/Makefile.am b/misc/Makefile.am index ef2460fbd8..46db4fd6c6 100644 --- a/misc/Makefile.am +++ b/misc/Makefile.am @@ -36,3 +36,7 @@ install-data-hook: endif dist_bin_SCRIPTS = cf-support + +check-local: + command -v shellcheck 2>/dev/null && shellcheck --version + command -v shellcheck 2>/dev/null && shellcheck cf-support diff --git a/misc/cf-support b/misc/cf-support index f4f49ccd48..045217b85b 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -1,11 +1,18 @@ -#!/usr/bin/env bash +#!/usr/bin/env sh +# this script works with plain old POSIX sh so have to allow legacy subshell `command` instead of using $(command) +# shellcheck disable=SC2006 -export WORKDIR=/var/cfengine -export BINDIR="$WORKDIR/bin" -export non_interactive=0 +# be double-certain that we have needed PATH entries regardless of execution environment +PATH=/usr/contrib/bin:$PATH; export PATH # hpux +PATH=/usr/sbin:$PATH; export PATH # solaris +PATH=/usr/bin:$PATH; export PATH # sol10sparc has showrev in /usr/bin -if [ $# -gt 1 ] || [ "$1" = "--help" ] || ["$1" = "-h" ]; then - echo "usage: $(basename "$0") [OPTIONS]" +WORKDIR=/var/cfengine; export WORKDIR +BINDIR="$WORKDIR/bin"; export BINDIR +non_interactive=0; export non_interactive + +if [ $# -gt 1 ] || [ "$1" = "--help" ] || [ "$1" = "-h" ]; then + echo "usage: `basename "$0"` [OPTIONS]" echo '' echo 'Options:' echo ' --yes, -y - Non-interactive use. Assume no ticket number and assume include masterfiles.' @@ -42,7 +49,7 @@ if [ "$1" = "-M" ]; then e COSL.txt. .TH CF-SUPPORT 8 "2022-08-10" "CFEngine" "System Administrator" .SH NAME -cf-support \- create tarball of information to submit for support tickets. +cf-support \\- create tarball of information to submit for support tickets. .SH SYNOPSIS .B cf-support .RI [ OPTION ] @@ -53,7 +60,7 @@ cf-support gathers various details about the system and creates a tarball in the .IP "--yes" Non-interactive use. Assume no ticket number and assume include masterfiles. .SH CFENGINE -CFEngine provides automated configuration management of large-scale computer systems. A system administrator describes the desired state of a system using CFEngine policy code. The program \fBcf-agent\fR reads policy code and attempts to bring the current system state to the desired state described. Policy code is downloaded by \fBcf-agent\fR from a \fBcf-serverd\fR daemon. The daemon \fBcf-execd\fR is responsible for running \fBcf-agent\fR periodically. +CFEngine provides automated configuration management of large-scale computer systems. A system administrator describes the desired state of a system using CFEngine policy code. The program \\fBcf-agent\\fR reads policy code and attempts to bring the current system state to the desired state described. Policy code is downloaded by \\fBcf-agent\\fR from a \\fBcf-serverd\\fR daemon. The daemon \\fBcf-execd\\fR is responsible for running \\fBcf-agent\\fR periodically. .br Documentation for CFEngine is available at https://docs.cfengine.com/. .SH PROMISE THEORY @@ -86,7 +93,9 @@ fi [ "$1" = "--yes" ] || [ "$1" = "-y" ] && non_interactive=1 -if [ "$EUID" -ne 0 ]; then +# POSIX friendly version of bash $EUID +euid=`id | sed -n 's/uid=\([0-9]*\).*/\1/p'` +if [ "$euid" -ne 0 ]; then echo "$0 must be run as root" exit 1 fi @@ -97,13 +106,27 @@ if ! command -v gzip >/dev/null; then fi if [ $non_interactive -eq 0 ]; then - read -rp "If you have it, please enter your support case number: " case_number + printf "If you have it, please enter your support case number: " + read -r case_number fi case_number="${case_number:-NA}" -timestamp=$(date +%F-%H%M) -collection="cfengine_support_case_$case_number-$(hostname -f)-$timestamp" +timestamp=`date +%Y-%m-%d-%H%M` +collection="cfengine_support_case_$case_number-`hostname`-$timestamp" + +make_temp_dir() +{ + if command -v mktemp >/dev/null; then + mktemp -d + else + # shellcheck disable=SC2021 + # ^^ legacy/POSIX requires square brackets + _tmp="/tmp/`tr -dc "[A-Z][a-z][0-9]" /dev/null; then echo "Using coredumpctl to analyze CFEngine core dumps" - coredumpctl info /var/cfengine/bin/cf-* 2>/dev/null >> "$_core_log" + coredumpctl info /var/cfengine/bin/cf-* 2>/dev/null >> "$_core_log" || true elif command -v apport-unpack >/dev/null; then echo "Using apport-unpack to analyze CFEngine core dumps" # each crash report has a line with ExecutablePath: which tells us if it is a CFEngine core dump - crash_reports=$(grep -H "ExecutablePath: /var/cfengine/bin" /var/crash/* | sed "s/:ExecutablePath.*$//") + crash_reports=`grep -H "ExecutablePath: /var/cfengine/bin" /var/crash/* | sed "s/:ExecutablePath.*$//"` if [ -n "$crash_reports" ]; then if ! command -v gdb >/dev/null; then echo "CFEngine related core dumps were found but gdb is not installed. Please install gdb and retry the cf-support command." @@ -123,9 +146,9 @@ elif command -v apport-unpack >/dev/null; then fi # process crash reports with tmp dirs and all for report in $crash_reports; do - tmp=$(mktemp -d) + tmp=`make_temp_dir` apport-unpack "$report" "$tmp" - exe=$(cat "$tmp/ExecutablePath") + exe=`cat "$tmp/ExecutablePath"` # print out report up to the embedded core dump file # --null-data separate lines by NUL characters sed --null-data 's/CoreDump:.*$//' "$report" >> "$_core_log" @@ -135,13 +158,14 @@ elif command -v apport-unpack >/dev/null; then fi else if [ "$non_interactive" -eq 0 ]; then - read -r -p "Analyze coredumps found under /var/cfengine/bin? [Y//n]: " response + printf "Analyze coredumps found under /var/cfengine/bin? [Y//n]: " + read -r response fi response=${response:-/var/cfengine/bin} if [ "$response" != "n" ]; then # file command on core files results in lines like the following which we parse for cf-* binaries # core: ELF 64-bit LSB core file, x86-64, version 1 (SYSV), SVR4-style, from '/var/cfengine/bin/cf-key', real uid: 0, effective uid: 0, realgid: 0, effective gid: 0, execfn: '/var/cfengine/bin/cf-key', platform: 'x86_64' - cf_core_files=$(find "$response" -name 'core*' -type f -exec file {} \; 2>/dev/null | grep "core file" | grep "cf-" | cut -d' ' -f1 | sed 's/:$//') + cf_core_files=`find "$response" -name 'core*' -type f -exec file {} \; 2>/dev/null | grep "core file" | grep "cf-" | cut -d' ' -f1 | sed 's/:$//'` if [ -n "$cf_core_files" ]; then if ! command -v gdb >/dev/null; then echo "Please install gdb. This is required in order to analyze core dumps." @@ -149,8 +173,8 @@ else fi for core_file in $cf_core_files; do file "$core_file" >> "$_core_log" - execfn=$(file "$core_file" | sed 's/,/\n/g' | grep execfn | cut -d: -f2 | sed "s/[' ]//g") - exe="$(realpath "$execfn")" + execfn=`file "$core_file" | sed 's/,/\n/g' | grep execfn | cut -d: -f2 | sed "s/[' ]//g"` + exe="`realpath "$execfn"`" gdb "$exe" --core="$core_file" -batch -ex "thread apply all bt full" >> "$_core_log" 2>&1 done fi @@ -158,12 +182,12 @@ else fi -export info_file="$tmpdir/system-info.txt" +info_file="$tmpdir/system-info.txt" +export info_file -function file_add +file_add() { - local filename - filename="$(basename "$1")" + filename="`basename "$1"`" if [ -f "$1" ]; then cp "$1" "$tmpdir"/"$filename" echo "Added file $1" @@ -171,12 +195,10 @@ function file_add echo "$1 file not found" >> "$info_file" fi } -export -f file_add -function gzip_add +gzip_add() { - local filename - filename="$(basename "$1")" + filename="`basename "$1"`" if [ -f "$1" ]; then gzip -c "$1" > "$tmpdir"/"$filename".gz echo "Added compressed copy of file $1" @@ -184,51 +206,164 @@ function gzip_add echo "$1 file not found" >> "$info_file" fi } -export -f gzip_add -function log_cmd +log_cmd() { - echo "=== $1 ===" >> "$info_file" - eval "$1" >> "$info_file" 2>&1 || true - echo >> "$info_file" # one newline for easier to read output - echo "Captured output of command $1" + cmd="`echo "$1" | awk '{print $1}'`" + if command -v "$cmd" 2>/dev/null >/dev/null; then + echo "** $1" >> "$info_file" + sh -c "$1" >> "$info_file" 2>&1 || true + echo >> "$info_file" # one newline for easier to read output + echo "Captured output of command $1" + else + echo "Command not found: $cmd" + fi } -export -f log_cmd -log_cmd "hostname -f" +# determine operating system flavor +if command -v swlist 2>/dev/null; then + OS="hpux" +elif command -v oslevel 2>/dev/null; then + OS=aix +elif [ -f /etc/release ]; then + OS=solaris + OS_VERSION=$(uname -r) +elif [ -f /etc/redhat-release ] || [ -f /etc/os-release ] || [ -f /etc/lsb-release ]; then + OS=linux +elif command -v system_profiler 2>/dev/null; then + OS=macos +else + echo "unable to determine operating system, will try generic unix commands." + OS=unix +fi + +# first, collect basic information about the system log_cmd "uname -a" -[ -f "/etc/os-release" ] && log_cmd "cat /etc/os-release" log_cmd "$BINDIR/cf-promises -V" -log_cmd "free -m" -log_cmd "df -h" -log_cmd "ps auwwx" -log_cmd "top -b -H -c -n1" -log_cmd "netstat -ie" -log_cmd "ifconfig" + +if [ "$OS" = "solaris" ]; then + log_cmd "prtconf" # system configuration, memory size, peripherals + log_cmd "psrinfo -v" # verbose information about each processor, on-line since, type, speed + if [ "$OS_VERSION" = "5.10" ]; then + log_cmd "showrev" # hostname, hostid, release, kernel architecture, application architecutre, kernel version + fi + log_cmd "vmstat" # equivalent of free -h + log_cmd "zonename" # either global, or a named zone + if command -v zonestat 2>/dev/null; then + log_cmd "zonestat 1 1" # get information about memory/cpu in this zone + fi +elif [ "$OS" = "hpux" ]; then + if [ -x /opt/ignite/bin/print_manifest ]; then + log_cmd "/opt/ignite/bin/print_manifest" # contains info provided by other commands below + else + log_cmd "swlist" # list of bundles installed, includes HPUX-OE base os version + log_cmd "model" # type of machine + # machinfo provides cpu, speed, memory, firmware, platform, id, serial, OS, nodename/hostname, release, sysname + if command -v machinfo 2>/dev/null; then + log_cmd "machinfo" + fi + fi + # regardless, report status of interfaces/volumes and memory + log_cmd "dmesg" # not syslog related like on linux +elif [ "$OS" = "aix" ]; then + log_cmd "prtconf" # model, type, cpus, speed, memory, firmware, network info, volume groups, peripherals/resources + log_cmd "oslevel -s" # OS version +else # linux and "generic" unices like macos/bsds? + log_cmd "lscpu" + log_cmd "free -m" + log_cmd "hostname" + [ -f "/etc/os-release" ] && log_cmd "cat /etc/os-release" +fi + +# filesystems and usage +if [ "$OS" != "solaris" ] && [ "$OS" != "aix" ]; then + file_add "/etc/fstab" +fi +log_cmd "mount" +if [ "$OS" != "hpux" ] && [ "$OS" != "aix" ]; then + log_cmd "df -h" +else + log_cmd "df -g" # only needed on hpux/aix, -h is not available +fi + +# processes +# shellcheck disable=SC2166 +# ^^ allow grouping in test expression +if [ "$OS" = "hpux" ] || [ \( "$OS" = "solaris" -a "$OS_VERSION" = "5.10" \) ]; then + ps -efl >processes.log 2>&1 +else + ps auwwx >processes.log 2>&1 +fi + +# top procs +if [ "$OS" = "hpux" ]; then + # use -f option to force -d1 and include no console codes + top -f /tmp/top.log + file_add /tmp/top.log + rm /tmp/top.log +elif [ "$OS" = "aix" ] || [ "$OS" = "solaris" ]; then + log_cmd "ps aux | head -1; ps aux | sed '1d' | sort -rn +2 | head -10" +else + log_cmd "top -b -H -c -n1" +fi + +# network interfaces +if [ "$OS" = "hpux" ] || [ "$OS" = "solaris" ] || [ "$OS" = "aix" ]; then + log_cmd "netstat -in" +else + log_cmd "netstat -ie" +fi +if [ "$OS" = "aix" ] || [ "$OS" = "solaris" ]; then + log_cmd "ifconfig -a" +elif [ "$OS" = "hpux" ]; then + lanscan -p | while read -r lan + do + log_cmd "ifconfig lan${lan}" + done 2>/dev/null +else + log_cmd "ifconfig" +fi + +# open file handles if command -v lsof 2>/dev/null >/dev/null; then lsof > "$tmpdir/lsof.txt" echo "Captured output of command lsof" fi -log_cmd "mount" -file_add "/etc/fstab" + +# CFEngine specific log_cmd "$BINDIR/cf-key -p $WORKDIR/ppkeys/localhost.pub" log_cmd "grep 'version =' $WORKDIR/inputs/promises.cf" -log_cmd "$BINDIR/cf-key -s" +log_cmd "$BINDIR/cf-key -s -n" log_cmd "$BINDIR/cf-check diagnose" if command -v systemctl >/dev/null; then log_cmd "systemctl status cfengine3" -else +elif [ -x /etc/init.d/cfengine3 ]; then log_cmd "/etc/init.d/cfengine3 status" +else + echo "No way to check on cfengine service status" fi for f in /var/log/CFEngine-Install*; do gzip_add "$f" done + +# system log [ -f /var/log/messages ] && syslog_cmd="cat /var/log/messages" [ -f /var/log/syslog ] && syslog_cmd="cat /var/log/syslog" -[ "$(command -v journalctl >/dev/null)" ] && syslog_cmd="journalctl" +command -v journalctl >/dev/null && syslog_cmd="journalctl" [ -z "$syslog_cmd" ] && syslog_cmd="dmesg" +if [ "$OS" = "solaris" ]; then + syslog_cmd="cat /var/adm/messages*" +fi _syslog_filtered="$tmpdir"/syslog-filtered-for-cfengine.log.gz -$syslog_cmd | grep -E 'cf-|CFEngine' | gzip -c > "$_syslog_filtered" || true + +if [ "$OS" = "aix" ]; then + syslog_cmd="errpt -a" + # error report can reference cfengine, reports are delimitted by bars of `-` characters + echo "r !errpt -a +g/cfengine/?---?,/---/p" | ed > "$_syslog_filtered" || true +else + $syslog_cmd | sed -n '/cfe/p;/cf-/p' | gzip -c > "$_syslog_filtered" || true +fi echo "Captured output of $syslog_cmd filtered for cf-|CFEngine" gzip_add $WORKDIR/outputs/previous @@ -236,12 +371,13 @@ file_add $WORKDIR/policy_server.dat if [ -f $WORKDIR/share/cf-support-nova-hub.sh ]; then # shellcheck source=/dev/null - source $WORKDIR/share/cf-support-nova-hub.sh + . $WORKDIR/share/cf-support-nova-hub.sh fi # Here we create the tarball one directory up # to preserve a top-level of $collection in the tarball. # This gives a nice context of timestamp, hostname and support ticket # if provided. (see $collection definition above) -tar czf "$collection.tar.gz" --directory "$tmpdir/../" . && rm -rf "$tmpdir" +tar cvf - -C "$tmpdir"/.. "$collection" | gzip > "$collection.tar.gz" +rm -rf "$tmpdir" echo "Please send $collection.tar.gz to CFEngine support staff." From 30e98ad0cee140f8ec70f0e618e996c4bb9e53d0 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 19 Jan 2023 10:27:48 -0600 Subject: [PATCH 011/255] Added shellcheck cf-support to github actions Ideally we add any other scripts we care about in core repo. Ticket: ENT-9340 Changelog: none (cherry picked from commit 4f637ff9c7c7a7e402311bdeed3f894a1e726ca3) --- .github/workflows/ci.yml | 2 ++ .github/workflows/shellcheck.yml | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 .github/workflows/shellcheck.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0c6e303d46..458882809a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,6 +16,8 @@ on: jobs: unit_tests: uses: ./.github/workflows/unit_tests.yml + shellcheck_tests: + uses: ./.github/workflows/shellcheck.yml asan_unit_tests: needs: unit_tests uses: ./.github/workflows/asan_unit_tests.yml diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml new file mode 100644 index 0000000000..fd1e2e2523 --- /dev/null +++ b/.github/workflows/shellcheck.yml @@ -0,0 +1,18 @@ +on: + workflow_call + +jobs: + unit_tests: + name: Run shellcheck on shell scripts + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v3 + with: + submodules: recursive + - name: Install dependencies + run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl shellcheck + - name: Run autotools / configure + run: ./autogen.sh --enable-debug + - name: Run shellcheck +# todo: add more places to run shellcheck besides misc/cf-support + run: make -C misc check From 5e738eb5543ca4ccc57473f9c40dc8336aca63a8 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 23 Jan 2023 07:32:27 -0600 Subject: [PATCH 012/255] Fixed cf-support shellcheck check target Needed to check shellcheck command differently. Ticket: ENT-9340 Changelog: none (cherry picked from commit 999b930e6ba97f17a272d769a08730f05d9c4717) --- misc/Makefile.am | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/misc/Makefile.am b/misc/Makefile.am index 46db4fd6c6..5fb39a2adc 100644 --- a/misc/Makefile.am +++ b/misc/Makefile.am @@ -38,5 +38,9 @@ endif dist_bin_SCRIPTS = cf-support check-local: - command -v shellcheck 2>/dev/null && shellcheck --version - command -v shellcheck 2>/dev/null && shellcheck cf-support + @if command -v shellcheck 2>/dev/null; then \ + shellcheck --version; \ + shellcheck cf-support; \ + else \ + echo "Install shellcheck to check cf-support script."; \ + fi From b8b214cbbdda6710f7dd6331e3e50c2179609b7a Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Tue, 24 Jan 2023 14:08:43 -0600 Subject: [PATCH 013/255] Started checking status of all cf- prefixed systemd services in cf-support Ticket: ENT-9804 Changelog: Title (cherry picked from commit b3fd4d4aa2b8c9eb25de875ea950aa22db5e8223) --- misc/cf-support | 1 + 1 file changed, 1 insertion(+) diff --git a/misc/cf-support b/misc/cf-support index 045217b85b..51a8d8dc20 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -337,6 +337,7 @@ log_cmd "$BINDIR/cf-key -s -n" log_cmd "$BINDIR/cf-check diagnose" if command -v systemctl >/dev/null; then log_cmd "systemctl status cfengine3" + log_cmd "systemctl status cf-*" elif [ -x /etc/init.d/cfengine3 ]; then log_cmd "/etc/init.d/cfengine3 status" else From 9ad4e79f2f0c9895eeb57d4225a511211f0057b3 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 27 Jan 2023 10:56:44 -0600 Subject: [PATCH 014/255] Fixed --with-libxml2=no case in configure.ac The CF3_WITH_LIBRARY and AC_CHECK_HEADERS were moved to outside of the check for with-libxml2=no Ticket: CFE-4023 Changelog: title (cherry picked from commit e72fa5cb8e65bced37bb125774836f3f6bad069f) --- configure.ac | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/configure.ac b/configure.ac index e189b10f4c..f6b8226ab0 100644 --- a/configure.ac +++ b/configure.ac @@ -659,19 +659,20 @@ if test "x$with_libxml2" != "xno"; then LIBXML2_CPPFLAGS=-I$with_libxml2/include/libxml2 fi fi -fi -CF3_WITH_LIBRARY(libxml2, - [AC_CHECK_LIB(xml2, xmlFirstElementChild, - [], - [if test "x$with_libxml2" != xcheck; then - AC_MSG_ERROR(Cannot find libxml2); fi] - ) - AC_CHECK_HEADERS([libxml/xmlwriter.h], [break], + CF3_WITH_LIBRARY(libxml2, + [AC_CHECK_LIB(xml2, xmlFirstElementChild, + [], [if test "x$with_libxml2" != xcheck; then AC_MSG_ERROR(Cannot find libxml2); fi] - )] -) + ) + AC_CHECK_HEADERS([libxml/xmlwriter.h], [break], + [if test "x$with_libxml2" != xcheck; then + AC_MSG_ERROR(Cannot find libxml2); fi] + )] + ) + +fi AM_CONDITIONAL([HAVE_LIBXML2], [test "x$with_libxml2" != xno && From f5d78df6bc218a3aee93cd8ed43d4dab1c214d99 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 30 Jan 2023 11:22:04 -0600 Subject: [PATCH 015/255] Updated libntech submodule for autotools fix Fixed --with-libxml2=no case in configure.ac Ticket: CFE-4023 Changelog: none --- libntech | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libntech b/libntech index 522ec6b324..da3d5194da 160000 --- a/libntech +++ b/libntech @@ -1 +1 @@ -Subproject commit 522ec6b3240a332884d0f67059268edd8cf30cba +Subproject commit da3d5194da7fa072f73d7289375edbbb7d77f635 From b3a80ea24f63f4d8c4c357904e40327e118db48a Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 28 Dec 2022 13:18:01 -0600 Subject: [PATCH 016/255] Fixed debug module expand logging for scalars This change makes the log message less confusing as it used to look like a variable expansion. Ticket: CFE-4122 Changelog: Title Signed-off-by: Lars Erik Wik Co-authored-by: Nick Anderson (cherry picked from commit fa903e9b03d05aa863df89be8ab5f56781b344fa) --- libpromises/expand.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libpromises/expand.c b/libpromises/expand.c index 6a92ab9b72..b4845306fc 100644 --- a/libpromises/expand.c +++ b/libpromises/expand.c @@ -607,8 +607,10 @@ char *ExpandScalar(const EvalContext *ctx, const char *ns, const char *scope, BufferDestroy(current_item); - LogDebug(LOG_MOD_EXPAND, "ExpandScalar( %s : %s . %s ) => %s", - SAFENULL(ns), SAFENULL(scope), string, BufferData(out)); + LogDebug(LOG_MOD_EXPAND, + "Expanded scalar '%s' to '%s' using %s namespace and %s scope.", + string, BufferData(out), (ns == NULL) ? "current" : ns, + (scope == NULL) ? "current" : scope); return out_belongs_to_us ? BufferClose(out) : BufferGet(out); } From ccceca707071c89921a3148bf3328e7312024fba Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 2 Mar 2023 10:11:10 -0600 Subject: [PATCH 017/255] Adjust configure.ac to better recognize openssl with macos homebrew Also include same change from libntech Ticket: ENT-9363 Changelog: none (cherry picked from commit a5fc7d08e27dfdced90ad11400fc6f1f63f7d889) --- .github/workflows/macos_unit_tests.yml | 4 ++-- INSTALL | 2 +- configure.ac | 4 ++-- libntech | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/macos_unit_tests.yml b/.github/workflows/macos_unit_tests.yml index 7e624a6510..ac3eab2c84 100644 --- a/.github/workflows/macos_unit_tests.yml +++ b/.github/workflows/macos_unit_tests.yml @@ -11,9 +11,9 @@ jobs: with: submodules: recursive - name: Install dependencies - run: brew install lmdb automake openssl@1.1 pcre + run: brew install lmdb automake openssl pcre - name: Run autotools / configure - run: ./autogen.sh --enable-debug --with-openssl="$(brew --prefix openssl@1.1)" + run: ./autogen.sh --enable-debug - name: Compile and link run: make -j8 CFLAGS="-Werror -Wall" - name: Run unit tests diff --git a/INSTALL b/INSTALL index f78f8f7ed8..1e97343b38 100644 --- a/INSTALL +++ b/INSTALL @@ -144,5 +144,5 @@ $ ./autogen.sh --without-pam * OSX (2021-10-20) -brew install openssl@1.1 lmdb autoconf automake libtool bison flex pcre m4 gcc make +brew install openssl lmdb autoconf automake libtool bison flex pcre m4 gcc make ./autogen.sh --enable-debug --with-openssl="$(brew --prefix openssl@1.1)" diff --git a/configure.ac b/configure.ac index f6b8226ab0..42f231c3f8 100644 --- a/configure.ac +++ b/configure.ac @@ -455,10 +455,10 @@ if test x"$with_openssl" = xno ; then AC_MSG_ERROR([This release of CFEngine requires OpenSSL >= 0.9.7]) fi -if test -d /usr/local/Cellar/openssl/ && \ +if test -d /usr/local/Cellar/ && \ test -d /usr/local/opt/openssl/ && \ test "x$with_openssl" = "xyes" ; then - with_openssl="/usr/local/opt/openssl" + with_openssl=$(brew --prefix openssl) echo "OS X Homebrew detected" echo "Defaulting to: --with-openssl=$with_openssl" fi diff --git a/libntech b/libntech index da3d5194da..0c2de6fa25 160000 --- a/libntech +++ b/libntech @@ -1 +1 @@ -Subproject commit da3d5194da7fa072f73d7289375edbbb7d77f635 +Subproject commit 0c2de6fa259b5cbff2d915cd044bb0fc72972a85 From 4126f228989229af67fda0ee08d24877cc81e9f8 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 2 Mar 2023 10:12:01 -0600 Subject: [PATCH 018/255] Fixed unused variable warning in unix_iface.c Ticket: ENT-9363 Changelog: none (cherry picked from commit cd66bf7fc7aa5d98df3fa06b6854cf2c80994a99) --- libenv/unix_iface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libenv/unix_iface.c b/libenv/unix_iface.c index 0d8724a2ad..e6e0b5b849 100644 --- a/libenv/unix_iface.c +++ b/libenv/unix_iface.c @@ -713,7 +713,7 @@ static void FindV6InterfacesInfo(EvalContext *ctx, Rlist **interfaces, Rlist **h // We know there was more data, at least a colon: assert(src_length == bytes_to_copy); - const size_t dst_length = src_length - 1; + NDEBUG_UNUSED const size_t dst_length = src_length - 1; // We copied everything up to, but not including, the colon: assert(ifconfig_line[dst_length] == ':'); From 8c1180f3627c486c6a34f29083d5817fd79662e2 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 2 Mar 2023 14:24:16 -0600 Subject: [PATCH 019/255] Adjusted INSTALL instructions for MacOS Ticket: ENT-9363 Changelog: none (cherry picked from commit 9151f94dd4a90e725bee06a98740bfddf54797d8) --- INSTALL | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/INSTALL b/INSTALL index 1e97343b38..80437b6a20 100644 --- a/INSTALL +++ b/INSTALL @@ -145,4 +145,4 @@ $ ./autogen.sh --without-pam * OSX (2021-10-20) brew install openssl lmdb autoconf automake libtool bison flex pcre m4 gcc make -./autogen.sh --enable-debug --with-openssl="$(brew --prefix openssl@1.1)" +./autogen.sh --enable-debug From aefe0275cdbc1fa638c287d0a063d4502fb9cffa Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 2 Mar 2023 15:27:32 -0600 Subject: [PATCH 020/255] Fix 3.21.x github actions to run Missed an update to run on 3.21.x --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 458882809a..dc7e487e4c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,13 +4,13 @@ on: # run this workflow on pull_request activity # this includes opening and pushing more commits pull_request: - branches: [ master, 3.18.x, 3.15.x ] + branches: [ master, 3.21.x, 3.18.x ] # run this workflow on push/merge activity # pull_request activity won't detect changes # in the upstream branch before we merge push: - branches: [ master, 3.18.x, 3.15.x ] + branches: [ master, 3.21.x, 3.18.x ] jobs: From ba2a4e5115d051d9c6202f3acd8fd061ffe69b6a Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 2 Mar 2023 18:03:28 +0100 Subject: [PATCH 021/255] Fixed segfault caused by empty array in CMDB class specification Now an error message is emitted instead, when array is empty: ``` error: Empty class specification '[]' in CMDB data not allowed, only '["any::"]' ``` Also added an error message when array contains more than one element: ``` error: Too many elements in class specification in CMDB data, only '["any::"]' allowed ``` And the old error message is now only emitted when array contains one element that is not "any::": ``` error: Invalid class specification '["linux::"]' in CMDB data, only '["any::"]' allowed ``` Ticket: CFE-4145 Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 75c4040c7a4f7b76bc3e8e429b7651e2542375be) Signed-off-by: Lars Erik Wik --- libpromises/cmdb.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/libpromises/cmdb.c b/libpromises/cmdb.c index ddab5b2763..5bcccf33e0 100644 --- a/libpromises/cmdb.c +++ b/libpromises/cmdb.c @@ -414,12 +414,25 @@ static bool ReadCMDBClasses(EvalContext *ctx, JsonElement *classes) else if (JsonGetContainerType(data) == JSON_CONTAINER_TYPE_ARRAY && JsonArrayContainsOnlyPrimitives(data)) { - if ((JsonLength(data) != 1) || - (!StringEqual(JsonPrimitiveGetAsString(JsonArrayGet(data, 0)), "any::"))) + switch (JsonLength(data)) { + case 0: Log(LOG_LEVEL_ERR, - "Invalid class specification '%s' in CMDB data, only '[\"any::\"]' allowed", - JsonPrimitiveGetAsString(JsonArrayGet(data, 0))); + "Empty class specification '[]' in CMDB data not allowed, only '[\"any::\"]'"); + continue;; + case 1: + if (!StringEqual(JsonPrimitiveGetAsString(JsonArrayGet(data, 0)), "any::")) + { + Log(LOG_LEVEL_ERR, + "Invalid class specification '[\"%s\"]' in CMDB data, only '[\"any::\"]' allowed", + JsonPrimitiveGetAsString(JsonArrayGet(data, 0))); + continue; + } + // All good :) + break; + default: + Log(LOG_LEVEL_ERR, + "Too many elements in class specification in CMDB data, only '[\"any::\"]' allowed"); continue; } StringSet *default_tags = StringSetNew(); From 32f856536c395455856f1a67cb476f65d8fa374b Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 6 Mar 2023 12:03:22 +0100 Subject: [PATCH 022/255] Now prints problematic value when too many elements in CMDB class spec Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit c48a5ee898eb9e0c3524919caf0b4a6c5794d60e) Signed-off-by: Lars Erik Wik --- libpromises/cmdb.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libpromises/cmdb.c b/libpromises/cmdb.c index 5bcccf33e0..ff6dec9d98 100644 --- a/libpromises/cmdb.c +++ b/libpromises/cmdb.c @@ -431,8 +431,14 @@ static bool ReadCMDBClasses(EvalContext *ctx, JsonElement *classes) // All good :) break; default: - Log(LOG_LEVEL_ERR, - "Too many elements in class specification in CMDB data, only '[\"any::\"]' allowed"); + { + Writer *const str = StringWriter(); + JsonWriteCompact(str, data); + Log(LOG_LEVEL_ERR, + "Too many elements in class specification '%s' in CMDB data, only '[\"any::\"]' allowed", + StringWriterData(str)); + WriterClose(str); + } continue; } StringSet *default_tags = StringSetNew(); From e912b50ac7cd975ac1575e9912bfacffaf5dcbbc Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 17 Mar 2023 11:00:50 +0100 Subject: [PATCH 023/255] Directories are now created with correct perms Instead of creating the directories with the default file permissions, then change them to the desired state; directories are now created with the desired set of permissions. ``` info: Created file '/tmp/testfile', mode 0655 info: Created directory '/tmp/testdir/.', mode 0655 ``` Ticket: CFE-4114 Changelog: Body Signed-off-by: Lars Erik Wik (cherry picked from commit 5c2fe664e3b69bb9b70ba14ffa03f7224089ef77) Signed-off-by: Lars Erik Wik --- cf-agent/verify_files_utils.c | 45 +++++++++++++------ libpromises/files_lib.c | 12 +++-- libpromises/files_lib.h | 9 ++-- libpromises/files_links.c | 6 +-- .../01_files/copy_from01.cf.expected | 2 +- .../01_files/copy_from02.cf.expected | 2 +- 6 files changed, 51 insertions(+), 25 deletions(-) diff --git a/cf-agent/verify_files_utils.c b/cf-agent/verify_files_utils.c index 067ce96287..79ec481e33 100644 --- a/cf-agent/verify_files_utils.c +++ b/cf-agent/verify_files_utils.c @@ -341,8 +341,8 @@ static PromiseResult CfCopyFile(EvalContext *ctx, char *sourcefile, else { bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, &attr, &result, - destfile, true, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, &attr, &result, destfile, + true, &dir_created, DEFAULTMODE)) { return result; } @@ -757,8 +757,9 @@ static PromiseResult SourceSearchAndCopy(EvalContext *ctx, const char *from, cha struct stat tostat; bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, attr, &result, - newto, attr->move_obstructions, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, attr, &result, newto, + attr->move_obstructions, &dir_created, + DEFAULTMODE)) { return result; } @@ -3154,8 +3155,9 @@ static PromiseResult CopyFileSources(EvalContext *ctx, char *destination, const PromiseResult result = PROMISE_RESULT_NOOP; bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, attr, &result, - vbuff, attr->move_obstructions, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, attr, &result, vbuff, + attr->move_obstructions, &dir_created, + DEFAULTMODE)) { BufferDestroy(source_buf); return result; @@ -4339,15 +4341,30 @@ bool CfCreateFile(EvalContext *ctx, char *file, const Promise *pp, const Attribu if (MakingChanges(ctx, pp, attr, result, "create directory '%s'", file)) { + mode_t filemode = DEFAULTMODE; + if (PromiseGetConstraintAsRval(pp, "mode", RVAL_TYPE_SCALAR) == NULL) + { + Log(LOG_LEVEL_VERBOSE, + "No mode was set, choosing directory default %04jo", + (uintmax_t) filemode); + } + else + { + filemode = attr->perms.plus & ~(attr->perms.minus); + } + bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, - file, attr->move_obstructions, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, file, + attr->move_obstructions, + &dir_created, filemode)) { return false; } if (dir_created) { - RecordChange(ctx, pp, attr, "Created directory '%s'", file); + RecordChange(ctx, pp, attr, + "Created directory '%s', mode %04jo", file, + (uintmax_t) filemode); *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE); } } @@ -4370,8 +4387,9 @@ bool CfCreateFile(EvalContext *ctx, char *file, const Promise *pp, const Attribu } bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, - file, attr->move_obstructions, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, file, + attr->move_obstructions, + &dir_created, DEFAULTMODE)) { return false; } @@ -4423,8 +4441,9 @@ bool CfCreateFile(EvalContext *ctx, char *file, const Promise *pp, const Attribu } bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, - file, attr->move_obstructions, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, file, + attr->move_obstructions, + &dir_created, DEFAULTMODE)) { return false; } diff --git a/libpromises/files_lib.c b/libpromises/files_lib.c index 689b82571f..a380ea4660 100644 --- a/libpromises/files_lib.c +++ b/libpromises/files_lib.c @@ -120,11 +120,15 @@ bool MakeParentInternalDirectory(const char *parentandchild, bool force, bool *c parentandchild, force, true, created, DEFAULTMODE); } -bool MakeParentDirectoryForPromise(EvalContext *ctx, const Promise *pp, const Attributes *attr, - PromiseResult *result, const char *parentandchild, - bool force, bool *created) +bool MakeParentDirectoryForPromise(EvalContext *ctx, const Promise *pp, + const Attributes *attr, + PromiseResult *result, + const char *parentandchild, + bool force, bool *created, + const mode_t perms_mode) { - return MakeParentDirectoryImpl(ctx, pp, attr, result, parentandchild, force, false, created, DEFAULTMODE); + return MakeParentDirectoryImpl(ctx, pp, attr, result, parentandchild, + force, false, created, perms_mode); } static bool MakeParentDirectoryImpl(EvalContext *ctx, const Promise *pp, const Attributes *attr, diff --git a/libpromises/files_lib.h b/libpromises/files_lib.h index 718358e440..bff4b85a5a 100644 --- a/libpromises/files_lib.h +++ b/libpromises/files_lib.h @@ -52,9 +52,12 @@ bool MakeParentInternalDirectory(const char *parentandchild, bool force, bool *c * @warning This function will not behave right on Windows if the path * contains double (back)slashes! **/ -bool MakeParentDirectoryForPromise(EvalContext *ctx, const Promise *pp, const Attributes *attr, - PromiseResult *result, const char *parentandchild, - bool force, bool *created); +bool MakeParentDirectoryForPromise(EvalContext *ctx, const Promise *pp, + const Attributes *attr, + PromiseResult *result, + const char *parentandchild, + bool force, bool *created, + mode_t perms_mode); void RotateFiles(const char *name, int number); void CreateEmptyFile(char *name); diff --git a/libpromises/files_links.c b/libpromises/files_links.c index d032f1018b..2f6d5da076 100644 --- a/libpromises/files_links.c +++ b/libpromises/files_links.c @@ -137,9 +137,9 @@ PromiseResult VerifyLink(EvalContext *ctx, char *destination, const char *source } bool dir_created = false; - if (MakeParentDirectoryForPromise(ctx, pp, attr, &result, - destination, attr->move_obstructions, - &dir_created)) + if (MakeParentDirectoryForPromise(ctx, pp, attr, &result, destination, + attr->move_obstructions, + &dir_created, DEFAULTMODE)) { if (dir_created) { diff --git a/tests/acceptance/28_inform_testing/01_files/copy_from01.cf.expected b/tests/acceptance/28_inform_testing/01_files/copy_from01.cf.expected index f08b81ddb5..b3203bcadb 100644 --- a/tests/acceptance/28_inform_testing/01_files/copy_from01.cf.expected +++ b/tests/acceptance/28_inform_testing/01_files/copy_from01.cf.expected @@ -1,4 +1,4 @@ - info: Created directory '/tmp/TEST.destination/subdir/.' + info: Created directory '/tmp/TEST.destination/subdir/.', mode 0700 info: Copied file '/tmp/TEST.source/file-perms-644' to '/tmp/TEST.destination/file-perms-644.cfnew' (permissions preserved) info: Moved '/tmp/TEST.destination/file-perms-644.cfnew' to '/tmp/TEST.destination/file-perms-644' info: Object '/tmp/TEST.destination/file-perms-644' had permissions 0600, changed it to 0644 diff --git a/tests/acceptance/28_inform_testing/01_files/copy_from02.cf.expected b/tests/acceptance/28_inform_testing/01_files/copy_from02.cf.expected index c37c43374e..39c5c0b160 100644 --- a/tests/acceptance/28_inform_testing/01_files/copy_from02.cf.expected +++ b/tests/acceptance/28_inform_testing/01_files/copy_from02.cf.expected @@ -1,4 +1,4 @@ - info: Created directory '/tmp/TEST.destination/subdir/.' + info: Created directory '/tmp/TEST.destination/subdir/.', mode 0700 info: Copied file '/tmp/TEST.source/file-perms-644' to '/tmp/TEST.destination/file-perms-644.cfnew' (mode '600') info: Moved '/tmp/TEST.destination/file-perms-644.cfnew' to '/tmp/TEST.destination/file-perms-644' info: Updated file '/tmp/TEST.destination/file-perms-644' from 'localhost:/tmp/TEST.source/file-perms-644' From bfa5fe82bb6e34e7f74c9830787c40444cdee72f Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 28 Mar 2023 11:10:32 -0500 Subject: [PATCH 024/255] Added native core dump handling in cf-support for solaris Ticket: ENT-9786 Changelog: title (cherry picked from commit 56f23ea2abd03e7b517b62590269499ccee9dac9) --- misc/cf-support | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/misc/cf-support b/misc/cf-support index 51a8d8dc20..0c56b0d167 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -167,15 +167,21 @@ else # core: ELF 64-bit LSB core file, x86-64, version 1 (SYSV), SVR4-style, from '/var/cfengine/bin/cf-key', real uid: 0, effective uid: 0, realgid: 0, effective gid: 0, execfn: '/var/cfengine/bin/cf-key', platform: 'x86_64' cf_core_files=`find "$response" -name 'core*' -type f -exec file {} \; 2>/dev/null | grep "core file" | grep "cf-" | cut -d' ' -f1 | sed 's/:$//'` if [ -n "$cf_core_files" ]; then - if ! command -v gdb >/dev/null; then - echo "Please install gdb. This is required in order to analyze core dumps." - exit 1 + if [ "$OS" != "solaris" ]; then + if ! command -v gdb >/dev/null; then + echo "Please install gdb. This is required in order to analyze core dumps." + exit 1 + fi fi for core_file in $cf_core_files; do file "$core_file" >> "$_core_log" - execfn=`file "$core_file" | sed 's/,/\n/g' | grep execfn | cut -d: -f2 | sed "s/[' ]//g"` - exe="`realpath "$execfn"`" - gdb "$exe" --core="$core_file" -batch -ex "thread apply all bt full" >> "$_core_log" 2>&1 + if [ "$OS" = "solaris" ]; then + pstack "$core_file" >> "$_core_log" 2>&1 + else + execfn=`file "$core_file" | sed 's/,/\n/g' | grep execfn | cut -d: -f2 | sed "s/[' ]//g"` + exe="`realpath "$execfn"`" + gdb "$exe" --core="$core_file" -batch -ex "thread apply all bt full" >> "$_core_log" 2>&1 + fi done fi fi From d5d0e2caa68ac5a3e7e0bdb3701b3fcf93608549 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 3 Apr 2023 14:43:28 -0500 Subject: [PATCH 025/255] Adjust cf-support for hpux mktemp command mktemp -d on hpux doesn't work the same so just use the fallback legacy POSIX shell method. Ticket: ENT-9786 Changelog: title (cherry picked from commit 3467d171f5a3bd247d8b8cc5a0888b1f62e43027) --- misc/cf-support | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/cf-support b/misc/cf-support index 0c56b0d167..eb788cb50a 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -115,7 +115,7 @@ collection="cfengine_support_case_$case_number-`hostname`-$timestamp" make_temp_dir() { - if command -v mktemp >/dev/null; then + if command -v mktemp >/dev/null && [ "$OS" != "hpux" ]; then mktemp -d else # shellcheck disable=SC2021 From 961312d8d5ef910a63628b87f70016bf8febcc2e Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 4 Apr 2023 14:08:12 -0500 Subject: [PATCH 026/255] Moved OS detection earlier in cf-support It is needed earlier in the script for debugger detection and mktemp fallbacks. Ticket: ENT-9786 Changelog: title (cherry picked from commit a4f7a417e7b13f1aedeb08499eb98f5e911708f1) --- misc/cf-support | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/misc/cf-support b/misc/cf-support index eb788cb50a..0a04f49d25 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -126,6 +126,24 @@ make_temp_dir() fi } + +# determine operating system flavor +if command -v swlist 2>/dev/null; then + OS="hpux" +elif command -v oslevel 2>/dev/null; then + OS=aix +elif [ -f /etc/release ]; then + OS=solaris + OS_VERSION=$(uname -r) +elif [ -f /etc/redhat-release ] || [ -f /etc/os-release ] || [ -f /etc/lsb-release ]; then + OS=linux +elif command -v system_profiler 2>/dev/null; then + OS=macos +else + echo "unable to determine operating system, will try generic unix commands." + OS=unix +fi + tmpdir="`make_temp_dir`/$collection" export tmpdir mkdir -p "$tmpdir" @@ -226,23 +244,6 @@ log_cmd() fi } -# determine operating system flavor -if command -v swlist 2>/dev/null; then - OS="hpux" -elif command -v oslevel 2>/dev/null; then - OS=aix -elif [ -f /etc/release ]; then - OS=solaris - OS_VERSION=$(uname -r) -elif [ -f /etc/redhat-release ] || [ -f /etc/os-release ] || [ -f /etc/lsb-release ]; then - OS=linux -elif command -v system_profiler 2>/dev/null; then - OS=macos -else - echo "unable to determine operating system, will try generic unix commands." - OS=unix -fi - # first, collect basic information about the system log_cmd "uname -a" log_cmd "$BINDIR/cf-promises -V" From 8139925a7b6dc956afc5b4ebff2d7a3c94217daf Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 11 Apr 2023 10:39:37 +0200 Subject: [PATCH 027/255] Bumped libntech to master Ticket: None Changelog: None Signed-off-by: Lars Erik Wik --- libntech | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libntech b/libntech index 0c2de6fa25..9ed99dbefe 160000 --- a/libntech +++ b/libntech @@ -1 +1 @@ -Subproject commit 0c2de6fa259b5cbff2d915cd044bb0fc72972a85 +Subproject commit 9ed99dbefe2e601dc2debd3d13569d89bbc729f3 From ce6f189d353384a5f6b1e2168041c3569b6c2f6c Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 16 Mar 2023 14:07:34 +0100 Subject: [PATCH 028/255] validjson() no longer accepts trailing bogus data Policy function validjson() no longer accepts trailing bogus data. I.e. non-whitespace characters after json element termination. Ticket: CFE-4080 Changelog: Title Signed-off-by: Lars Erik Wik (cherry picked from commit 264de4e4e80578c5e97e850ea11d0cccc2505d28) --- libpromises/evalfunction.c | 2 +- .../validjson_trailing_bogus_data.cf | 54 +++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index 503237aca8..f6bef4137f 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -7089,7 +7089,7 @@ static FnCallResult ValidateDataGeneric(const char *const fname, } JsonElement *json = NULL; - JsonParseError err = JsonParse(&data, &json); + JsonParseError err = JsonParseAll(&data, &json); if (err != JSON_PARSE_OK) { Log(LOG_LEVEL_VERBOSE, "%s: %s", fname, JsonParseErrorToString(err)); diff --git a/tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf b/tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf new file mode 100644 index 0000000000..fda15ae3df --- /dev/null +++ b/tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf @@ -0,0 +1,54 @@ +############################################################################## +# +# Test validjson() evaluates to !any:: when there is trailing bogus data after +# termination for JSON object. +# +############################################################################## + +body common control +{ + bundlesequence => { "test", "check" }; + version => "1.0"; +} + +############################################################################## + +bundle agent test +{ + meta: + "description" -> { "CFE-4080" } + string => "Test validjson() with trailing bogus data"; +} + +############################################################################## + +bundle agent check +{ + classes: + "ok" + and => { + not(validjson('""a')), + validjson('""'), + not(validjson('{}b')), + validjson('{}'), + not(validjson('[]c')), + not(validjson('{}}')), + not(validjson('{"d": "e"}}')), + not(validjson('[]]')), + not(validjson('[[]]]')), + not(validjson('[[[]]]]')), + not(validjson(' []]')), + not(validjson('"some": [ "json" ] }')), + not(validjson('{ "some": [ "json" ] } [')), + not(validjson('["some", "json"]!')), + not(validjson(' ["some", "json"]a')), + not(validjson('["some", "json"] {"foo": "var"} ')), + validjson('{"test": [1, 2, 3]}'), + }; + + reports: + ok:: + "$(this.promise_filename) Pass"; + !ok:: + "$(this.promise_filename) FAIL"; +} From 86405516ca5352453e8e8339d644045e8876e2bd Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 19 Apr 2023 15:59:57 -0500 Subject: [PATCH 029/255] Prevented cf-support from searching more than 1 level for core files Prior to this change cf-support would search for core files recursively to infinity levels deep. This could be very expensive if a user typed in / as the path for core files for example. This change simply limits that recursion to a single level. Ticket: ENT-9981 Changelog: Title (cherry picked from commit a2583e26447c04bc64cd2d4ef04f984f1085a024) --- misc/cf-support | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/cf-support b/misc/cf-support index 0a04f49d25..3ddf3d7215 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -183,7 +183,7 @@ else if [ "$response" != "n" ]; then # file command on core files results in lines like the following which we parse for cf-* binaries # core: ELF 64-bit LSB core file, x86-64, version 1 (SYSV), SVR4-style, from '/var/cfengine/bin/cf-key', real uid: 0, effective uid: 0, realgid: 0, effective gid: 0, execfn: '/var/cfengine/bin/cf-key', platform: 'x86_64' - cf_core_files=`find "$response" -name 'core*' -type f -exec file {} \; 2>/dev/null | grep "core file" | grep "cf-" | cut -d' ' -f1 | sed 's/:$//'` + cf_core_files=`find "$response/." \( -name . -o -prune \) -name 'core*' -type f -exec file {} \; 2>/dev/null | grep "core file" | grep "cf-" | cut -d' ' -f1 | sed 's/:$//'` if [ -n "$cf_core_files" ]; then if [ "$OS" != "solaris" ]; then if ! command -v gdb >/dev/null; then From a408ca417be2d17adbc79299b2ead5e69ac533f8 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 10 Apr 2023 14:28:06 -0500 Subject: [PATCH 030/255] Fixed compiler warnings about unused variables With clang 14.0.3 on MacOS Ticket: ENT-9878 Changelog: title (cherry picked from commit 9da28382f8720a6e4b95fffef84a8b7b2064aebf) --- cf-agent/verify_methods.c | 2 -- libcfnet/client_code.c | 3 +-- libpromises/evalfunction.c | 2 -- libpromises/iteration.c | 5 ----- 4 files changed, 1 insertion(+), 11 deletions(-) diff --git a/cf-agent/verify_methods.c b/cf-agent/verify_methods.c index 39d32ab72f..7ca2865c36 100644 --- a/cf-agent/verify_methods.c +++ b/cf-agent/verify_methods.c @@ -95,10 +95,8 @@ PromiseResult VerifyMethod(EvalContext *ctx, const Rval call, const Attributes * const FnCall *fp = RvalFnCallValue(call); ExpandScalar(ctx, PromiseGetBundle(pp)->ns, PromiseGetBundle(pp)->name, fp->name, method_name); args = fp->args; - int arg_index = 0; while (args) { - ++arg_index; args = args->next; } args = fp->args; diff --git a/libcfnet/client_code.c b/libcfnet/client_code.c index afaef5a2d5..d168d37b31 100644 --- a/libcfnet/client_code.c +++ b/libcfnet/client_code.c @@ -572,7 +572,7 @@ bool CompareHashNet(const char *file1, const char *file2, bool encrypt, AgentCon static bool EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, AgentConnection *conn) { - int blocksize = 2048, n_read = 0, plainlen, more = true, finlen, cnt = 0; + int blocksize = 2048, n_read = 0, plainlen, more = true, finlen; int tosend, cipherlen = 0; char *buf, in[CF_BUFSIZE], out[CF_BUFSIZE], workbuf[CF_BUFSIZE], cfchangedstr[265]; unsigned char iv[32] = @@ -658,7 +658,6 @@ static bool EncryptCopyRegularFileNet(const char *source, const char *dest, off_ return false; } - cnt++; /* If the first thing we get is an error message, break. */ diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index f6bef4137f..c6b186872f 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -3644,7 +3644,6 @@ static FnCallResult FnCallMapData(EvalContext *ctx, ARG_UNUSED const Policy *pol { const JsonElement *e2; JsonIterator iter2 = JsonIteratorInit(e); - int position = 0; while ((e2 = JsonIteratorNextValueByType(&iter2, JSON_ELEMENT_TYPE_PRIMITIVE, true)) != NULL) { char *key = (char*) JsonGetPropertyAsString(e2); @@ -3697,7 +3696,6 @@ static FnCallResult FnCallMapData(EvalContext *ctx, ARG_UNUSED const Policy *pol EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_THIS, "k[1]"); } EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_THIS, "v"); - position++; } } break; diff --git a/libpromises/iteration.c b/libpromises/iteration.c index 3fba1ed20f..d314f6ada5 100644 --- a/libpromises/iteration.c +++ b/libpromises/iteration.c @@ -100,9 +100,6 @@ typedef struct { * field never changes after Wheel initialisation. */ char *varname_unexp; - /* Number of dependencies of varname_unexp */ - // const size_t deps; - /* On each iteration of the wheels, the unexpanded string is * re-expanded, so the following is refilled, again and again. */ char *varname_exp; @@ -527,7 +524,6 @@ static char *ProcessVar(PromiseIterator *iterctx, const EvalContext *evalctx, s_end = s + s_max; } char *next_var = s + FindDollarParen(s, s_max); - size_t deps = 0; while (next_var < s_end) /* does it have nested variables? */ { @@ -552,7 +548,6 @@ static char *ProcessVar(PromiseIterator *iterctx, const EvalContext *evalctx, else /* inner variable processed correctly */ { /* This variable depends on inner expansions. */ - deps++; /* We are sure (subvar_end+1) is not out of bounds. */ char *s_next = subvar_end + 1; const size_t s_next_len = strlen(s_next); From 72415705a76083cbd33d355b7f9d88983a7b342b Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 10 Apr 2023 14:56:09 -0500 Subject: [PATCH 031/255] Fixed deprecated-non-prototype compiler warnings error: passing arguments to a function without a prototype is deprecated in all versions of C and is not supported in C2x [-Werror,-Wdeprecated-non-prototype with clang 14.0.3 on MacOS Ticket: ENT-9878 Changelog: title (cherry picked from commit 4d66859eaff3895a3ed08283c8498b7fc83a1922) --- cf-net/cf-net.c | 2 +- libpromises/sort.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cf-net/cf-net.c b/cf-net/cf-net.c index 87d61724fe..840ec56e5c 100644 --- a/cf-net/cf-net.c +++ b/cf-net/cf-net.c @@ -156,7 +156,7 @@ static const char *command_strings[] = // INIT: static void CFNetSetDefault(CFNetOptions *opts); -static void CFNetInit(); +static void CFNetInit(const char *min_tls_version, const char *allow_ciphers); static void CFNetOptionsClear(CFNetOptions *opts); // MAIN LOGIC: diff --git a/libpromises/sort.c b/libpromises/sort.c index 371f7e9420..6c5d142995 100644 --- a/libpromises/sort.c +++ b/libpromises/sort.c @@ -203,7 +203,7 @@ static bool RlistCustomItemLess(void *lhs_, void *rhs_, void *ctx) { Rlist *lhs = lhs_; Rlist *rhs = rhs_; - bool (*cmp)() = ctx; + bool (*cmp)(void *a, void *b) = ctx; return (*cmp)(lhs->val.item, rhs->val.item); } From c854cf426172bb0e1f91d2802df0213b6461ba81 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Tue, 11 Apr 2023 09:24:15 -0500 Subject: [PATCH 032/255] Added classes and vars to cf-support Ticket: CFE-4160 Changelog: Title (cherry picked from commit ef020982fee71331edc0e1670fcfe680213dd89e) --- misc/cf-support | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/misc/cf-support b/misc/cf-support index 3ddf3d7215..e9de4ca054 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -342,6 +342,10 @@ log_cmd "$BINDIR/cf-key -p $WORKDIR/ppkeys/localhost.pub" log_cmd "grep 'version =' $WORKDIR/inputs/promises.cf" log_cmd "$BINDIR/cf-key -s -n" log_cmd "$BINDIR/cf-check diagnose" +$BINDIR/cf-promises --no-lock --show-classes --show-vars > "$tmpdir/classes-and-vars.txt" 2>&1 +$BINDIR/cf-agent --no-lock --file update.cf --show-evaluated-classes --show-evaluated-vars > "$tmpdir/update-evaluated-classes-and-vars.txt" 2>&1 +$BINDIR/cf-agent --no-lock --file promises.cf --show-evaluated-classes --show-evaluated-vars > "$tmpdir/promises-evaluated-classes-and-vars.txt" 2>&1 + if command -v systemctl >/dev/null; then log_cmd "systemctl status cfengine3" log_cmd "systemctl status cf-*" From 72ee327921cdfed09b27f7c9db8e591894411c80 Mon Sep 17 00:00:00 2001 From: Aleksei Shpakovskii Date: Wed, 12 Apr 2023 15:30:08 +0200 Subject: [PATCH 033/255] Symlink rpmvercmp only when needed Ticket: ENT-9891 Issue was that when "$RPMVERCMP" variable is not set, this command: ln "$RPMVERCMP" "$WORKDIR/bin" was printing an unhelpful error message that it can't overwrite a directory, thus polluting logs. So the solution is to not run this command when this variable is not set, a.k.a. when we don't need rpmvercmp. (cherry picked from commit 3cec91067a300bf721610a08eb3909b41439a434) --- tests/acceptance/testall | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/acceptance/testall b/tests/acceptance/testall index 9d4fb2d594..79cf1d39c2 100755 --- a/tests/acceptance/testall +++ b/tests/acceptance/testall @@ -431,7 +431,10 @@ runtest() { $LN_CMD "$CF_NET" "$WORKDIR/bin" $LN_CMD "$CF_CHECK" "$WORKDIR/bin" $LN_CMD "$CF_RUNAGENT" "$WORKDIR/bin" - $LN_CMD "$RPMVERCMP" "$WORKDIR/bin" + if [ "$NEED_RPMVERCMP" = "yes" ] + then + $LN_CMD "$RPMVERCMP" "$WORKDIR/bin" + fi $LN_CMD "$DIFF" "$WORKDIR/bin" fi for inc in $INCLUDE_IN_WORKDIR From 68091f614ced5439b03883ff6fe2475b30ae2e50 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 19 Apr 2023 12:54:04 -0500 Subject: [PATCH 034/255] Added use of together action to do multi-repo workflows Ticket: ENT-9169 Changelog: none (cherry picked from commit c9b6aba09e1eb8e412d6cc40fc8c24f61913310c) Conflicts: .github/workflows/job-static-check.yml .github/workflows/job-valgrind-check.yml These two conflicting jobs are not in place in 3.21.x so not included --- .github/workflows/valgrind.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml index 122390cfa5..ab5c421b12 100644 --- a/.github/workflows/valgrind.yml +++ b/.github/workflows/valgrind.yml @@ -14,11 +14,16 @@ jobs: with: path: core submodules: recursive + - name: Get Togethers + uses: cfengine/together-javascript-action@v1.4 + id: together + with: + myToken: ${{ secrets.GITHUB_TOKEN }} - name: Clone masterfiles (master) uses: actions/checkout@v3 with: repository: cfengine/masterfiles - ref: master + ref: ${{steps.together.outputs.masterfiles}} path: masterfiles submodules: recursive - name: Install dependencies From d203f2c3e111b4a93bc220c29b267354f70ec04e Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 19 Apr 2023 13:34:57 -0500 Subject: [PATCH 035/255] Upgraded actions/checkout from v2 to v3 From github workflow warning: Node.js 12 actions are deprecated. Please update the following actions to use Node.js 16: actions/checkout@v2. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Ticket: none Changelog: none (cherry picked from commit 8814e1d519f85b94125f46751a4c79545d314f05) --- .github/workflows/asan_unit_tests.yml | 2 +- .github/workflows/macos_unit_tests.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/asan_unit_tests.yml b/.github/workflows/asan_unit_tests.yml index aae0a8fdcf..9f7ba2076e 100644 --- a/.github/workflows/asan_unit_tests.yml +++ b/.github/workflows/asan_unit_tests.yml @@ -7,7 +7,7 @@ jobs: asan_unit_tests: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: recursive - name: Install dependencies diff --git a/.github/workflows/macos_unit_tests.yml b/.github/workflows/macos_unit_tests.yml index ac3eab2c84..d42545e022 100644 --- a/.github/workflows/macos_unit_tests.yml +++ b/.github/workflows/macos_unit_tests.yml @@ -7,7 +7,7 @@ jobs: macos_unit_tests: runs-on: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: recursive - name: Install dependencies From 59f44b8ad4539c44f7d08d9ef549261db796c5d7 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 20 Apr 2023 16:08:48 -0500 Subject: [PATCH 036/255] Upgrade together javascript action to v1.6 To support empty descriptions. (cherry picked from commit a8763b8065e3ab926d08299ae99867328a95c168) --- .github/workflows/valgrind.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml index ab5c421b12..6a47f36cc9 100644 --- a/.github/workflows/valgrind.yml +++ b/.github/workflows/valgrind.yml @@ -15,7 +15,7 @@ jobs: path: core submodules: recursive - name: Get Togethers - uses: cfengine/together-javascript-action@v1.4 + uses: cfengine/together-javascript-action@v1.6 id: together with: myToken: ${{ secrets.GITHUB_TOKEN }} From 8af977ee3fea299c27fcb063029c547e2baddd4f Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 4 May 2023 11:15:44 -0500 Subject: [PATCH 037/255] Bumped .CFVERSION number to 3.21.2 --- .CFVERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.CFVERSION b/.CFVERSION index 4c5e482b21..31f8fdf5e9 100644 --- a/.CFVERSION +++ b/.CFVERSION @@ -1 +1 @@ -3.21.1 +3.21.2 From bd1a54175f7670c11a428626171860dbf15baa24 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 5 May 2023 07:50:48 -0500 Subject: [PATCH 038/255] Upgraded together javascript action Ticket: ENT-10190 Changelog: none (cherry picked from commit ed867c06259bd3ed1d00dcd6d673316c05d9e03f) Conflicts: .github/workflows/job-static-check.yml .github/workflows/job-valgrind-check.yml .github/workflows/valgrind.yml valgrind.yml needed and upgrade, the other two are not present in 3.21.x and so were removed --- .github/workflows/valgrind.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml index 6a47f36cc9..00e8df9060 100644 --- a/.github/workflows/valgrind.yml +++ b/.github/workflows/valgrind.yml @@ -15,7 +15,7 @@ jobs: path: core submodules: recursive - name: Get Togethers - uses: cfengine/together-javascript-action@v1.6 + uses: cfengine/together-javascript-action@v1.7 id: together with: myToken: ${{ secrets.GITHUB_TOKEN }} From 9ae362c39d2ff589971e1bda68e40dcd46700074 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 10 May 2023 14:40:45 +0000 Subject: [PATCH 039/255] Added mctp_socket class to selinux policy Needed by rhel-9.2 linux kernel Ticket: ENT-10206 Changelog: title (cherry picked from commit f3ef17c3ec2d8afb35a73ced6938750aefb84a5f) --- misc/selinux/cfengine-enterprise.te | 1 + 1 file changed, 1 insertion(+) diff --git a/misc/selinux/cfengine-enterprise.te b/misc/selinux/cfengine-enterprise.te index d44339de6d..1c1981011f 100644 --- a/misc/selinux/cfengine-enterprise.te +++ b/misc/selinux/cfengine-enterprise.te @@ -91,6 +91,7 @@ require { type rpm_script_t; class lockdown { confidentiality integrity }; class tcp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown name_connect accept listen name_bind node_bind }; + class mctp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind }; class udp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown node_bind }; class sock_file { create write getattr setattr unlink }; class rawip_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; From 06641c21f85c73d4201a597009210b0f61a553c2 Mon Sep 17 00:00:00 2001 From: Aleksei Shpakovskii Date: Tue, 30 May 2023 12:54:57 +0200 Subject: [PATCH 040/255] Added changelog for 3.21.2 --- ChangeLog | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/ChangeLog b/ChangeLog index 4d07306787..c75a0c78cb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,31 @@ +3.21.2: + - Added --help option to cf-support and aligned output with other + components (ENT-9740) + - Added classes and vars to cf-support (CFE-4160) + - Added condition to runalerts service to require stamp directory + (ENT-9711) + - Added mctp_socket class to selinux policy (ENT-10206) + - Added native core dump handling in cf-support for solaris (ENT-9786) + - Added needed selinux class lockdown for latest rhel-9 hosts + (ENT-9685) + - Adjust cf-support for exotic/legacy POSIX systems (ENT-9340) + - Adjust cf-support for hpux mktemp command (ENT-9786) + - Instead of creating the directories with the default file + permissions, then change them to the desired state; directories are + now created with the desired set of permissions (CFE-4114) + - Enabled install-time selinux policy compiling (ENT-9685) + - Fixed --with-libxml2=no case in configure.ac (CFE-4023) + - Fixed compiler warnings about unused variables (ENT-9878) + - Fixed debug module expand logging for scalars (CFE-4122) + - Fixed deprecated-non-prototype compiler warnings (ENT-9878) + - Fixed syntax description of validjson() (ENT-9759) + - Moved OS detection earlier in cf-support (ENT-9786) + - Prevented cf-support from searching more than 1 level for core files + (ENT-9981) + - Started checking status of all cf- prefixed systemd services in cf-support + (ENT-9804) + - validjson() no longer accepts trailing bogus data (CFE-4080) + 3.21.0: - Added cf-support utility for generating support information (ENT-9037) From 8b683d021c8b04e35abd9d98dc58ab91e7e643cb Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Thu, 1 Jun 2023 13:27:14 +0200 Subject: [PATCH 041/255] Reviewed and improved 3.21.2 change log --- ChangeLog | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index c75a0c78cb..21c6a5bffa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,18 +8,14 @@ - Added native core dump handling in cf-support for solaris (ENT-9786) - Added needed selinux class lockdown for latest rhel-9 hosts (ENT-9685) - - Adjust cf-support for exotic/legacy POSIX systems (ENT-9340) - - Adjust cf-support for hpux mktemp command (ENT-9786) + - Adjusted cf-support for exotic/legacy POSIX systems (ENT-9340) + - Adjusted cf-support for hpux mktemp command (ENT-9786) - Instead of creating the directories with the default file permissions, then change them to the desired state; directories are now created with the desired set of permissions (CFE-4114) - Enabled install-time selinux policy compiling (ENT-9685) - - Fixed --with-libxml2=no case in configure.ac (CFE-4023) - - Fixed compiler warnings about unused variables (ENT-9878) - Fixed debug module expand logging for scalars (CFE-4122) - - Fixed deprecated-non-prototype compiler warnings (ENT-9878) - Fixed syntax description of validjson() (ENT-9759) - - Moved OS detection earlier in cf-support (ENT-9786) - Prevented cf-support from searching more than 1 level for core files (ENT-9981) - Started checking status of all cf- prefixed systemd services in cf-support From 020622e22cd33bc482399e7c3790c29e8e83a85b Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Thu, 1 Jun 2023 13:58:58 +0200 Subject: [PATCH 042/255] Added changelog for 3.21.1 --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 21c6a5bffa..5dc0f49909 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,13 @@ (ENT-9804) - validjson() no longer accepts trailing bogus data (CFE-4080) +3.21.1: + - This release contains fixes to CVE-2023-26560, a security vulnerability in the + CFEngine Enterprise Hub / Mission Portal. Beyond this, there were no other changes. + For more information about the vulnerability and release see our blog; + https://cfengine.com/blog/2023/cve-2023-26560/ + https://cfengine.com/blog/2023/cfengine-3-18-4-and-3-21-1-released/ + 3.21.0: - Added cf-support utility for generating support information (ENT-9037) From d99aa79d0645137088cb967ae2ec79fc86506744 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Thu, 1 Jun 2023 18:23:54 +0200 Subject: [PATCH 043/255] Upgraded libntech to latest master Signed-off-by: Ole Herman Schumacher Elgesem --- libntech | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libntech b/libntech index 9ed99dbefe..1d9ceb62cf 160000 --- a/libntech +++ b/libntech @@ -1 +1 @@ -Subproject commit 9ed99dbefe2e601dc2debd3d13569d89bbc729f3 +Subproject commit 1d9ceb62cf4cf64875199bd1454c74b8f124001f From 0ba67bc9dcffe8e070ec7fd8c3db78ba3de59f17 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 1 Jun 2023 14:25:04 -0500 Subject: [PATCH 044/255] Added libxml2 configure.ac related changelogs --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 5dc0f49909..2b608a825b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ 3.21.2: + - The CF3_WITH_LIBRARY and AC_CHECK_HEADERS were moved to outside of the check for with-libxml2=no (CFE-4023) + - configure.ac: Enabled use of pkg-config to find libxml2 (CFE-4014) - Added --help option to cf-support and aligned output with other components (ENT-9740) - Added classes and vars to cf-support (CFE-4160) From dc0a22f39dbf606e89f2f3cdc1942c514cce1221 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 19 May 2023 11:47:11 +0200 Subject: [PATCH 045/255] Variables & Classes Modules automatically tagged According to the docs; all variables and classes will be tagged with `source=module`. This was apparently only the case when specifying tags using `^meta=Tag1,Tag2`. Now this tag is added all the time, even when you don't specify tags. Furthermore, we added an additional meta tag `derived_from=` which holds the path to the module script when using the `usemodule()` policy function or the command when using a commands promise with `module => "true"`. Ticket: ENT-7725 Changelog: Body Signed-off-by: Lars Erik Wik (cherry picked from commit 4c99d33fb8af694efc4e25b0302d9eb825079f9c) --- libpromises/evalfunction.c | 4 ++++ .../vars-from-module-have-source-and-derived_from-tags.cf | 8 ++------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index c6b186872f..c21b1ed672 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -8609,6 +8609,9 @@ void ModuleProtocol(EvalContext *ctx, const char *command, const char *line, int { assert(tags); + StringSetAdd(tags, xstrdup("source=module")); + StringSetAddF(tags, "derived_from=%s", command); + // see the sscanf() limit below if(context_size < 51) { @@ -8671,6 +8674,7 @@ void ModuleProtocol(EvalContext *ctx, const char *command, const char *line, int StringSetAddSplit(tags, content, ','); StringSetAdd(tags, xstrdup("source=module")); + StringSetAddF(tags, "derived_from=%s", command); } else if (sscanf(line + 1, "persistence=%ld", persistence) == 1) { diff --git a/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf b/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf index 4b7b931d01..090efade28 100644 --- a/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf +++ b/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf @@ -15,10 +15,6 @@ bundle agent test string => "windows", comment => "The subtest policy uses /bin/echo"; - "test_soft_fail" - string => "any", - meta => { "ENT-7725" }; - commands: "/bin/echo" args => "=my_var_from_module= my val from module", @@ -34,12 +30,12 @@ bundle agent check reports: # Every variable should have a source=SOMETHING tag - "Pass $(this.promise_filename)" + "$(this.promise_filename) Pass" if => and( reglist( @(my_var_from_module_tags), "source=.*" ), reglist( @(my_var_from_module_tags), "derived_from=.*" ) ); - "FAIL $(this.promise_filename)" + "$(this.promise_filename) FAIL" unless => and( reglist( @(my_var_from_module_tags), "source=.*" ), reglist( @(my_var_from_module_tags), "derived_from=.*" ) From 7d5fb4cf7cf2af3cad27a45a2f2f698df81b583a Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 30 May 2023 13:23:16 +0200 Subject: [PATCH 046/255] Fixed test to pass with new default tag We added a new default tag `derived_from=.*` in ENT-7725 for modules. The test now also checks for this tag. Ticket: ENT-7725 Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 27ba1ce75b095b6d22b784d90c0a23863cdd4302) --- .../08_commands/01_modules/set-tags.cf | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/tests/acceptance/08_commands/01_modules/set-tags.cf b/tests/acceptance/08_commands/01_modules/set-tags.cf index 73e474dc9a..6d59cbb3da 100644 --- a/tests/acceptance/08_commands/01_modules/set-tags.cf +++ b/tests/acceptance/08_commands/01_modules/set-tags.cf @@ -62,10 +62,10 @@ bundle agent check "jtags2" string => join(",", "tags2"); "jtags3" string => join(",", "tags3"); - "etags0" string => "xyz,abc=def,,??what is this??,source=module"; - "etags1" string => "xyz,abc=def,,??what is this??,source=module"; - "etags2" string => "1,2,3,source=module"; - "etags3" string => "a,b,c,source=module"; + "etags0" string => "xyz,abc=def,,\?\?what is this\?\?,source=module,derived_from=.*"; + "etags1" string => "xyz,abc=def,,\?\?what is this\?\?,source=module,derived_from=.*"; + "etags2" string => "1,2,3,source=module,derived_from=.*"; + "etags3" string => "a,b,c,source=module,derived_from=.*"; classes: @@ -76,10 +76,10 @@ bundle agent check "var3ok" expression => strcmp("${this.joined3}" , "${this.actual3}"); "var4ok" expression => strcmp("hello there" , "${xyz.myvar}"); - "tags0ok" expression => strcmp($(jtags0), $(etags0)); - "tags1ok" expression => strcmp($(jtags1), $(etags1)); - "tags2ok" expression => strcmp($(jtags2), $(etags2)); - "tags3ok" expression => strcmp($(jtags3), $(etags3)); + "tags0ok" expression => regcmp($(etags0), $(jtags0)); + "tags1ok" expression => regcmp($(etags1), $(jtags1)); + "tags2ok" expression => regcmp($(etags2), $(jtags2)); + "tags3ok" expression => regcmp($(etags3), $(jtags3)); "ok" and => { "myclass", "var0ok", "var1ok", "var2ok", "var3ok", "var4ok", "tags0ok", "tags1ok", "tags2ok", "tags3ok", }; @@ -88,15 +88,15 @@ bundle agent check DEBUG:: "xyzvars = $(xyzvars)"; - "tags0ok => strcmp('$(jtags0)', '$(etags0)')" if => "tags0ok"; - "tags1ok => strcmp('$(jtags1)', '$(etags1)')" if => "tags1ok"; - "tags2ok => strcmp('$(jtags2)', '$(etags2)')" if => "tags2ok"; - "tags3ok => strcmp('$(jtags3)', '$(etags3)')" if => "tags3ok"; + "tags0ok => regcmp('$(etags0)', '$(jtags0)')" if => "tags0ok"; + "tags1ok => regcmp('$(etags1)', '$(jtags1)')" if => "tags1ok"; + "tags2ok => regcmp('$(etags2)', '$(jtags2)')" if => "tags2ok"; + "tags3ok => regcmp('$(etags3)', '$(jtags3)')" if => "tags3ok"; - "tags0 NOT ok => strcmp('$(jtags0)', '$(etags0)')" if => "!tags0ok"; - "tags1 NOT ok => strcmp('$(jtags1)', '$(etags1)')" if => "!tags1ok"; - "tags2 NOT ok => strcmp('$(jtags2)', '$(etags2)')" if => "!tags2ok"; - "tags3 NOT ok => strcmp('$(jtags3)', '$(etags3)')" if => "!tags3ok"; + "tags0 NOT ok => regcmp('$(etags0)', '$(jtags0)')" if => "!tags0ok"; + "tags1 NOT ok => regcmp('$(etags1)', '$(jtags1)')" if => "!tags1ok"; + "tags2 NOT ok => regcmp('$(etags2)', '$(jtags2)')" if => "!tags2ok"; + "tags3 NOT ok => regcmp('$(etags3)', '$(jtags3)')" if => "!tags3ok"; ok:: "$(this.promise_filename) Pass"; From 693a5d4a222ee3f0dd87b3d922e01be68e722a6f Mon Sep 17 00:00:00 2001 From: Lars Erik Wik <53906608+larsewi@users.noreply.github.com> Date: Mon, 5 Jun 2023 16:09:01 +0200 Subject: [PATCH 047/255] Update ChangeLog to include changes from ENT-7725 --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 2b608a825b..d30cb86391 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,7 @@ - Started checking status of all cf- prefixed systemd services in cf-support (ENT-9804) - validjson() no longer accepts trailing bogus data (CFE-4080) + - Variables & Classes Modules are now automatically tagged with 'source=module' and 'derived_from=' (ENT-7725) 3.21.1: - This release contains fixes to CVE-2023-26560, a security vulnerability in the From 418ea70ec32900b11a88fca01c8cea2c6339343c Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Mon, 5 Jun 2023 16:14:37 +0200 Subject: [PATCH 048/255] Corrected capitalization in changelog --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index d30cb86391..8152460c34 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,7 +23,7 @@ - Started checking status of all cf- prefixed systemd services in cf-support (ENT-9804) - validjson() no longer accepts trailing bogus data (CFE-4080) - - Variables & Classes Modules are now automatically tagged with 'source=module' and 'derived_from=' (ENT-7725) + - Variables & classes modules are now automatically tagged with 'source=module' and 'derived_from=' (ENT-7725) 3.21.1: - This release contains fixes to CVE-2023-26560, a security vulnerability in the From bb2cda1c1600b78e5a12750a06b558e824a45d12 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Fri, 9 Jun 2023 16:57:28 +0200 Subject: [PATCH 049/255] Bumped .CFVERSION number to 3.21.3 Signed-off-by: Ole Herman Schumacher Elgesem --- .CFVERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.CFVERSION b/.CFVERSION index 31f8fdf5e9..c60ca5ac9c 100644 --- a/.CFVERSION +++ b/.CFVERSION @@ -1 +1 @@ -3.21.2 +3.21.3 From b3c18d2813edc3ff11caecc48a5b3e50f9da120d Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 15 Jun 2023 13:15:08 +0200 Subject: [PATCH 050/255] Fixed misleading error message when adding CMDB classes The function that adds CMDB classes to the context, checks if the class is already there. If this is the case, it skips adding the class and returns false. The code using this function interpreted false as an error, which is not the case. Ticket: ENT-10336 Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit bc438ca11006fd86b0bc9015da1f2414f262ed76) --- libpromises/cmdb.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libpromises/cmdb.c b/libpromises/cmdb.c index ff6dec9d98..2e17fb9c9a 100644 --- a/libpromises/cmdb.c +++ b/libpromises/cmdb.c @@ -407,8 +407,10 @@ static bool ReadCMDBClasses(EvalContext *ctx, JsonElement *classes) bool ret = AddCMDBClass(ctx, key, default_tags, NULL); if (!ret) { - /* Details should have been logged already. */ - Log(LOG_LEVEL_ERR, "Failed to add CMDB class '%s'", key); + /* It does not have to be and error, it could be a result of + * the class already existing. Anyways, details about + * potential errors should have been logged already. */ + Log(LOG_LEVEL_DEBUG, "Did not add CMDB class '%s'", key); } } else if (JsonGetContainerType(data) == JSON_CONTAINER_TYPE_ARRAY && @@ -446,8 +448,10 @@ static bool ReadCMDBClasses(EvalContext *ctx, JsonElement *classes) bool ret = AddCMDBClass(ctx, key, default_tags, NULL); if (!ret) { - /* Details should have been logged already. */ - Log(LOG_LEVEL_ERR, "Failed to add CMDB class '%s'", key); + /* It does not have to be and error, it could be a result of + * the class already existing. Anyways, details about + * potential errors should have been logged already. */ + Log(LOG_LEVEL_DEBUG, "Did not add CMDB class '%s'", key); } } else if (JsonGetContainerType(data) == JSON_CONTAINER_TYPE_OBJECT) @@ -484,8 +488,10 @@ static bool ReadCMDBClasses(EvalContext *ctx, JsonElement *classes) bool ret = AddCMDBClass(ctx, key, tags, comment); if (!ret) { - /* Details should have been logged already. */ - Log(LOG_LEVEL_ERR, "Failed to add CMDB class '%s'", key); + /* It does not have to be and error, it could be a result of + * the class already existing. Anyways, details about + * potential errors should have been logged already. */ + Log(LOG_LEVEL_DEBUG, "Did not add CMDB class '%s'", key); } } else From 643215f6f1d943527415065bcef1f8680fd0726f Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Mon, 19 Jun 2023 11:43:44 -0500 Subject: [PATCH 051/255] Improved syntax description for validjson() This function takes a string, and not a data container, it has confused people. Ticket: ENT-9759 Changelog: Title (cherry picked from commit c4ffbdb1e1c4b2186107f1647c4c0ae2aedf48c6) --- libpromises/evalfunction.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index c21b1ed672..94b2793d24 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -9536,7 +9536,7 @@ static const FnCallArg READFILE_ARGS[] = static const FnCallArg VALIDDATATYPE_ARGS[] = { - {CF_ANYSTRING, CF_DATA_TYPE_STRING, "Data to validate"}, + {CF_ANYSTRING, CF_DATA_TYPE_STRING, "String to validate as JSON"}, {NULL, CF_DATA_TYPE_NONE, NULL} }; From 6eca381e38cc6b74b103db5264ace7ba76228452 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Wed, 21 Jun 2023 16:24:18 +0200 Subject: [PATCH 052/255] ChangeLog: Backported cleanups from master to 3.21.x Signed-off-by: Ole Herman Schumacher Elgesem --- ChangeLog | 1864 ++++++++++++++++++++++------------------------------- 1 file changed, 765 insertions(+), 1099 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8152460c34..db73fda858 100644 --- a/ChangeLog +++ b/ChangeLog @@ -297,7 +297,7 @@ interpreters results in an error (CFE-3572) - Value of the 'files_single_copy' body control attribute is now logged in verbose logging mode (CFE-3622) - - variables and classes defined in cmdb cannot be re-defined in + - Variables and classes defined in cmdb cannot be re-defined in augments (ENT-7079) - Verbose log now contains comments associated with 'vars' and 'classes' promises (CFE-2442, CFE-2443) @@ -529,7 +529,7 @@ - IPv6 addresses are now added to policy variable sys.ip_addresses (CFE-682) - IPv6 addresses now respect ignored_interfaces.rx (CFE-3156) - - hostname now allowed in bindtoaddress (CFE-3190) + - Hostname now allowed in bindtoaddress (CFE-3190) - Fixed issue when removing comments from files in various policy functions This also fixes many erroneous occurences of the error message mentioning: @@ -597,7 +597,7 @@ - Added a new utility to contrib: cf-remote cf-remote is a python + fabric tool to log in to remote hosts you have ssh access to. It can be used to download, transfer, - and install cfengine packages as well as bootstrapping etc. + and install CFEngine packages as well as bootstrapping etc. At this point, cf-remote is not packaged with CFEngine, but can be installed separately from: https://github.com/cfengine/cf-remote @@ -793,17 +793,17 @@ use string comparison to find matches. The documentation is clear; arguments should be regexes (so you have to escape special characters). - bundle agent main - { - vars: - "myvar" - string => "example", - meta => {"os[linux]"}; - "matches" - slist => variablesmatching(".*", "os\[linux\]"); - reports: - "Match: $(matches)"; - } + bundle agent main + { + vars: + "myvar" + string => "example", + meta => {"os[linux]"}; + "matches" + slist => variablesmatching(".*", "os\[linux\]"); + reports: + "Match: $(matches)"; + } The above example is correct. If you don't escape the brackets like above, it will no longer work. (You probably shouldn't use brackets in tags anyway). @@ -817,7 +817,7 @@ (CFE-2817) - Fixed issue with cf-agent intermittently hanging on windows sometimes (ENT-3756) - - change GIT_BRANCH to GIT_REFSPEC and remove Design Center vars + - Change GIT_BRANCH to GIT_REFSPEC and remove Design Center vars (ENT-4023) - os-release file is now used for hard classes and sys.flavor on all linuxes This will improve platform detection on newer operating systems where @@ -828,14 +828,14 @@ special variable sys.flavor will also be set by determining major version from VERSION_ID. Example os-release file: - ID=coreos - VERSION_ID=1185.3.0 + ID=coreos + VERSION_ID=1185.3.0 For the example above, sys.flavor will be coreos_1185 and 4 hard classes will be set; coreos_1185_3_0, coreos_1185_3, coreos_1185, and coreos. For backwards compatibility, older distribution specific logic is still executed and may overwrite sys.flavor and define hard classes as before. - - refactor use of atexit to use custom cleanup function instead. On Windows + - Refactor use of atexit to use custom cleanup function instead. On Windows atexit() unloads DLLs before and/or during atexit functions being called which causes bad behavior. (ENT-3756) @@ -1020,7 +1020,7 @@ example to enable all log modules, run: cf-agent -d --log-modules=all - Add: edit_line contains_literal_string to stdlib - - add variablesmatching_as_data() function paralleling variablesmatching() + - Add variablesmatching_as_data() function paralleling variablesmatching() (Redmine #7885) - Allow specifying agent maxconnections via def.json (CFE-2461) - Add getuserinfo() function @@ -1034,29 +1034,29 @@ This speeds up enormously the execution of policies that included long slists or JSON containers, that in the past didn't even terminate. Change: "cf_null" string literal was changed to not be something - special, and it's now a string that can be used anywhere, like - in slists or part of bundlesequence etc. + special, and it's now a string that can be used anywhere, like + in slists or part of bundlesequence etc. NOTE: Old policy should be grep'ed for "cf_null" and in case such - occurences were handled specially, they should be reworked. + occurences were handled specially, they should be reworked. Change: "--empty-list--" is now never printed by format(), - an empty list is now printed as "{ }". + an empty list is now printed as "{ }". Change: Order of pre-evaluation was slightly changed, A new "vars" pass - at the beginning of pre-evaluation was added. It used to be - classes-vars, but it was changed to vars-classes-vars. As a - result some classes or variables might be evaluated at a - different time than before. As always try to write policy code that works no matter what the - order of execution is. - One way is to always *guard* the execution of functions to avoid - bogus function results. For example the following will avoid - running execresult() bevore the file has been created: - execresult("cmd /path/to/filename") if => fileexists("/path/to/filename"); + at the beginning of pre-evaluation was added. It used to be + classes-vars, but it was changed to vars-classes-vars. As a + result some classes or variables might be evaluated at a + different time than before. As always try to write policy code that works no matter what the + order of execution is. + One way is to always *guard* the execution of functions to avoid + bogus function results. For example the following will avoid + running execresult() bevore the file has been created: + execresult("cmd /path/to/filename") if => fileexists("/path/to/filename"); C internals: NULL Rlist is now perfectly valid, in fact it is the only - way to denote an empty Rlist. + way to denote an empty Rlist. C internals: Since a slist variable can be NULL, API of - EvalContextVariableGet() changed: The way to detect if a - variable is found, is not to check return value for NULL, - but to check returned *type* for CF_DATA_TYPE_NONE. - Fixed what I could find as wrong API uses. (CFE-2162) + EvalContextVariableGet() changed: The way to detect if a + variable is found, is not to check return value for NULL, + but to check returned *type* for CF_DATA_TYPE_NONE. + Fixed what I could find as wrong API uses. (CFE-2162) - Allow arbitrary service policies (CFE-2402) - Behaviour change: cf-execd: Do not append -Dfrom_cfexecd to exec_command . (CFE-2386) @@ -1074,7 +1074,7 @@ (CFE-2429) - Change: Switch processes restart_class logging to verbose - Change: Log level for keeping verbatim JSON to DEBUG (CFE-2141) - - Change: Require network before cfengine services (CFE-2435) + - Change: Require network before CFEngine services (CFE-2435) - Behaviour change: getvalues(inexistent_var) returns an empty list. Restores 3.7.x and earlier behaviour. (CFE-2479) - Behaviour change: when used with CFEngine 3.10.0 or greater, @@ -1093,7 +1093,7 @@ (CFE-2519) Bug fixes: - - fix files promise not setting ACL properly on directories. (CFE-616) + - Fix files promise not setting ACL properly on directories. (CFE-616) - Upgrade CFEngine dependencies to the following versions: - lixml2 2.9.4 - OpenSSL 1.0.2j @@ -1110,12 +1110,12 @@ - Fix bug which caused empty emails to be sent from cf-execd if there was no previous output log and the new log was fully filtered by email filters. (ENT-2739) - - allow ifelse(FALSE, $(x), "something else") to work. (CFE-2260) + - Allow ifelse(FALSE, $(x), "something else") to work. (CFE-2260) - Fix connection cache, reuse connections when possible. (CFE-2447) - Fix rare bug that would sometimes prevent redis-server from launching. - Fix bug in files promise when multiple owners are promised but first one doesn't exist, and improve logging . (CFE-2432) - - define kept outcome with action warn if edit_line is as expected + - Define kept outcome with action warn if edit_line is as expected (CFE-2424) - Example using getvariablemetatags() and getclassmetatags() to get a specific tag key - Remove 2k limit on strings length when writing JSON policies @@ -1125,7 +1125,7 @@ - Allow editing fields in lines longer than 4k (CFE-2438) - Don't send empty emails for logs where everything is filtered. (ENT-2739) - - allow maplist(), maparray(), and mapdata() to evaluate function calls during iteration + - Allow maplist(), maparray(), and mapdata() to evaluate function calls during iteration (ARCHIVE-1619) - insert_lines is no longer implicitly matching EOF as end of the region if 'select_end' pattern is not matched . (CFE-2263) @@ -1149,8 +1149,8 @@ - Be less verbose if a network interface doesn't have a MAC address. (CFE-1995) - Fix: CFEngine choking on standard services (CFE-2806) - - fix insert_lines related memory corruption (CFE-2520) - - fix cf-serverd crash when reporting corrupted data. (ENT-3023) + - Fix insert_lines related memory corruption (CFE-2520) + - Fix cf-serverd crash when reporting corrupted data. (ENT-3023) - Fix ability to manage INI sections with metachars for manage_variable_values_ini and set_variable_values_ini (CFE-2519) - Fix apt_get package module incorrectly using interactive mode. @@ -1176,7 +1176,7 @@ - See documentation for more details. (Jira CFE-1991) - sys.ip2iface: new reverse mapping variable from IP to interface name - Namespaced classes can now be specified on the command line. - - namespaces can now be passed to cf-runagent -D and --remote-bundles + - Namespaces can now be passed to cf-runagent -D and --remote-bundles (Redmine #7856) - Add 'cf-full' and 'json-full' to cf-promises '-p' option. They generate output based on the entire policy. The existing 'cf' @@ -1198,7 +1198,7 @@ useful. A corresponding $(def.jq) variable has also been added with a default path to this tool. See documentation for mapdata() for more information and examples. (Jira CFE-2071) - - behaviour change: "true" is always defined and "false" is never defined in a context expression. + - Behaviour change: "true" is always defined and "false" is never defined in a context expression. - Add: nimclient package module for AIX This module provides basic functionality for using nimclient as a means to ensure packages are either present or absent. It does not support @@ -1292,8 +1292,8 @@ defined, it will be used by all promises of type unless another body is explicitly used. - cf-serverd no longer appends "-I -Dcfruncommand" to - cfruncommand, this has to be done manually in masterfiles - body server control. (Redmine #7732) + cfruncommand, this has to be done manually in masterfiles + body server control. (Redmine #7732) - eval() function arguments mode and options are now optional. - sort() function argument mode is now optional. @@ -1383,7 +1383,7 @@ started" messages in the log, most notably in long running cf-agent runs (longer than one minute). (Redmine #7933) - TTY detection should be more reliable. (Redmine #7606) - - cf-promises -p cf now produces valid cfengine code (Redmine #7956) + - cf-promises -p cf now produces valid CFEngine code (Redmine #7956) - Fix ps options for FreeBSD to check processes only in current host and not in jails - cf-runagent now properly supports multiple -D or -s arguments (Redmine #7191) @@ -1414,7 +1414,7 @@ attributes is different between the mount points. - Fix classes being set because of hash collision in the implementation. (Redmine #7912) - - fix build failure on FreeBSD 7.1 (Redmine #7415) + - Fix build failure on FreeBSD 7.1 (Redmine #7415) - Improve logging when managing setuid/setgid - Reduce verbosity of apt_get package module (Redmine #7485) - packagesmatching() and packageupdatesmatching() should work @@ -1451,7 +1451,7 @@ hub can execute package promises. (Redmine #7602) - Fix: CFEngine choking on standard services (Jira CFE-2086) - Fix: cf-upgrade on SUSE - - Fix: Stop cfengine choking on systemctl output (Jira CFE-2806) + - Fix: Stop CFEngine choking on systemctl output (Jira CFE-2806) - storage: Properly initialize the list of current mounts (Jira CFE-1803) - Fix bug which caused empty emails to be sent from cf-execd @@ -1505,7 +1505,7 @@ - Installing packages containing version numbers using yum now works correctly. (Redmine #7825) - Fix ps options for FreeBSD to check processes only in current host and not in jails - - fix build failure on FreeBSD 7.1 (Redmine #7415) + - Fix build failure on FreeBSD 7.1 (Redmine #7415) - Show errors regarding failure to copy extended attributes when doing a local file copy. Errors could happen when copying across two different mount points where the support for extended @@ -1559,7 +1559,7 @@ inherit from, plus any arguments it accepts. For example: body classes myclasses { - inherit_from => classes_generic("myname"); + inherit_from => classes_generic("myname"); } (Redmine #4309) - Add url_get() function. (Redmine #6480) @@ -1626,7 +1626,7 @@ - Redmine #6027 Directories should no more be changed randomly into files. (Redmine #6027) - Improve cf-serverd's lock contention because of getpwnam() - call. (Redmine #7643) (Redmine #7643) + call. (Redmine #7643) (Redmine #7643) - action_policy "warn" now correctly produces warnings instead of various other verbosity levels. (Redmine #7274) - If there is an error saving a mustache template file @@ -1691,7 +1691,7 @@ - Redis 2.8.24 - rsync 3.1.2 PHP was kept at 5.6.17 because of problems with the 5.6.19 version. - - parse def.json vars, classes, and inputs in C (Redmine #7453) + - Parse def.json vars, classes, and inputs in C (Redmine #7453) - Namespaced classes can now be specified on the command line. - getvalues() will now return a list also for data containers, and will descend recursively into the containers. (Redmine #7116) @@ -1731,7 +1731,7 @@ (Redmine #7274) - Fix classes being set because of hash collision in the implementation. (Redmine #7912) - - fix build failure on FreeBSD 7.1 (Redmine #7415) + - Fix build failure on FreeBSD 7.1 (Redmine #7415) - Installing packages containing version numbers using yum now works correctly. (Redmine #7825) @@ -1755,7 +1755,7 @@ - Redis 2.8.24 - rsync 3.1.2 PHP was kept at 5.6.17 because of problems with the 5.6.19 version. - - parse def.json vars, classes, and inputs in C (Redmine #7453) + - Parse def.json vars, classes, and inputs in C (Redmine #7453) - Namespaced classes can now be specified on the command line. - getvalues() will now return a list also for data containers, and will descend recursively into the containers. (Redmine #7116) @@ -1795,7 +1795,7 @@ (Redmine #7274) - Fix classes being set because of hash collision in the implementation. (Redmine #7912) - - fix build failure on FreeBSD 7.1 (Redmine #7415) + - Fix build failure on FreeBSD 7.1 (Redmine #7415) - Installing packages containing version numbers using yum now works correctly. (Redmine #7825) @@ -1888,23 +1888,22 @@ - New package promise implementation. The syntax is much simpler, to try it out, check out the syntax: packages: - "mypackage" - policy => "absent/present", - - # Optional, default taken from common control - package_module => apt_get, + "mypackage" + policy => "absent/present", - # Optional, will only match exact version. May be - # "latest". - version => "32.0", + # Optional, default taken from common control + package_module => apt_get, - # Optional. - architecture => "x86_64"; + # Optional, will only match exact version. May be + # "latest". + version => "32.0", + # Optional. + architecture => "x86_64"; - Full systemd support for all relevant platforms - New classes to determine whether certain features are enabled: - * feature_yaml - * feature_xml + * feature_yaml + * feature_xml For the official CFEngine packages, these are always enabled, but packages from other sources may be built without the support. - New readdata() support for generic data input (CSV, YAML, JSON, or auto) @@ -1929,7 +1928,7 @@ same data structure will produce the same JSON every time. - New "@if minimum_version(x.x)" syntax in order to hide future language improvements from versions that don't understand them. - - compile time option (--with-statedir) to + - Compile time option (--with-statedir) to override the default state/ directory path. - Fix error messages/ handling in process signalling which no longer allowed any signals to fail silently @@ -1941,7 +1940,7 @@ - In a services promise, if the service_method bundle is not specified, it defaults to the promiser string (canonified) with "service_" as a prefix. The bundle must be in the same namespace as the promise. - - inline JSON in policy files: surrounding with parsejson() is now + - Inline JSON in policy files: surrounding with parsejson() is now optional *when creating a new data container*. - New data_expand() function to interpolate variables in a data container. - Add configurable network bandwidth limit for all outgoing @@ -2126,72 +2125,72 @@ 3.6.3 New features: - - support for HP-UX 11.23 and later - - experimental support for Red Hat Enterprise Linux 7 + - Support for HP-UX 11.23 and later + - Experimental support for Red Hat Enterprise Linux 7 Bug fixes: - - fix getindices on multi-dimensional arrays (Redmine #6779) - - fix mustache template method to run in dryrun mode (Redmine #6739) - - set mailto and mailfrom settings for execd in def.cf (Redmine #6702) - - fix conflation of multi-index entries in arrays (Redmine #6674) - - fix promise locking when transferring using update.cf (Redmine #6623) - - update JSON parser to return an error on truncation (Redmine #6608) - - fix sys.hardware_addresses not expanded (Redmine #6603) - - fix opening database txn /var/cfengine/cf_lastseen.lmdb: + - Fix getindices on multi-dimensional arrays (Redmine #6779) + - Fix mustache template method to run in dryrun mode (Redmine #6739) + - Set mailto and mailfrom settings for execd in def.cf (Redmine #6702) + - Fix conflation of multi-index entries in arrays (Redmine #6674) + - Fix promise locking when transferring using update.cf (Redmine #6623) + - Update JSON parser to return an error on truncation (Redmine #6608) + - Fix sys.hardware_addresses not expanded (Redmine #6603) + - Fix opening database txn /var/cfengine/cf_lastseen.lmdb: MDB_READERS_FULL when running cf-keys --show-hosts (Redmine #6602) - - fix segfault (Null pointer dereference) when select_end in + - Fix segfault (Null pointer dereference) when select_end in delete_lines never matches (Redmine #6589) - - fix max_file_size => "0" not disabling or allowing any size + - Fix max_file_size => "0" not disabling or allowing any size (Redmine #6588) - - fix ifvarclass, with iteration over list, failing when deleting + - Fix ifvarclass, with iteration over list, failing when deleting files with time condition (Redmine #6577) - - fix classes defined with "or" constraint are never set if any value + - Fix classes defined with "or" constraint are never set if any value doesn't evaluate to a scalar (Redmine #6569) - - update "mailfrom" default in default policy (Redmine #6567) - - fix logrotate ambiguity of filename (Redmine #6563) - - fix parsing JSON files (Redmine #6549) - - reduce write count activity to /var partition (Redmine #6523) - - fix files delete attribute incorrectly triggering promise_kept + - Update "mailfrom" default in default policy (Redmine #6567) + - Fix logrotate ambiguity of filename (Redmine #6563) + - Fix parsing JSON files (Redmine #6549) + - Reduce write count activity to /var partition (Redmine #6523) + - Fix files delete attribute incorrectly triggering promise_kept (Redmine #6509) - - update services bundle output related to chkconfig when run in + - Update services bundle output related to chkconfig when run in inform mode. (Redmine #6492) - - fix Solaris serverd tests (Redmine #6406) - - fix broken bechaviour of merging arrays with readstringarray + - Fix Solaris serverd tests (Redmine #6406) + - Fix broken bechaviour of merging arrays with readstringarray (Redmine #6369) - - fix ifelapsed bug with bundle nesting (Redmine #6334) - - fix handling cf_null in bundlesequence (Redmine #6119) - - fix maparray reading whole input array when using subarray + - Fix ifelapsed bug with bundle nesting (Redmine #6334) + - Fix handling cf_null in bundlesequence (Redmine #6119) + - Fix maparray reading whole input array when using subarray (Redmine #6033) - - fix directories being randomly changed to files (Redmine #6027) - - update defaults promise type to work with classes (Redmine #5748) + - Fix directories being randomly changed to files (Redmine #6027) + - Update defaults promise type to work with classes (Redmine #5748) - systemd integration in services promises (Redmine #5415) - - fix touch attribute ignoring action = warn_only (Redmine #3172) - - fix 4KB string limit in functions readfile, string_downcase, + - Fix touch attribute ignoring action = warn_only (Redmine #3172) + - Fix 4KB string limit in functions readfile, string_downcase, string_head, string_reverse, string_length, string_tail, string_upcase (Redmine #2912) 3.6.2 Bug fixes: - - don't regenerate software_packages.csv every time (Redmine #6441) - - improve verbose message for package_list_command - - fix missing log output on AIX (Redmine #6434) - - assorted fixes to dirname() esp on Windows (Redmine #4716) - - fix package manager detection - - fix build issues on FreeBSD - - allow copying of dead symbolic links (Redmine #6175) - - preserve order in readstringarrayidx (Redmine #6466) - - fix passing of unexpanded variable references to arrays + - Don't regenerate software_packages.csv every time (Redmine #6441) + - Improve verbose message for package_list_command + - Fix missing log output on AIX (Redmine #6434) + - Assorted fixes to dirname() esp on Windows (Redmine #4716) + - Fix package manager detection + - Fix build issues on FreeBSD + - Allow copying of dead symbolic links (Redmine #6175) + - Preserve order in readstringarrayidx (Redmine #6466) + - Fix passing of unexpanded variable references to arrays (Redmine #5893) - - use entries for new {admin,deny}_{ips,hostnames} constraints in + - Use entries for new {admin,deny}_{ips,hostnames} constraints in the relevant legacy lists (Redmine #6542) - - cope with ps's numeric fields overflowing to the right - - interpret failing function calls in ifvarclass as class not set + - Cope with ps's numeric fields overflowing to the right + - Interpret failing function calls in ifvarclass as class not set (Redmine #6327) - - remove unexpanded lists when extending lists (Redmine #6541) - - infer start-time of a process from elapsed when needed + - Remove unexpanded lists when extending lists (Redmine #6541) + - Infer start-time of a process from elapsed when needed (Redmine #4094) - - fix input range definition for laterthan() function (Redmine #6530) - - don't add trailing delimiter when join()'ing lists ending with a + - Fix input range definition for laterthan() function (Redmine #6530) + - Don't add trailing delimiter when join()'ing lists ending with a null-value (Redmine #6552) - 9999999999 (ten 9s) or higher has been historically used as an upper bound in CFEngine code and policy but because of overflow on 32-bit @@ -2210,7 +2209,7 @@ Changes: - Short-circuit evaluation of classes promises if class is already set (Redmine #5241) - - fix to assume all non-specified return codes are failed in commands promises (Redmine #5986) + - Fix to assume all non-specified return codes are failed in commands promises (Redmine #5986) - cf-serverd logs reconfiguration message to NOTICE (was INFO) so that it's always logged in syslog Bug fixes: @@ -2240,23 +2239,23 @@ Changes: - Changes to logging output - - add process name and pid in syslog message (GitHub #789) - - cf-serverd logging levels are now more standardised: - - INFO logs only failures - - VERBOSE logs successful requests as well - - DEBUG logs actual protocol traffic. - - cf-serverd now logs the relevant client IP address on - each message. - - Logging contexts to local database (cf_classes.tcdb) has been deprecated. - - 'usebundle' promisees are logged for all the bundle promises - - output from 'reports' promises has nothing prefixed except 'R: ' - - a log line with stack path is generated when the promise type evaluated changes + - Add process name and pid in syslog message (GitHub #789) + - cf-serverd logging levels are now more standardised: + - INFO logs only failures + - VERBOSE logs successful requests as well + - DEBUG logs actual protocol traffic. + - cf-serverd now logs the relevant client IP address on + each message. + - Logging contexts to local database (cf_classes.tcdb) has been deprecated. + - 'usebundle' promisees are logged for all the bundle promises + - output from 'reports' promises has nothing prefixed except 'R: ' + - a log line with stack path is generated when the promise type evaluated changes - LMDB (symas.com/mdb) is the default database for local data storage : use version 0.9.9 or later cf-agent --self-diagnostics (-x) is only implemented for TCDB, not for LMDB - port argument in readtcp() and selectservers() may be a service name (e.g. "http", "pop3"). - Enable source file in agent copy_from promises to be a relative path. - - file "changes" reporting now reports with log level "notice", instead of "error". + - file "changes" reporting now reports with log level "notice", instead of "error". - process_results default to AND'ing of set attributes if not specified (Redmine #3224) - interface is now canonified in sys.hardware_mac[interface] to align with sys.ipv4[interface] (Redmine #3418) @@ -2264,182 +2263,182 @@ - Linux flavor "SUSE" now correctly spelled with all uppercase in variables and class names (Redmine #3734). The "suse" lowercase version is also provided for convenience (Redmine #5417). - $(this.promise_filename) and $(..._dirname) variables are now absolute paths. (Redmine #3839) - - including the same file multiple times in 'body control inputs' is not an error + - Including the same file multiple times in 'body control inputs' is not an error - portnumber in body copy_from now supports service names like "cfengine", "pop3" etc, check /etc/services for more. - The failsafe.cf policy, run on bootstrap and in some other unusual cases, has been extracted from C code into libpromises/failsafe.cf - masterfiles - - cf_promises_validated is now in JSON format - - timestamp key is timestamp (sec since unix epoch) of last time validated - - the masterfiles now come from https://github.com/cfengine/masterfiles and are - not in the core repository + - cf_promises_validated is now in JSON format + - timestamp key is timestamp (sec since unix epoch) of last time validated + - the masterfiles now come from https://github.com/cfengine/masterfiles and are + not in the core repository - cf-serverd calls cf-agent with -Dcfruncommand when executing cf-runagent requests - - Mark as removed: promise_notkept_log_include, promise_notkept_log_exclude, promise_repaired_log_include, - promise_repaired_log_exclude, classes_include, classes_exclude, variables_include, - variables_exclude attributes from report_data_select body (syntax is valid but not functional). - They have been replaced by the following attributes: promise_handle_include, - promise_handle_exclude, metatags_include, metatags_exclude. + - Mark as removed: promise_notkept_log_include, promise_notkept_log_exclude, promise_repaired_log_include, + promise_repaired_log_exclude, classes_include, classes_exclude, variables_include, + variables_exclude attributes from report_data_select body (syntax is valid but not functional). + They have been replaced by the following attributes: promise_handle_include, + promise_handle_exclude, metatags_include, metatags_exclude. New features: - New promise type "users" for managing local user accounts. - TLS authentication and fully encrypted network protocol. Additions specific to the new type of connections: - - New attribute "allowlegacyconnects" in body server control, - which enables serving policy via non-latest cfengine protocol, - to the given list of hosts. If the option is absent, it - defaults to allow all hosts. To refuse non-TLS connections, - specify an empty list. - - New attribute "protocol_version" in body copy_from, and body - common control, which defines the preferred protocol for - outgoing connections.. Allowed values at the moment: "0" or - "undefined", "classic" or "1", "latest" or "2". By leaving the - copy_from option as undefined the common control option is - used, and if both are undefined then classic protocol is used - by default. - - The new networking protocol uses TLS for authentication, - after which all dialog is encrypted within the established - TLS session. cf-serverd is still able to speak the legacy - protocol with old agents. - - The 'skipverify' option in 'body server control' is - deprecated and only left for compatibility; it does - nothing - - cf-serverd does not hang up the connection if some request - fails, so that the client can add more requests. - - For the connections using the new protocol, all of the - paths in bundle server access_rules now differentiate - between a directory and a file using the trailing - slash. If the path exists then this is auto-detected and - trailing slash appended automatically. You have to append - a trailing slash manually to an inexistent or symbolic - path (e.g. "/path/to/$(connection.ip)/") to force - recursive access. + - New attribute "allowlegacyconnects" in body server control, + which enables serving policy via non-latest CFEngine protocol, + to the given list of hosts. If the option is absent, it + defaults to allow all hosts. To refuse non-TLS connections, + specify an empty list. + - New attribute "protocol_version" in body copy_from, and body + common control, which defines the preferred protocol for + outgoing connections.. Allowed values at the moment: "0" or + "undefined", "classic" or "1", "latest" or "2". By leaving the + copy_from option as undefined the common control option is + used, and if both are undefined then classic protocol is used + by default. + - The new networking protocol uses TLS for authentication, + after which all dialog is encrypted within the established + TLS session. cf-serverd is still able to speak the legacy + protocol with old agents. + - The 'skipverify' option in 'body server control' is + deprecated and only left for compatibility; it does + nothing + - cf-serverd does not hang up the connection if some request + fails, so that the client can add more requests. + - For the connections using the new protocol, all of the + paths in bundle server access_rules now differentiate + between a directory and a file using the trailing + slash. If the path exists then this is auto-detected and + trailing slash appended automatically. You have to append + a trailing slash manually to an inexistent or symbolic + path (e.g. "/path/to/$(connection.ip)/") to force + recursive access. - New in 'access' promises for 'bundle server access_rules' - - Attributes "admit_ips", "admit_hostnames", "admit_keys", - "deny_ips", "deny_hostnames", "deny_keys" - - "admit_keys" and "deny_keys" add the new functionality - of controlling access according to host identity, - regardless of the connecting IP. - - For these new attributes, regular expressions - are not allowed, only CIDR notation for "admit/deny_ips", exact - "SHA=..." strings for "admit/deny_keys", and exact hostnames - (e.g. "cfengine.com") or subdomains (starting with dot, - e.g. ".cfengine.com") for "admit/deny"_hostnames. Same rules - apply to 'deny_*' attributes. - - These new constraints and the paths in access_rules, can contain - special variables "$(connection.ip)", "$(connection.hostname)", - "$(connection.key)", which are expanded dynamically for every - received connection. - - For connections using the new protocol, "admit" and "deny" - constraints in bundle server access_rules are being phased - out, preferred attributes are now "admit_ips", "deny_ips", - "admit_hostnames", "deny_hostnames", "admit_keys", - "deny_keys". - - New "shortcut" attribute in bundle server access_rules used to - dynamically expand non-absolute request paths. + - Attributes "admit_ips", "admit_hostnames", "admit_keys", + "deny_ips", "deny_hostnames", "deny_keys" + - "admit_keys" and "deny_keys" add the new functionality + of controlling access according to host identity, + regardless of the connecting IP. + - For these new attributes, regular expressions + are not allowed, only CIDR notation for "admit/deny_ips", exact + "SHA=..." strings for "admit/deny_keys", and exact hostnames + (e.g. "cfengine.com") or subdomains (starting with dot, + e.g. ".cfengine.com") for "admit/deny"_hostnames. Same rules + apply to 'deny_*' attributes. + - These new constraints and the paths in access_rules, can contain + special variables "$(connection.ip)", "$(connection.hostname)", + "$(connection.key)", which are expanded dynamically for every + received connection. + - For connections using the new protocol, "admit" and "deny" + constraints in bundle server access_rules are being phased + out, preferred attributes are now "admit_ips", "deny_ips", + "admit_hostnames", "deny_hostnames", "admit_keys", + "deny_keys". + - New "shortcut" attribute in bundle server access_rules used to + dynamically expand non-absolute request paths. - masterfiles - - standard library split: lib/3.5 (compatibility) and lib/3.6 (mainline) - - many standard library bundles and bodies, especially packages- and file-related, - were revised and fixed - - supports both Community and Enterprise - - new 'inventory/' structure to provide OS, dmidecode, LSB, etc. system inventory - (configured mainly in def.cf) - - cf_promises_release_id contains the policy release ID which is the GIT HEAD SHA - if available or hash of tree - - a bunch'o'bundles to make starting with CFEngine easier: - - file-related: file_mustache, file_mustache_jsonstring, file_tidy, dir_sync, file_copy, - file_link, file_hardlink, file_empty, file_make - - packages-related: package_absent, package_present, package_latest, - package_specific_present, package_specific_absent, package_specific_latest, package_specific - - XML-related: xml_insert_tree_nopath, xml_insert_tree, xml_set_value, xml_set_attribute - - VCS-related: git_init, git_add, git_checkout, git_checkout_new_branch, - git_clean, git_stash, git_stash_and_clean, git_commit, git - - process-related: process_kill - - other: cmerge, url_ping, logrotate, prunedir + - standard library split: lib/3.5 (compatibility) and lib/3.6 (mainline) + - many standard library bundles and bodies, especially packages- and file-related, + were revised and fixed + - supports both Community and Enterprise + - new 'inventory/' structure to provide OS, dmidecode, LSB, etc. system inventory + (configured mainly in def.cf) + - cf_promises_release_id contains the policy release ID which is the GIT HEAD SHA + if available or hash of tree + - a bunch'o'bundles to make starting with CFEngine easier: + - file-related: file_mustache, file_mustache_jsonstring, file_tidy, dir_sync, file_copy, + file_link, file_hardlink, file_empty, file_make + - packages-related: package_absent, package_present, package_latest, + package_specific_present, package_specific_absent, package_specific_latest, package_specific + - XML-related: xml_insert_tree_nopath, xml_insert_tree, xml_set_value, xml_set_attribute + - VCS-related: git_init, git_add, git_checkout, git_checkout_new_branch, + git_clean, git_stash, git_stash_and_clean, git_commit, git + - process-related: process_kill + - other: cmerge, url_ping, logrotate, prunedir - New command line options for agent binaries - - New options to cf-promises - - '--show-classes' and '--show-vars' - - '--eval-functions' controls whether cf-promises should evaluate functions - - Colorized output for agent binaries with command line option '--color' - (auto-enabled if you set CFENGINE_COLOR=1) + - New options to cf-promises + - '--show-classes' and '--show-vars' + - '--eval-functions' controls whether cf-promises should evaluate functions + - Colorized output for agent binaries with command line option '--color' + (auto-enabled if you set CFENGINE_COLOR=1) - New language features - - New variable type 'data' for handling of structured data (ie JSON), - including supporting functions: - - 'data_readstringarray' - read a delimited file into a data map - - 'data_readstringarrayidx' - read a delimited file into a data array - - 'datastate' - create a data variable with currently set classes and variables - - 'datatype' - determine the type of the top element of a container - - 'format' - %S can be used to serialize 'data' containers into a string - - 'mergedata' - merge two data containers, slists/ilists/rlists, or "classic" - arrays into a data container - - 'parsejson' - create a data container from a JSON string - - 'readjson' - create a data container from a file that contains JSON - - 'storejson' - serialize a data container into a string - - Most functions operating on lists can also operate on data containers - - pass a data container to a bundle with the @(container) notation - - the module protocol accepts JSON for data containers with the '%' sigil + - New variable type 'data' for handling of structured data (ie JSON), + including supporting functions: + - 'data_readstringarray' - read a delimited file into a data map + - 'data_readstringarrayidx' - read a delimited file into a data array + - 'datastate' - create a data variable with currently set classes and variables + - 'datatype' - determine the type of the top element of a container + - 'format' - %S can be used to serialize 'data' containers into a string + - 'mergedata' - merge two data containers, slists/ilists/rlists, or "classic" + arrays into a data container + - 'parsejson' - create a data container from a JSON string + - 'readjson' - create a data container from a file that contains JSON + - 'storejson' - serialize a data container into a string + - Most functions operating on lists can also operate on data containers + - pass a data container to a bundle with the @(container) notation + - the module protocol accepts JSON for data containers with the '%' sigil - Tagging of classes and variables allows annotating of language construct with meta data; supporting functionality: - - The module protocol in 'commands' promises has been extended to allow setting - of tags of created variables and classes, and the context of created variables - - 'getclassmetatags' - returns list of meta tags for a class - - 'getvariablemetatags' - returns list of meta tags for a variable + - The module protocol in 'commands' promises has been extended to allow setting + of tags of created variables and classes, and the context of created variables + - 'getclassmetatags' - returns list of meta tags for a class + - 'getvariablemetatags' - returns list of meta tags for a variable - 'body file control' has an 'inputs' attribute to include library files and other dependencies - bundlesequences can be built with bundlesmatching() based on bundle name and tags - New attributes in existing promise types and bodies - - New option 'preserve_all_lines' for insert_type in insert_lines promises - - Caching of expensive system functions to avoid multiple executions of - execresult() etc, can be controlled via cache_system_functions attribute in - body common control - - New option 'mailsubject' in body executor control allows defining the subject - in emails sent by CFEngine - - Support for Mustache templates in 'files' promises; use 'template_method' and - 'template_data' attributes. Without 'template_data' specified, uses datastate(). + - New option 'preserve_all_lines' for insert_type in insert_lines promises + - Caching of expensive system functions to avoid multiple executions of + execresult() etc, can be controlled via cache_system_functions attribute in + body common control + - New option 'mailsubject' in body executor control allows defining the subject + in emails sent by CFEngine + - Support for Mustache templates in 'files' promises; use 'template_method' and + 'template_data' attributes. Without 'template_data' specified, uses datastate(). - New and improved functions - - 'bundlesmatching' - returns list of defined bundles matching a regex and tags - - 'canonifyuniquely' - converts a string into a unique, legal class name - - 'classesmatching' - returns list of set classes matching a regex and tags - - 'eval' - evaluates mathematical expressions; knows SI k, m, g quantifiers, e.g. "100k" - - 'findfiles' - list files matching a search pattern; use "**" for recursive searches - - 'makerule' - evaluates whether a target file needs to be rebuilt from sources - - 'max', 'min' - returns maximum and minimum of the numbers in a container or list - (sorted by a 'sort' method) - - 'mean' - returns the mean of the numbers in a container or list - - 'nth' - learned to look up by key in a data container holding a map - - 'packagesmatching' - returns a filtered list of installed packages. - - 'readfile' - learned to read system files of unknown size like those in /proc - - 'sort' - can sort lexicographically, numerically (int or real), by IP, or by MAC - - 'string_downcase', 'string_upcase' - returns the lower-/upper-case version of a - string - - 'string_head', 'string_tail' - returns the beginning/end of a string - - 'string_length' - returns the length of a string - - 'string_reverse' - reverses a string - - 'string_split' - improved implementation, deprecates 'splitstring' - - 'variablesmatching' - returns a list of variables matching a regex and tags - - 'variance' - returns the variance of numbers in a list or container + - 'bundlesmatching' - returns list of defined bundles matching a regex and tags + - 'canonifyuniquely' - converts a string into a unique, legal class name + - 'classesmatching' - returns list of set classes matching a regex and tags + - 'eval' - evaluates mathematical expressions; knows SI k, m, g quantifiers, e.g. "100k" + - 'findfiles' - list files matching a search pattern; use "**" for recursive searches + - 'makerule' - evaluates whether a target file needs to be rebuilt from sources + - 'max', 'min' - returns maximum and minimum of the numbers in a container or list + (sorted by a 'sort' method) + - 'mean' - returns the mean of the numbers in a container or list + - 'nth' - learned to look up by key in a data container holding a map + - 'packagesmatching' - returns a filtered list of installed packages. + - 'readfile' - learned to read system files of unknown size like those in /proc + - 'sort' - can sort lexicographically, numerically (int or real), by IP, or by MAC + - 'string_downcase', 'string_upcase' - returns the lower-/upper-case version of a + string + - 'string_head', 'string_tail' - returns the beginning/end of a string + - 'string_length' - returns the length of a string + - 'string_reverse' - reverses a string + - 'string_split' - improved implementation, deprecates 'splitstring' + - 'variablesmatching' - returns a list of variables matching a regex and tags + - 'variance' - returns the variance of numbers in a list or container - New hard classes - - Introduced alias 'policy_server' for context 'am_policy_hub' (the latter will - be deprecated) - - all the time-based classes have GMT equivalents + - Introduced alias 'policy_server' for context 'am_policy_hub' (the latter will + be deprecated) + - all the time-based classes have GMT equivalents - New variables - - 'sys.bindir' - the location of the CFEngine binaries - - 'sys.failsafe_policy_path' - the location of the failsafe policy file - - 'sys.inputdir' - the directory where CFEngine searches for policy files - - 'sys.key_digest' - the digest of the host's cryptographic key - - 'sys.libdir', 'sys.local_libdir' - the location of the CFEngine libraries - - 'sys.logdir' - the directory where the CFEngine log files are saved - - 'sys.masterdir' - the location of masterfiles on the policy server - - 'sys.piddir' - the directory where the daemon pid files are saved - - 'sys.sysday' - the number of days since the beginning of the UNIX epoch - - 'sys.systime' - the number of seconds since the beginning of the UNIX epoch - - 'sys.update_policy_path' - the name of the update policy file - - 'sys.uptime' - the number of minutes the host has been online - - 'this.promise_dirname' - the name of the file in which the current promise - is defined - - 'this.promiser_uid' - the ID of the user running cf-agent - - 'this.promiser_gid' - the group ID of the user running cf-agent - - 'this.promiser_ppid' - the ID of the parent process running cf-agent + - 'sys.bindir' - the location of the CFEngine binaries + - 'sys.failsafe_policy_path' - the location of the failsafe policy file + - 'sys.inputdir' - the directory where CFEngine searches for policy files + - 'sys.key_digest' - the digest of the host's cryptographic key + - 'sys.libdir', 'sys.local_libdir' - the location of the CFEngine libraries + - 'sys.logdir' - the directory where the CFEngine log files are saved + - 'sys.masterdir' - the location of masterfiles on the policy server + - 'sys.piddir' - the directory where the daemon pid files are saved + - 'sys.sysday' - the number of days since the beginning of the UNIX epoch + - 'sys.systime' - the number of seconds since the beginning of the UNIX epoch + - 'sys.update_policy_path' - the name of the update policy file + - 'sys.uptime' - the number of minutes the host has been online + - 'this.promise_dirname' - the name of the file in which the current promise + is defined + - 'this.promiser_uid' - the ID of the user running cf-agent + - 'this.promiser_gid' - the group ID of the user running cf-agent + - 'this.promiser_ppid' - the ID of the parent process running cf-agent Deprecations: - 'splitstring' - deprecated by 'string_split' @@ -2447,349 +2446,299 @@ - 'skipverify' Bug fixes: for a complete list of fixed bugs, see Redmine at https://cfengine.com/dev - - various fixes in evaluation and variable resolution + - Various fixes in evaluation and variable resolution - Improve performance of list iteration (Redmine #1875) - Removed limitation of input length to internal buffer sizes - - directories ending with "/" are not ignored - - lsdir() always return a list now, never a scalar + - directories ending with "/" are not ignored + - lsdir() always return a list now, never a scalar - 'abortclasses' fixed to work in common bundles and other cases - - namespaced 'edit_line' bundles now work (Redmine#3781) - - lists are interpolated in correct order (Redmine#3122) + - Namespaced 'edit_line' bundles now work (Redmine#3781) + - Lists are interpolated in correct order (Redmine#3122) - cf-serverd reloads policies properly when they change - - lots of leaks (memory and file descriptor) fixed + - Lots of leaks (memory and file descriptor) fixed 3.5.3 - Changes: - - Improved security checks of symlink ownership. A symlink created by a user pointing - to resources owned by a different user will no longer be followed. - - Changed the way package versions are compared in package promises. (Redmine #3314) - In previous versions the comparison was inconsistent. This has been fixed, but may - also lead to behavior changes in certain cases. In CFEngine 3.5.3, the comparison - works as follows: - - For instance: - apache-2.2.31 ">=" "2.2.0" - will result in the package being installed. - - Bug fixes: - - fix cf-monitord crash due to incorrect array initialization (Redmine #3180) - - fix cf-serverd stat()'ing the file tree every second (Redmine #3479) - - correctly populate sys.hardware_addresses variable (Redmine #2936) - - add support for Debian's GNU/kfreebsd to build system (Redmine #3500) - - fix possible stack corruption in guest_environments promises (Redmine #3552) - - work-around hostname trunctation in HP-UX's uname (Redmine #3517) - - fix body copy purging of empty directories (Redmine #3429) - - make discovery and loading of avahi libraries more robust - - compile and packaging fixes for HP-UX, AIX and Solaris - - fix fatal error in lsdir() when directory doesn't exist (Redmine #3273) - - fix epoch calculation for stime inrange calculation (Redmine #2921) + Changes: + - Improved security checks of symlink ownership. A symlink created by a user pointing + to resources owned by a different user will no longer be followed. + - Changed the way package versions are compared in package promises. (Redmine #3314) + In previous versions the comparison was inconsistent. This has been fixed, but may + also lead to behavior changes in certain cases. In CFEngine 3.5.3, the comparison + works as follows: + + For instance: + apache-2.2.31 ">=" "2.2.0" + will result in the package being installed. + + Bug fixes: + - Fix cf-monitord crash due to incorrect array initialization (Redmine #3180) + - Fix cf-serverd stat()'ing the file tree every second (Redmine #3479) + - Correctly populate sys.hardware_addresses variable (Redmine #2936) + - Add support for Debian's GNU/kfreebsd to build system (Redmine #3500) + - Fix possible stack corruption in guest_environments promises (Redmine #3552) + - Work-around hostname trunctation in HP-UX's uname (Redmine #3517) + - Fix body copy purging of empty directories (Redmine #3429) + - Make discovery and loading of avahi libraries more robust + - Compile and packaging fixes for HP-UX, AIX and Solaris + - Fix fatal error in lsdir() when directory doesn't exist (Redmine #3273) + - Fix epoch calculation for stime inrange calculation (Redmine #2921) 3.5.2 - Bug fixes: - - fix delayed abortclasses checking (Redmine #2316, #3114, #3003) - - fix maplist arguments bug (Redmine #3256) - - fix segfaults in cf-pomises (Redmine #3173, 3194) - - fix build on Solaris 10/SmartOS (Redmine #3097) - - sanitize characters from /etc/issue in sys.flavor for Debian (Redmine #2988) - - Fix segfault when dealing with files or data > 4K (Redmine #2912, 2698) - - Don't truncate keys to 126 characters in getindices (Redmine #2626) - - files created via log_* actions now have mode 600 (Redmine #1578) - - fix wrong log message when a promise is ignored due to 'ifvarclass' not matching - - fix lifetime of persistent classes (Redmine #3259) - - fix segfault when process_select body had no process_result attribute - Default to AND'ed expression of all specified attributes (Redmine #3224) - - include system message in output when acl promises fail - - fix invocation of standard_services bundle and corresponding promise compliance (Redmine #2869) + Bug fixes: + - Fix delayed abortclasses checking (Redmine #2316, #3114, #3003) + - Fix maplist arguments bug (Redmine #3256) + - Fix segfaults in cf-pomises (Redmine #3173, 3194) + - Fix build on Solaris 10/SmartOS (Redmine #3097) + - Sanitize characters from /etc/issue in sys.flavor for Debian (Redmine #2988) + - Fix segfault when dealing with files or data > 4K (Redmine #2912, 2698) + - Don't truncate keys to 126 characters in getindices (Redmine #2626) + - Files created via log_* actions now have mode 600 (Redmine #1578) + - Fix wrong log message when a promise is ignored due to 'ifvarclass' not matching + - Fix lifetime of persistent classes (Redmine #3259) + - Fix segfault when process_select body had no process_result attribute + Default to AND'ed expression of all specified attributes (Redmine #3224) + - Include system message in output when acl promises fail + - Fix invocation of standard_services bundle and corresponding promise compliance (Redmine #2869) 3.5.1 - Changes: - - file changes are logged with log level Notice, not Error - - the CFEngine Standard Library in masterfiles/libraries is now split into - promise-type specific policy files, and lives in a version-specific directory. - This should have no impact on current code, but allows more granular include of - needed stdlib elements (Redmine #3044) - - Bug fixes: - - fix recursive copying of files (Redmine #2965) - - respect classes in templates (Redmine ##2928) - - fix timestamps on Windows (Redmine #2933) - - fix non-root cf-agent flooding syslog (Redmine #2980) - - fix email flood from cf-execd due to timestamps in agent output (Redmine #3011) - - Preserve security context when editing or copying local files (Redmine #2728) - - fix path for sys.crontab on redhat systems (Redmine #2553) - - prevent incorrect "insert_lines promise uses the same select_line_matching anchor" warning (Redmine #2778) - - Fix regression of setting VIPADDRESS to 127.0.0.1 (Redmine #3010) - - Fix "changes" promise not receiving status when file is missing (Redmine #2820) - - Fix symlinks being destroyed when editing them (Redmine #2363) - - Fix missing "promise kept" status for the last line in a file (Redmine #2943) + Changes: + - File changes are logged with log level Notice, not Error + - The CFEngine Standard Library in masterfiles/libraries is now split into + promise-type specific policy files, and lives in a version-specific directory. + This should have no impact on current code, but allows more granular include of + needed stdlib elements (Redmine #3044) + + Bug fixes: + - Fix recursive copying of files (Redmine #2965) + - Respect classes in templates (Redmine ##2928) + - Fix timestamps on Windows (Redmine #2933) + - Fix non-root cf-agent flooding syslog (Redmine #2980) + - Fix email flood from cf-execd due to timestamps in agent output (Redmine #3011) + - Preserve security context when editing or copying local files (Redmine #2728) + - Fix path for sys.crontab on redhat systems (Redmine #2553) + - Prevent incorrect "insert_lines promise uses the same select_line_matching anchor" warning (Redmine #2778) + - Fix regression of setting VIPADDRESS to 127.0.0.1 (Redmine #3010) + - Fix "changes" promise not receiving status when file is missing (Redmine #2820) + - Fix symlinks being destroyed when editing them (Redmine #2363) + - Fix missing "promise kept" status for the last line in a file (Redmine #2943) 3.5.0 - New features: - - classes promises now take an optional scope constraint. - - new built-in functions: every, none, some, nth, sublist, uniq, filter - - every - - none - - some - - nth - - sublist - - uniq - - filter - - classesmatching - - strftime - - filestat - - ifelse - - maparray - - format - - cf-promises flag --parse-tree is replaced by --policy-output-format=, requiring the + New features: + - classes promises now take an optional scope constraint. + - New built-in functions: every, none, some, nth, sublist, uniq, filter + - every + - none + - some + - nth + - sublist + - uniq + - filter + - classesmatching + - strftime + - filestat + - ifelse + - maparray + - format + - cf-promises flag --parse-tree is replaced by --policy-output-format=, requiring the user to specify the output format (none, cf, json) - - cf-promises allows partial check of policy (without body common control) without integrity check; + - cf-promises allows partial check of policy (without body common control) without integrity check; --full-check enforces integrity check - - agent binaries support JSON input format (.json file as generated by cf-promises) - - cf-key: new options --trust-key/-t and --print-digest/-p - - Class "failsafe_fallback" is defined in failsafe.cf when main policy contains errors and - failsafe is run because of this - - add scope attribute for body classes (Redmine #2013) - - Better diagnostics of parsing errors - - Error messages from parser now show the context of error - - new cf-agent option: --self-diagnostics - - new output format, and --legacy-output - - warnings for cf-promises. - - Enable zeroconf-discovery of policy hubs for automatic bootstrapping - if Avahi is present - - Support for sys.cpus on more platforms than Linux & HPUX - - Changes: - - parser no longer allows ',' after promiser or promisee. must be either ';' or lval - - Make parser output in GCC compatible format the only supported format - (remove --gcc-brief-format flag) - - - Silence license warnings in Enterprise Free25 installations - - action_policy => "warn" causes not_kept classes to be set on promise needing repair. - - command line option version (-V) now prints a shorter parsable version without graphic - - implicit execution of server and common bundles taking arguments is skipped in cf-serverd. - - WARNING: option --policy-server removed, require option to --bootstrap instead - - process promises don't log if processes are out of range unless you - run in verbose mode - - reports promises are now allowed in any context (Redmine #2005) - - cf-report has been removed - - cf-execd: --once implies --no-fork - - Version info removed from mail subject in the emails sent by cf-execd. - The subject will only contain "[fqname/ipaddress]" instead of "communnity/nova [fqname/ipaddress]" - Please change your email filters accordingly if necessary. - - "outputs" promise type is retired. Their semantics was not clear, and the functionality - is better suited for control body setting, not a promise. - - Tokyo Cabinet databases are now automatically checked for - correctness during opening. It should prevent a number of issues - with corrupted TC databases causing binaries to hang. - - Improved ACL handling on Windows, which led to some syntax changes. We now consistently - use the term "default" to describe ACLs that can be inherited by child objects. These - keywords have received new names: - acl_directory_inherit -> acl_default - specify_inherit_aces -> specify_default_aces - The old keywords are deprecated, but still valid. In addition, a new keyword - "acl_inherit" controls inheritance behavior on Windows. This feature does not exist on - Unix platforms. (Redmine #1832) - - Networking code is moved from libpromises to its own library, - libcfnet. Work has begun on making the API more sane and thread-safe. - Lots of legacy code was removed. - - Add getaddrinfo() replacement in libcompat (borrowed from PostgreSQL). - - Replace old deprecated and non thread-safe resolver calls with - getaddrinfo() and getnameinfo(). - - Hostname2IPString(), IPString2Hostname() are now thread-safe, and are - returning error when resolution fails. - - Running cf-execd --once now implies --no-fork, and also does not wait - for splaytime to pass. - - execresult(), returnszero() and commands promises no longer requires the first word - word to be an absolute path when using the shell. (Part of Redmine #2143) - - commands promises useshell attribute now accepts "noshell" and "useshell" values. Boolean - values are accepted but deprecated. (Part of Redmine #2143) - - returnszero() now correctly sets the class name in this scenario (Part of - Redmine #2143): - classes: - "commandfailed" not => returnszero("/bin/nosuchcommand", "noshell"); - - Bugfixes: - - bundles are allowed to be empty (Redmine #2411) - - Fixed '.' and '-' not being accepted by a commands module. (Redmine #2384) - - Correct parsing of list variables by a command module. (Redmine #2239) - - Fixed issue with package management and warn. (Redmine #1831) - - Fixed JSON crash. (Redmine #2151) - - Improved error checking when using fgets(). (Redmine #2451) - - Fixed error message when deleting nonexistent files. (Redmine #2448) - - Honor warn-only when purging from local directory. (Redmine #2162) - - Make sure "restart" and "reload" are recognized keywords in packages. (Redmine #2468) - - Allocate memory dynamically to avoid out-of-buffer or out-of-hash - situations - - fix edit_xml update of existing attributes (Redmine #2034) - - use failsafe policy from compile-time specified workdir (Redmine #1991) - - ifvarclass checked from classes promises in common bundles - - do not wait for splaytime when executing only once - - disable xml editing functionality when libxml2 doesn't provide necessary APIs (Redmine #1937) - - Out-of-tree builds should work again, fixed a bunch of related bugs. - - Fixed race condition in file editing. (Redmine #2545) - - Fixed memory leak in cf-serverd and others (Redmine #1758) - -3.4.5 (Bugfix and Stability release) - - Bugfixes: - - - make qualified arrays expand correcty (Redmine #1998, Mantis #1128) - - - correct possible errors in tcdb files when opening - - - avoid possible db corruption when mixing read/write and cursor operations - - - Allow umask value of 002 (Redmine #2496) - -3.4.4 (Bugfix and Stability release) - - Bugfixes: - - - prevent possible crash when archiving files (GitHub #316) - - - don't create symlinks to cf-know in update policy - - - don't enable xml support if libxml2 is too old (Redmine #1937) - -3.4.3 (Bugfix and Stability release) - - Bugfixes: + - Agent binaries support JSON input format (.json file as generated by cf-promises) + - cf-key: new options --trust-key/-t and --print-digest/-p + - Class "failsafe_fallback" is defined in failsafe.cf when main policy contains errors and + failsafe is run because of this + - Add scope attribute for body classes (Redmine #2013) + - Better diagnostics of parsing errors + - Error messages from parser now show the context of error + - New cf-agent option: --self-diagnostics + - New output format, and --legacy-output + - Warnings for cf-promises. + - Enable zeroconf-discovery of policy hubs for automatic bootstrapping + if Avahi is present + - Support for sys.cpus on more platforms than Linux & HPUX - - Don't flood error messages when processes are out of defined range - - - prevent segmentation fault in cf-monitord -x (Redmine #2021) - - - when copying files, use same file mode as source file, rather than 0600 (Redmine #1804) - - - include xpath in messages generated by edit_xml operations (Redmine #2057) - -3.4.2 (Bugfix and Stability release) - - Bugfixes: - - - Fixes to policies in masterfiles (see masterfiles/Changelog for details) - - - Fixes for OpenBSD (GitHub #278) - - - Do not canonify values specified in abortbundleclasses/abortclasses (Redmine #1786) - - - Fix build issues on NetBSD, SLES 12.2 + Changes: + - Parser no longer allows ',' after promiser or promisee. must be either ';' or lval + - Make parser output in GCC compatible format the only supported format + (remove --gcc-brief-format flag) + + - Silence license warnings in Enterprise Free25 installations + - action_policy => "warn" causes not_kept classes to be set on promise needing repair. + - Command line option version (-V) now prints a shorter parsable version without graphic + - Implicit execution of server and common bundles taking arguments is skipped in cf-serverd. + - WARNING: option --policy-server removed, require option to --bootstrap instead + - process promises don't log if processes are out of range unless you + run in verbose mode + - reports promises are now allowed in any context (Redmine #2005) + - cf-report has been removed + - cf-execd: --once implies --no-fork + - Version info removed from mail subject in the emails sent by cf-execd. + The subject will only contain "[fqname/ipaddress]" instead of "communnity/nova [fqname/ipaddress]" + Please change your email filters accordingly if necessary. + - "outputs" promise type is retired. Their semantics was not clear, and the functionality + is better suited for control body setting, not a promise. + - Tokyo Cabinet databases are now automatically checked for + correctness during opening. It should prevent a number of issues + with corrupted TC databases causing binaries to hang. + - Improved ACL handling on Windows, which led to some syntax changes. We now consistently + use the term "default" to describe ACLs that can be inherited by child objects. These + keywords have received new names: + acl_directory_inherit -> acl_default + specify_inherit_aces -> specify_default_aces + The old keywords are deprecated, but still valid. In addition, a new keyword + "acl_inherit" controls inheritance behavior on Windows. This feature does not exist on + Unix platforms. (Redmine #1832) + - Networking code is moved from libpromises to its own library, + libcfnet. Work has begun on making the API more sane and thread-safe. + Lots of legacy code was removed. + - Add getaddrinfo() replacement in libcompat (borrowed from PostgreSQL). + - Replace old deprecated and non thread-safe resolver calls with + getaddrinfo() and getnameinfo(). + - Hostname2IPString(), IPString2Hostname() are now thread-safe, and are + returning error when resolution fails. + - Running cf-execd --once now implies --no-fork, and also does not wait + for splaytime to pass. + - execresult(), returnszero() and commands promises no longer requires the first word + word to be an absolute path when using the shell. (Part of Redmine #2143) + - commands promises useshell attribute now accepts "noshell" and "useshell" values. Boolean + values are accepted but deprecated. (Part of Redmine #2143) + - returnszero() now correctly sets the class name in this scenario (Part of + Redmine #2143): + classes: + "commandfailed" not => returnszero("/bin/nosuchcommand", "noshell"); - - Improve error message when libxml2 support is not compiled (Redmine #1799) + Bugfixes: + - Bundles are allowed to be empty (Redmine #2411) + - Fixed '.' and '-' not being accepted by a commands module. (Redmine #2384) + - Correct parsing of list variables by a command module. (Redmine #2239) + - Fixed issue with package management and warn. (Redmine #1831) + - Fixed JSON crash. (Redmine #2151) + - Improved error checking when using fgets(). (Redmine #2451) + - Fixed error message when deleting nonexistent files. (Redmine #2448) + - Honor warn-only when purging from local directory. (Redmine #2162) + - Make sure "restart" and "reload" are recognized keywords in packages. (Redmine #2468) + - Allocate memory dynamically to avoid out-of-buffer or out-of-hash + situations + - Fix edit_xml update of existing attributes (Redmine #2034) + - Use failsafe policy from compile-time specified workdir (Redmine #1991) + - ifvarclass checked from classes promises in common bundles + - Do not wait for splaytime when executing only once + - Disable xml editing functionality when libxml2 doesn't provide necessary APIs (Redmine #1937) + - Out-of-tree builds should work again, fixed a bunch of related bugs. + - Fixed race condition in file editing. (Redmine #2545) + - Fixed memory leak in cf-serverd and others (Redmine #1758) + +3.4.5: (Bugfix and stability release) - - fix potential segmentation fault when trimming network socket data (GitHub #233) + Bugfixes: + - Make qualified arrays expand correcty (Redmine #1998, Mantis #1128) + - Correct possible errors in tcdb files when opening + - Avoid possible db corruption when mixing read/write and cursor operations + - Allow umask value of 002 (Redmine #2496) - - fix potential segmentation fault when address-lookups in lastseen db failed (GitHub #233) +3.4.4: (Bugfix and stability release) - - execute background promise serially when max_children was reached, rather - than skipping them (GitHub #233) + Bugfixes: + - Prevent possible crash when archiving files (GitHub #316) + - Don't create symlinks to cf-know in update policy + - Don't enable xml support if libxml2 is too old (Redmine #1937) - - fix segmentation fault in cf-promises when invoked with --reports (Redmine #1931) +3.4.3: (Bugfix and stability release) - - fix compilation with Sun Studio 12 (Redmine #1901) + Bugfixes: + - Don't flood error messages when processes are out of defined range + - Prevent segmentation fault in cf-monitord -x (Redmine #2021) + - When copying files, use same file mode as source file, rather than 0600 (Redmine #1804) + - Include xpath in messages generated by edit_xml operations (Redmine #2057) - - silence type-pun warning when building on HP-UX (GitHub #287) +3.4.2: (Bugfix and stability release) -3.4.1 (Bugfix and Stability release) + Bugfixes: + - Fixes to policies in masterfiles (see masterfiles/Changelog for details) + - Fixes for OpenBSD (GitHub #278) + - Do not canonify values specified in abortbundleclasses/abortclasses (Redmine #1786) + - Fix build issues on NetBSD, SLES 12.2 + - Improve error message when libxml2 support is not compiled (Redmine #1799) + - Fix potential segmentation fault when trimming network socket data (GitHub #233) + - Fix potential segmentation fault when address-lookups in lastseen db failed (GitHub #233) + - Execute background promise serially when max_children was reached, rather + than skipping them (GitHub #233) + - Fix segmentation fault in cf-promises when invoked with --reports (Redmine #1931) + - Fix compilation with Sun Studio 12 (Redmine #1901) + - Silence type-pun warning when building on HP-UX (GitHub #287) + +3.4.1: (Bugfix and stability release) New feature/behavior: - - cf-execd terminates agent processes that are not responsive for a configurable amount of time (see agent_expireafter in body executor control), defaulting to 1 week Bugfixes: - - - fix regression of classmatch() failing with hard classes (Redmine #1834) - - - create promise-defined and persistent classes in correct + - Fix regression of classmatch() failing with hard classes (Redmine #1834) + - Create promise-defined and persistent classes in correct namespace (Redmine #1836) - - - several fixes to namespace support - - - fix several crash bugs caused by buffer overflow and race + - Several fixes to namespace support + - Fix several crash bugs caused by buffer overflow and race conditions in cf-serverd - - - regenerate time classes in cf-execd for each run (Redmine #1838) - + - Regenerate time classes in cf-execd for each run (Redmine #1838) - edit_xml: fix select_xpath implementation and update documentation NOTE: code that uses select_xpath_region needs to be changed to select_xpath - - edit_xml: make sure that text-modification functions don't overwrite child nodes - - edit_xml: improve error logging 3.4.0 New features: - - Added rpmvercmp utility to compare versions of RPM packages for accurate sorting of RPM packages for packages promises. - - Implement network timeout on server side to avoid keeping stale connections for hours. - - XML editing capabilities. See the documentation for edit_xml body. Note the new dependency: libxml2. - - Implement inheritance of local classes by bundles called using "usebundle". By default classes are not inherited. See the examples/unit_inherit.cf for an example. - - Moved from Nova/Enterprise: - POSIX ACL support, - "outputs" promise type, - remote syslog support. - - packages_default_arch_command hook in packages promises, to specify default architecture of the packages on the system. - - packages_version_less_command / packages_version_equal_command hooks in packages promises, to specify external command for native package manager versions comparison - - agent_expireafter in body executor control allows you to set a timeout on all cf-agent runs, to enforce a threshold on the number of concurrent agents - - Running in Solaris zone is now detected and classes "zone" and "zone_" are created in this case. - - VirtualBox support added to guest_environment promises. - - guest_environment promises are supported under OS X. - - The "depends_on" attribute is now active, for the partal ordering of promises. If a promise depends on another (referred by handle) it will only be considered if the depends_on list is either kept or repaired already. ** WARNING: When upgrading, make sure that any existing use - of depends_on does not make some promises being - unintentionally ignored. This can happen if you are - currently referring to non-existent or never-run handles - in depends_on attributes. - + of depends_on does not make some promises being + unintentionally ignored. This can happen if you are + currently referring to non-existent or never-run handles + in depends_on attributes. - methods return values, initial implementation - - New format for cf-key -s, includes timestamp of last connection - - cf-promises --parse-tree option to parse policy file and dump it in JSON format - - Namespaces support for bundles and bodies. See the examples/unit_namespace*.cf for the usage. - - Default arguments for bundles. See the examples/unit_defaults.cf - - Metadata promise type. See the examples/unit_meta.cf New semantics: - - Methods promises now return the status of promises kept within them. If any promise was not kept, the method is not kept, else if any promise is repaired, the method was repaired @@ -2797,14 +2746,12 @@ - Remote variable access in namespaces by $(namespace:bundle.variable) Changed functionality: - - cf-execd -F switch no longer implies 'run once'. New -O/--once option is added to achieve this behaviour. This makes cf-execd easier to run from systemd, launchd and other supervision systems. Misc: - - Support for the following outdated platforms and corresponding classes has been removed. De facto those platforms were unsupported for a long time, as CFEngine codebase uses C99 @@ -2823,59 +2770,45 @@ - NeXTSTEP (nextstep) - GNU Hurd (gnu) - NEC UX/4800 (ux4800) - - (Old news) Since 3.3.0 the layout of CFEngine Community packages has changed slightly. cf-* binaries have been moved to /var/cfengine/bin, due to the following reasons: - - - cf-* binaries are linked to libraries installed to - /var/cfengine/lib, so placing binaries in /usr/local/sbin does not - increase reliability of the CFEngine, - - - keeping whole CFEngine under single prefix (/var/cfengine) - makes packaging simpler, - - - it matches the layout of CFEngine Enterprise packages. - - Please adjust your policies (the recommended ways to deal with - the move are either to adjust $PATH to include /var/cfengine or to - create symlinks in /usr/local/sbin in case you are relying on - binaries to be available in $PATH). - + - cf-* binaries are linked to libraries installed to + /var/cfengine/lib, so placing binaries in /usr/local/sbin does not + increase reliability of the CFEngine, + - keeping whole CFEngine under single prefix (/var/cfengine) + makes packaging simpler, + - it matches the layout of CFEngine Enterprise packages. + + Please adjust your policies (the recommended ways to deal with + the move are either to adjust $PATH to include /var/cfengine or to + create symlinks in /usr/local/sbin in case you are relying on + binaries to be available in $PATH). - Workdir location is properly changed if --prefix or --enable-fhs options are supplied to configure (Mantis #1195). - - Added check for broken libmysqlclient implementations (Mantis #1217). - - Standard library is updated from COPBL repository. - - cf-know is no longer built in Community releases. The only functionality useful in Community, namely the reference manual generation, is provided by new compile-time cf-gendoc tool. + - Filename (for storing filechanges) changed + from file_change.log -> file_changes.log (in /var/cfengine/state) - - Filename (for storing filechanges) changed - from file_change.log -> file_changes.log (in /var/cfengine/state) - - New format for storing file changes introduced: - [timestamp,filename,,Message] - - N = New file found - C = Content Changed - S = Stats changed - R = File removed + New format for storing file changes introduced: + [timestamp,filename,,Message] + N = New file found + C = Content Changed + S = Stats changed + R = File removed - Acceptance test suite passes on Mac OS X. - - Changed some port numbers to replace old services with imap(s) - - archlinux hard class on Arch Linux. - - Detect BSD Make and automatically switch to GNU Make during build. Bugfixes: - - cfruncommand for cf-execd is an arbitrary shell command now (Mantis #1268). - Fixed broken "daily" splayclasses (Mantis #1307). - Allow filenames up to 4096 bytes in network transfers (Redmine #1199). @@ -2898,73 +2831,64 @@ https://cfengine.com/bugtracker/changelog_page.php (old bug tracker) and https://cfengine.com/dev/projects/core/versions/34 (new bug tracker) -3.3.9 (Bugfix and Stability release) +3.3.9: (Bugfix and stability release) Bugfixes: - - Do not lose hard classes in cf-serverd during policy reload (Mantis #1218). - Implement receive network timeout in cf-serverd. Prevents overloading cf-serverd with stale connections. -3.3.8 (Bugfix and Stability release) +3.3.8: (Bugfix and stability release) Versions 3.3.6, 3.3.7 were internal and weren't released. Bugfixes: - - Propery set sys.domain variable if hostname is fully-qualified. - Fixed several small memory leaks. - Make network timeout for network reads configurable. Previously it was hardcoded to be 30 seconds, which was not enough for cf-runagent invoking cf-agent on big policies (Mantis #1028). -3.3.5 (Bugfix and Stability release) +3.3.5: (Bugfix and stability release) Bugfixes: - - Fixed cf-execd memory leak on hosts with cf-monitord running. - Robustify against wrongly-sized entires in embedded databases. Standard library: - - Bugfixes from upstream COPBL repository. - standard_services bundle from upstream COPBL repository. -3.3.4 (Bugfix and Stability release) +3.3.4: (Bugfix and stability release) Evaluation of policies: - - Fix wrong classes set after installation of several packages using packages promises (Mantis #829). - Fix segfault using edit_template on existing file (Mantis #1155). Misc: - - Fix memory leak during re-read of network interfaces' information in cf-execd/cf-serverd. -3.3.3 (Bugfix and Stability release) +3.3.3: (Bugfix and stability release) Evaluation of policies: - - Zero-length files are valid for readfile() and similar functions (Mantis #1136). - Unchoke agent in case it encounters symlinks in form ./foo (Similar to Mantis #1117). Misc: - - Fix generation of reference manual on machines with umask more relaxed than 022. - Use statvfs(3) on OpenBSD to obtain filesystem information (Mantis #1135). -3.3.2 (Bugfix and Stability release) +3.3.2: (Bugfix and stability release) Evaluation of policies: - - Do not segfault if file copy was interrupted due to network connectivity or server going away (Mantis #1089). - Do not segfault if log_failed attribute is present in body, but @@ -2977,14 +2901,12 @@ (Mantis #890, #1066). Base policy: - - Properly set permissions on files for /var/cfengine/lib on HP-UX (Mantis #1114). - Standard library (cfengine_stdlib.cf) is synced with COPBL repository. Misc: - - Do not create huge file in case corrupted TokyoCabinet database is detected (Mantis #1106). - Fix file descriptor leak on error paths, may have caused crashes @@ -2997,40 +2919,35 @@ on HP-UX (Mantis #1109). - Fix compilation on Solaris 11 (Mantis #1091). -3.3.1 (Bugfix and Stability release) +3.3.1: (Bugfix and stability release) Evaluation of policies: - - Do not cut off name of bundle in variables interpolation (Mantis #975). - Do not segfault in function evaluation guarded by ifvaclass clause (Mantis #1084, #864). - Do not segfault if "classes" promise does not declare any value to be evaluated (Mantis #1074). - Do not segfault in database promises if there is no - database_operation provided (Mantis #1046). + database_operation provided (Mantis #1046). Built-in functions: - - Fix countclassesmatching() function which was misbehaving trying - to match classes starting with alphanumeric symbol (Mantis #1073). + to match classes starting with alphanumeric symbol (Mantis #1073). - Fix diskfree() to return kilobytes, as described in documentation (Mantis #980, #955). - Fix hostsseen() function to avoid treating all hosts as not - being seen since 1970 (Mantis #886). + being seen since 1970 (Mantis #886). - Do not output misleading error message if readtcp() is unable to connect (Mantis #1085). Command-line interface: - - -d option previously reqired an argument, though help message disagreed (Mantis #1053). - Disable --parse-tree option, not ready for the release (Mantis #1063). - Acept -h as a --help option. - Ensure that cf-execd might be started right after being shut down. Misc: - - Plug file descriptor leak after failed file copy (Mantis #990). - Fix unsafe admit rules in default promises.cf (Mantis #1040). - Fix splaytime to match documentation: it is specified in minutes, not seconds (Mantis #1099). Packaging: - - Fix owner/group of initscript and profile.d snippet in RPM builds (Mantis #1061, #1058). - Fix location of libvirt socket CFEngine uses to connect to libvirtd (Mantis #1072). - Install CoreBase to /var/cfengine/masterfiles during installation (Mantis #1075). @@ -3074,7 +2991,6 @@ - mac_:: - discovered MAC addresses Changes: - - Major cleanup of database handling code. Should radically decrease amount of database issues experienced under heavy load. @@ -3087,10 +3003,8 @@ For the older systems QDBM, which relies only on C89, is a better replacement, and deemed to be as portable, as Berkeley DB. - - Change of lastseen database schema. Should radically decrease I/O contention on lasteen database. - - Automatic reload of policies by cf-execd. - Documentation is generated during build, PDF and HTML files are retired from repository. @@ -3105,506 +3019,258 @@ - See the full list of bugfixes at https://cfengine.com/bugtracker/changelog_page.php -3.2.4 (Bugfix and Stability release) - - Fixed failure in network transfer in case of misbehaving peer - - A few tiny memory leaks on error paths fixed - -3.2.3 (Bugfix and Stability release) - - A few tiny memory leaks fixed +3.2.4: (Bugfix and stability release) + - Fixed failure in network transfer in case of misbehaving peer + - A few tiny memory leaks on error paths fixed - Improved performance of cf-serverd under heavy load with - TokyoCabinet database - - Full list of issues fixed is available on - https://cfengine.com/bugtracker/changelog_page.php - -3.2.2 (Bugfix and Stability release) - - Enabled compilation in "large files" mode under AIX - - Alleviated problem with broken file transfers over unstable - Internet links. - - Full list of issues fixed is available on - https://cfengine.com/bugtracker/changelog_page.php - -3.2.1 (Bugfix and Stability release) - - Fixed compilation under HP-UX and Solaris +3.2.3: (Bugfix and stability release) + - A few tiny memory leaks fixed + - Improved performance of cf-serverd under heavy load with + TokyoCabinet database + - Full list of issues fixed is available on + https://cfengine.com/bugtracker/changelog_page.php - Enabled compilation using HP ANSI C compiler +3.2.2: (Bugfix and stability release) + - Enabled compilation in "large files" mode under AIX + - Alleviated problem with broken file transfers over unstable + internet links. + - Full list of issues fixed is available on + https://cfengine.com/bugtracker/changelog_page.php - Full list of issues fixed is available on - https://cfengine.com/bugtracker/changelog_page.php +3.2.1: (Bugfix and stability release) + - Fixed compilation under HP-UX and Solaris + - Enabled compilation using HP ANSI C compiler + - Full list of issues fixed is available on + - https://cfengine.com/bugtracker/changelog_page.php -3.2.0 +3.2.0: New bootstrap method with single-command bootstrapping: - cf-agent --bootstrap --policy-server 123.456.789.123 - Associated policy template files are added, partially maintained by CFEngine - - Bug fixes for file-editing, package versioning, and embedded - database corruption (We recommend using TokyoCabinet instead of - BerkeleyDB if building from source). - - Improved upgrade path for Nova. - - Patches for improved run-agent concurrency - - Reorganization of documentation and community resources - - 100% on regression test suite on 3 operating systems - (Ubuntu, Debian, SuSE on x86-64 hardware) - - Support for multiple release environments - - package_policy update and addupdate now check if user-supplied - version is larger than currently installed - updates only if so - - Help text of cf-report -r corrected - a list of key hashes is - required, not ip addresses. - - New Emacs mode for CFEngine policy files (thanks to Ted Zlatanov!) - - Warnings are on edit_line changes can now give greater degree of information - without spamming promise logs - - Class expressions parser accepts '||' as an alias for '|' again. - - Invalidation of package list cache on installation/removal of - packages. - - New option cf-key -r to remove host key by IP or hostname. - - Added detection of network interfaces which belong to BSD jails. - - Improve robustness of multi-threaded code, in particular fix - problems with spurious access denials in server and losing of - authentication rules after policy reload. - - cf-promises accepts option -b matching cf-agent, which causes it - to do not complain about missing bundlesequence. - - New functions and(), not(), or() and concat() to ease use of - ifvarclass() clause. - - Full list of issues fixed is available on - https://cfengine.com/bugtracker/changelog_page.php - -3.1.5 - New class parser, '||' is no longer allowed in expressions (use '|'). - - Class setting in the promise types insert_lines, delete_lines, - replace_patterns, field_edits, vars, classes is restored. - - suspiciousnames implemented. - - New function getvalues(). - - New functions parse{read,int,string}array to match read{read,int,string}array. - - Testsuite added to check for core functionality. - - Syslog prefix is fixed to say 'cf3' instead of 'community'. - -3.1.4 (Bugfix and Stability release) - - Some urgent patches to 3.1.3. - Class validation parse bug fixed. - Global zone handling error for solaris fixed. - Package architectures handled correctly (bug #456). - Reading and writing of key name "root-.pub" eliminated (bug #442, #453). - cf-serverd crash because of race condition on SERVER_KEYSEEN fixed. - Lock purging to avoid remnant complexity explosion (bug #430). - Some copyright notices added that got lost. - -3.1.3 (Stability release) - - Major memory leaks in cf-monitord, cf-execd, cf-serverd fixed (bug #427). - The daemons now show no growth even with very complex policies. - - cf-serverd crash due to race condition in DeleteScope() fixed (bug #406). - - Added 30 second timeout on recv() on Linux. - - package_noverify_returncode implemented (bug #256). - - A flexible mechanism for setting classes based on return codes of - commands has been introduced. Allows for setting promise kept, - repaired or failed based on any return codes. This is currently - implemented for commands-promises, package-manager commands and - transformer in files. In classes body, see attributes - kept_returncodes, repaired_returncodes, failed_returncodes (bug - #248, #329). - - New function ip2host - reverse DNS lookup (bug #146). - -3.1.2 (Scalability/efficiency release) - - Big efficiency improvements by caching output from - cf-promises. Can also be used for much more efficient policy - deployment (only pull if changed). - - Caching state of ps command for greater efficiency. Reloaded for each bundle. - - Index class lookup improves efficiency of class evaluation for huge configurations. - - Fixed issue where certain promiser strings got corrupted. - - Minor memory access issues fixed. - - Iterator bug introduced in 3.1.0 fixed - -3.1.1 (Bugfix release) - - Memory leaks in server tracked down and fixed. - List expansion bug (one list items not executed) fixed. - Security issue introduced by change of runcommand shell policy fixed. If users defined a runcommand for cf-runagent/cf-serverd communication, possible to execute commands. - cf-key -s command for showing key hash/IP address identity pairs - -3.1.0 - Change in storage of public keys. Cfengine now hashes the public key and uses this - as the keyname. Keys will be converted automatically. - - The old dynamic addresses lists are deprecated. - Caching of dns and key information for greater server speed. - Change in last-seen format reflects the public key usage. - - New package policy addupdate - installs package if not there and - updates it otherwise. - - Support for package_changes => "bulk" in file repository as well. - - New special function readstringarrayidx, similar to readstringarray, - but uses integer indices. Very useful if first row elements are - not good identifiers (e.g. contains spaces, non-unique, etc.). - - Change two log formats to use time() instead of date() - - filechanges - - total compliance - - Change from using md5 to sha256 as default digest for commercial version, - community retains md5 for compat. - - Commands not returning 0 in commands-promises are flagged - as repair_failed. - - Adjustable timeout on connect(). Defaults to 10 seconds, adjustable - with default_timeout in agent control. - - Redesign of the knowledge map infrastructure. - - Now possible to use variables to call methods, e.g - - methods: - - "name $(list)" usebundle => $(list)("abc"); - - See reference manual notes - - Changes to normal ordering to optimize execution. - - Increased stability by always initializing Attribute and Promise - structures. - - When running cf-promises in dry-run mode (-n), the user does not need - to put binaries in WORKDIR/bin. For example, non-privileged users can verify root - policies. - - Source control revision added in version string if run in verbose mode - (e.g. "cf-promises -vV"). This needs some refining, uses revision of a header now. - - New semantics in return values of list functions. Null values are now allowed - and there is no iteration over empty lists. The value "cf_null" is reserved for - use as a null iterator. - -3.0.5p1 - Showing paths allowed/denied access to when cf-serverd is run in verbose mode. - Bug in server fixed for dynamic addresses. - File handle closure bugfix - too many open databases. - Seg fault in mount files fix. - Twin used in cf-execd without checking. - Check_root set wrong directory permissions at source not destination. - Error message degraded in body definition. - Undefined body not warned as error. - Various build enahncements. - Package_list_update called only once per manager, and fixed crash. - Version number bug in packages. - -3.0.5 - Encryption problems fixed - client key buffer was uninitialized. - - Classes-promisers are now automatically canonified when class - strings are defined, to simplifying the use of variables in classes. - - New scalars sys.cf_version and sys.nova_version that hold Cfengine version information. - - Attribute package_delete_convention added, to allow customizable - package name in delete command during update. - - package_list_update_ifelapsed limit added. - - Private variable $(firstrepo) is available in package_name_convention - and package_delete_convention in order to expand the full path to - a package, which is required by some managers. - - Some of the threading code is rewritten and made more robust. This includes - synchronizing access to the lastseen database from the server. - - Bad initialization of BSD flags fixed - Multiple variable expansion issues in control fixed for server and agent - Allow ignore_missing_bundles to affect methods: bundles too - Run agent trust dialogue fixed - - Bug in CPU monitoring, increasing time scale caused linear decay - of CPU measurement. - - Bug in Setuid log storage, fix. - - Hooks added for new Nova virtualization promises. - - Multithreading mutex failed to collide during cfservd leading to dropped authentication under heavy load. - - -3.0.4 - Class cancellation in promises to create better class feedback, - allows emulation of switch/case semantics etc - - Value of SA measurement promises - - Special function getenv() which returns the contents of an - environment variable (on all platforms). - New function translatepath for generic Windows - New function escape() to escape literals as regular expressions (like SQL) - New function host2ip for caching IP address lookup - New function regextract for setting variables with backreferences - - New variables for the components $(sys.cf_agent), $(sys.cf_know) etc - pointing to the binaries. - - More robust integrated database implementation; closing all - handles when receiving signals, self-healing on corruption. - - Package installation on localhost without a manager like yum completed, - multiple repositories searched, and universal methods. - - Numerous bugfixes - - -3.0.3 - sha256 .. new hashes in openssl included in syntax tree. - - End of line autocropping in readfile (hopefully intelligent) - - hashmatch function incorrectly implemented - old debugging code left behind. Fix. - - sys.crontab variable - - Unknown user is now interpretated as "same user", so that we give cfengine a chance to - fix - - Unregistered addresses no longer report "(Non registered IP)", but return as the address - itself when doing reverse lookups. - -3.0.2 - IMPORTANT: Change in normal ordering of editing. replace comes - after insert lines Much testing and minor bug fixing - - Memory leaks fixed - Many hooks added for Nova enterprise extensions. - - promise_output reports now placed in WORKDIR/reports directory - - Initialization correction and self-correx in monitord - - Many new body constraints added. - - Code readied for enterprise version Nova. - - -b option can override the bundlesequence (must not contain parameters yet) - - collapse_destination_dir option added to copy so that files can be - aggregated from subdirectories into a single destination. - - Preparation for release: - unit_accessed_before.cf x - unit_accumulated_time.cf x - unit_acl.cf x - unit_acl_generic.cf x - unit_ago.cf x - unit_arrays.cf x - unit_backreferences_files.cf x - unit_badpromise.cf x - unit_badtype.cf x - unit_bsdflags.cf x - unit_cf2_integration.cf x - unit_changedbefore.cf x - unit_change_detect.cf x - unit_chdir.cf x - unit_classes_global.cf x - unit_classmatch.cf x - unit_classvar_convergence.cf x - unit_compare.cf x - unit_controlclasses.cf x - unit_control_expand.cf x - unit_copy.cf x - unit_copy_edit.cf x - unit_copylinks.cf x - unit_createdb.cf x - unit_create_filedir.cf x - unit_definitions.cf x - unit_deletelines.cf x - unit_disable_and_rotate_files.cf x - unit_dollar.cf x - unit_edit_column_files.cf x - unit_edit_comment_lines.cf x - unit_edit_deletenotmatch.cf x - unit_edit_insert_lines.cf x - unit_edit_insert_lines_silly.cf x - unit_edit_replace_string.cf x - unit_edit_sectioned_file.cf x - unit_edit_setvar.cf x - unit_edit_triggerclass.cf x - unit-env.cf x - unit_epimenides.cf x - unit_exec_args.cf x - unit_execd.cf x - unit_exec_in_sequence.cf x - unit_execresult.cf x - unit_expand.cf x - unit_failsafe.cf x - unit_file_change_detection.cf x - unit_fileexists.cf x - unit_file_owner_list_template.cf x - unit_fileperms.cf x - unit_filesexist2.cf x - unit_filesexist.cf x - unit_getgid.cf x - unit_getindices.cf x - unit_getregistry.cf x - unit_getuid.cf x - unit_global_list_expansion_2.cf x - unit_global_list_expansion.cf x - unit_groupexists.cf x - unit_hash.cf x - unit_hashcomment.cf x - unit_hashmatch.cf x - unit_helloworld.cf x - unit_hostrange.cf x - unit_intarray.cf x - unit_iprange.cf x - unit_irange.cf x - unit_isdir.cf x - unit_islink.cf x - unit_isnewerthan.cf x - unit_isplain.cf x - unit_isvariable.cf x - unit_iteration.cf x - unit_knowledge_txt.cf x - unit_lastnode.cf x - unit_ldap.cf x - unit_linking.cf x - unit_literal_server.cf x - unit_locate_files_and_compress.cf x - unit_log_private.cf x - unit_loops.cf x - unit_measurements.cf x - unit_method.cf x - unit_method_validate.cf x - unit_module_exec_2.cf - unit_module_exec.cf - unit_mount_fs.cf x - unit_neighbourhood_watch.cf x - unit_null_config.cf x - unit_occurrences.cf x - unit_ordering.cf x - unit_package_apt.cf x - unit_package_hash.cf x - unit_package_rpm.cf x - unit_package_yum.cf x - unit_package_zypper.cf x - unit_parallel_exec.cf x - unit_pathtype.cf x - unit_pattern_and_edit.cf x - unit_peers.cf x - unit_postfix.cf x - unit_process_kill.cf x - unit_process_matching2.cf x - unit_process_matching.cf x - unit_process_signalling.cf x - unit_readlist.cf x - unit_readtcp.cf x - unit_regarray.cf x - unit_registry.cf x - unit_regline.cf x - unit_reglist.cf x - unit_remove_deadlinks.cf x - unit_rename.cf x - unit_report_state.cf x - unit_reporttofile.cf x - unit_returnszero.cf x - unit_select_mode.cf x - unit_select_region.cf x - unit_selectservers.cf x - unit_select_size.cf x - unit_server_copy_localhost.cf x - unit_server_copy_remote.cf x - unit_server_copy_purge.cf x - unit_splitstring.cf x - unit_sql.cf x - unit_storage.cf x - unit_strcmp.cf x - unit_stringarray.cf x - unit_syslog.cf x - unit_template.cf x - unit_tidy_all_files.cf x - unit_user_edit.cf x - unit_user_edit_method.cf x - unit_userexists.cf x - unit_varclass.cf x - unit_vars.cf x - unit_warnifline.cf x - unit_webserver.cf x - - -3.0.1 - First standalone release, independent of cfengine 2 - Purge old definitions and check consistency. - - NB: changed search_mode to be a list of matching values - - Reporting rationalized in cf-promises with -r only to avoid - leaving output files everywhere. - - Hooks added for upcoming commercial additions to cfengine. - - Added classify() and hostinnetgroup() functions - Added additional change management options for change detection - - Package management added - generic mechanisms. - - Limits on backgrounding added to avoid resource contention during cfengine runs. - Image type added to cf-know. - - New classes for quartly shifts: Morning,Afternoon,Evening,Night - - Bug fixes in editfiles - line insertion for multiple line objects - - Change the name of the variables and context from the monitord for - better separation of data, and shorter names. sys -> mon - average -> av, stddev -> dev - - canonical name for windows changed from "nt" to "windows", also version names - added "vista","xp" etc.. - - License notices updated for dual license editions. - -3.0.0 - First release of cfengine 3. Known omissions: - - no support for ACLs - - no support for packages - - no support for interface configuration - These will be added in the next release. + - Bug fixes for file-editing, package versioning, and embedded + database corruption (We recommend using TokyoCabinet instead of + BerkeleyDB if building from source). + - Improved upgrade path for Nova. + - Patches for improved run-agent concurrency + - Reorganization of documentation and community resources + - 100% on regression test suite on 3 operating systems + (Ubuntu, Debian, SuSE on x86-64 hardware) + - Support for multiple release environments + - package_policy update and addupdate now check if user-supplied + version is larger than currently installed - updates only if so + - Help text of cf-report -r corrected - a list of key hashes is + required, not ip addresses. + - New Emacs mode for CFEngine policy files (thanks to Ted Zlatanov!) + - Warnings are on edit_line changes can now give greater degree of information + without spamming promise logs + - Class expressions parser accepts '||' as an alias for '|' again. + - Invalidation of package list cache on installation/removal of + packages. + - New option cf-key -r to remove host key by IP or hostname. + - Added detection of network interfaces which belong to BSD jails. + - Improve robustness of multi-threaded code, in particular fix + problems with spurious access denials in server and losing of + authentication rules after policy reload. + - cf-promises accepts option -b matching cf-agent, which causes it + to do not complain about missing bundlesequence. + - New functions and(), not(), or() and concat() to ease use of + ifvarclass() clause. + - Full list of issues fixed is available on + https://cfengine.com/bugtracker/changelog_page.php + +3.1.5: + - New class parser, '||' is no longer allowed in expressions (use '|'). + - Class setting in the promise types insert_lines, delete_lines, + replace_patterns, field_edits, vars, classes is restored. + - suspiciousnames implemented. + - New function getvalues(). + - New functions parse{read,int,string}array to match read{read,int,string}array. + - Testsuite added to check for core functionality. + - Syslog prefix is fixed to say 'cf3' instead of 'community'. + +3.1.4: (Bugfix and stability release) + - Some urgent patches to 3.1.3. + - Class validation parse bug fixed. + - Global zone handling error for solaris fixed. + - Package architectures handled correctly (bug #456). + - Reading and writing of key name "root-.pub" eliminated (bug #442, #453). + - cf-serverd crash because of race condition on SERVER_KEYSEEN fixed. + - Lock purging to avoid remnant complexity explosion (bug #430). + - Some copyright notices added that got lost. + +3.1.3: (Stability release) + - Major memory leaks in cf-monitord, cf-execd, cf-serverd fixed (bug #427). + The daemons now show no growth even with very complex policies. + - cf-serverd crash due to race condition in DeleteScope() fixed (bug #406). + - Added 30 second timeout on recv() on Linux. + - package_noverify_returncode implemented (bug #256). + - A flexible mechanism for setting classes based on return codes of + commands has been introduced. Allows for setting promise kept, + repaired or failed based on any return codes. This is currently + implemented for commands-promises, package-manager commands and + transformer in files. In classes body, see attributes + kept_returncodes, repaired_returncodes, failed_returncodes (bug + #248, #329). + - New function ip2host - reverse DNS lookup (bug #146). + +3.1.2: (Scalability/efficiency release) + - Big efficiency improvements by caching output from + cf-promises. Can also be used for much more efficient policy + deployment (only pull if changed). + - Caching state of ps command for greater efficiency. Reloaded for each bundle. + - Index class lookup improves efficiency of class evaluation for huge configurations. + - Fixed issue where certain promiser strings got corrupted. + - Minor memory access issues fixed. + - Iterator bug introduced in 3.1.0 fixed + +3.1.1: (Bugfix release) + - Memory leaks in server tracked down and fixed. + - List expansion bug (one list items not executed) fixed. + - Security issue introduced by change of runcommand shell policy fixed. If users defined a runcommand for cf-runagent/cf-serverd communication, possible to execute commands. + - cf-key -s command for showing key hash/IP address identity pairs + +3.1.0: + - Change in storage of public keys. Cfengine now hashes the public key and uses this + as the keyname. Keys will be converted automatically. + - The old dynamic addresses lists are deprecated. + Caching of dns and key information for greater server speed. + Change in last-seen format reflects the public key usage. + - New package policy addupdate - installs package if not there and + updates it otherwise. + - Support for package_changes => "bulk" in file repository as well. + - New special function readstringarrayidx, similar to readstringarray, + but uses integer indices. Very useful if first row elements are + not good identifiers (e.g. contains spaces, non-unique, etc.). + - Change two log formats to use time() instead of date() + - filechanges + - total compliance + - Change from using md5 to sha256 as default digest for commercial version, + community retains md5 for compat. + - Commands not returning 0 in commands-promises are flagged + as repair_failed. + - Adjustable timeout on connect(). Defaults to 10 seconds, adjustable + with default_timeout in agent control. + - Redesign of the knowledge map infrastructure. + - Now possible to use variables to call methods, e.g + methods: + "name $(list)" usebundle => $(list)("abc"); + See reference manual notes + - Changes to normal ordering to optimize execution. + - Increased stability by always initializing Attribute and Promise + structures. + - When running cf-promises in dry-run mode (-n), the user does not need + to put binaries in WORKDIR/bin. For example, non-privileged users can verify root + policies. + - Source control revision added in version string if run in verbose mode + (e.g. "cf-promises -vV"). This needs some refining, uses revision of a header now. + - New semantics in return values of list functions. Null values are now allowed + and there is no iteration over empty lists. The value "cf_null" is reserved for + use as a null iterator. + +3.0.5p1: + - Showing paths allowed/denied access to when cf-serverd is run in verbose mode. + - Bug in server fixed for dynamic addresses. + - File handle closure bugfix - too many open databases. + - Seg fault in mount files fix. + - Twin used in cf-execd without checking. + - Check_root set wrong directory permissions at source not destination. + - Error message degraded in body definition. + - Undefined body not warned as error. + - Various build enahncements. + - Package_list_update called only once per manager, and fixed crash. + - Version number bug in packages. + +3.0.5: + - Encryption problems fixed - client key buffer was uninitialized. + - Classes-promisers are now automatically canonified when class + strings are defined, to simplifying the use of variables in classes. + - New scalars sys.cf_version and sys.nova_version that hold Cfengine version information. + - Attribute package_delete_convention added, to allow customizable + package name in delete command during update. + - package_list_update_ifelapsed limit added. + - Private variable $(firstrepo) is available in package_name_convention + and package_delete_convention in order to expand the full path to + a package, which is required by some managers. + - Some of the threading code is rewritten and made more robust. This includes + synchronizing access to the lastseen database from the server. + - Bad initialization of BSD flags fixed + - Multiple variable expansion issues in control fixed for server and agent + - Allow ignore_missing_bundles to affect methods: bundles too + - Run agent trust dialogue fixed + - Bug in CPU monitoring, increasing time scale caused linear decay + of CPU measurement. + - Bug in Setuid log storage, fix. + - Hooks added for new Nova virtualization promises. + - Multithreading mutex failed to collide during cfservd leading to dropped authentication under heavy load. + + +3.0.4: + - Class cancellation in promises to create better class feedback, + allows emulation of switch/case semantics etc + - Value of SA measurement promises + - Special function getenv() which returns the contents of an + environment variable (on all platforms). + - New function translatepath for generic Windows + - New function escape() to escape literals as regular expressions (like SQL) + - New function host2ip for caching IP address lookup + - New function regextract for setting variables with backreferences + - New variables for the components $(sys.cf_agent), $(sys.cf_know) etc + pointing to the binaries. + - More robust integrated database implementation; closing all + handles when receiving signals, self-healing on corruption. + - Package installation on localhost without a manager like yum completed, + multiple repositories searched, and universal methods. + - Numerous bugfixes + + +3.0.3: + - sha256 .. new hashes in openssl included in syntax tree. + - End of line autocropping in readfile (hopefully intelligent) + - hashmatch function incorrectly implemented - old debugging code left behind. Fix. + - sys.crontab variable + - Unknown user is now interpretated as "same user", so that we give CFEngine a chance to + fix + - Unregistered addresses no longer report "(Non registered IP)", but return as the address + itself when doing reverse lookups. + +3.0.2: + - IMPORTANT: Change in normal ordering of editing. replace comes + after insert lines Much testing and minor bug fixing + - Memory leaks fixed + - Many hooks added for Nova enterprise extensions. + - promise_output reports now placed in WORKDIR/reports directory + - Initialization correction and self-correx in monitord + - Many new body constraints added. + - Code readied for enterprise version Nova. + - -b option can override the bundlesequence (must not contain parameters yet) + - collapse_destination_dir option added to copy so that files can be + aggregated from subdirectories into a single destination. + +3.0.1: + - First standalone release, independent of CFEngine 2 + Purge old definitions and check consistency. + - NB: changed search_mode to be a list of matching values + - Reporting rationalized in cf-promises with -r only to avoid + leaving output files everywhere. + - Hooks added for upcoming commercial additions to CFEngine. + - Added classify() and hostinnetgroup() functions + - Added additional change management options for change detection + - Package management added - generic mechanisms. + - Limits on backgrounding added to avoid resource contention during CFEngine runs. + - Image type added to cf-know. + - New classes for quartly shifts: Morning,Afternoon,Evening,Night + - Bug fixes in editfiles - line insertion for multiple line objects + - Change the name of the variables and context from the monitord for + better separation of data, and shorter names. sys -> mon + average -> av, stddev -> dev + - Canonical name for windows changed from "nt" to "windows", also version names + added "vista","xp" etc.. + - License notices updated for dual license editions. + +3.0.0: + - First release of CFEngine 3. Known omissions: + - no support for ACLs + - no support for packages + - no support for interface configuration + - These will be added in the next release. From fa47a882df18881cb73cc185b3566af1e9a4e64c Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 27 Jun 2023 14:07:06 -0500 Subject: [PATCH 053/255] Removed LGTM banner that no longer works (cherry picked from commit 66490d6c29fb6145e6933c46fc27f4acd95624ef) --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 38b16dcff5..b356c99bfd 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,5 @@ [![Gitter chat](https://badges.gitter.im/cfengine/core.png)](https://gitter.im/cfengine/core) -[![Language grade: C](https://img.shields.io/lgtm/grade/cpp/g/cfengine/core.svg?logo=lgtm&logoWidth=18&label=code%20quality)](https://lgtm.com/projects/g/cfengine/core/) - # CFEngine 3 CFEngine 3 is a popular open source configuration management system. Its primary From 27791a6528ab4da8e843d8b832d2d35a2c1994cf Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 14 Jul 2023 09:22:51 -0500 Subject: [PATCH 054/255] Removed push event handling in github actions workflow We don't have easy visibility on the results of these events which only occur after we merge pull requests. We use /merge refs in pull requests so running the actions again on push events (after the merge) don't really provide any additional information. Pushes/commits to pull requests are handled by the pull_request event so no change there. See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push Ticket: ENT-10428 Changelog: none (cherry picked from commit 81b49e7b0edec53133d16b9dbe0ac8dfba17a7b5) --- .github/workflows/ci.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dc7e487e4c..138163171d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,13 +6,6 @@ on: pull_request: branches: [ master, 3.21.x, 3.18.x ] - # run this workflow on push/merge activity - # pull_request activity won't detect changes - # in the upstream branch before we merge - push: - branches: [ master, 3.21.x, 3.18.x ] - - jobs: unit_tests: uses: ./.github/workflows/unit_tests.yml From 3e16a046699eec58c6cea1340d18069a5f7ff508 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 19 Jun 2023 19:30:32 +0200 Subject: [PATCH 055/255] package[update]smatching now looks for software inventory databases If the default software inventory from context is not specified, the package[update]smatching policy functions now looks for the software inventory databases in the state directory and uses them if found. This change enables the usage of these functions in standalone policy files without the demand for specifying the default package inventory attribute in body common control. However, you still need the default package inventory attribute specified in the policy framework for the software inventory databases to exist in the first place and to be maintained. Ticket: ENT-9083 Changelog: commit Signed-off-by: Lars Erik Wik (cherry picked from commit 0c954b6b830262eadfb137d7ccb128a2fd71b87d) --- libpromises/dbm_api.c | 28 ++++++++++++++++++++++++++++ libpromises/dbm_api.h | 2 ++ libpromises/evalfunction.c | 26 ++++++++++++++++++++++++++ 3 files changed, 56 insertions(+) diff --git a/libpromises/dbm_api.c b/libpromises/dbm_api.c index 0b6365c214..b7ef186e50 100644 --- a/libpromises/dbm_api.c +++ b/libpromises/dbm_api.c @@ -168,6 +168,34 @@ char *DBIdToSubPath(dbid id, const char *subdb_name) return native_filename; } +Seq *SearchExistingSubDBNames(const dbid id) +{ + char *const glob_pattern = DBIdToSubPath(id, "*"); + StringSet *const db_paths = GlobFileList(glob_pattern); + free(glob_pattern); + + Seq *const db_names = SeqNew(StringSetSize(db_paths), free); + StringSetIterator iter = StringSetIteratorInit(db_paths); + const char *db_path; + + // Start after the '$(sys.statedir)/packages_installed_' part of the path + const size_t from = strlen(GetStateDir()) + 1 + + strlen(DB_PATHS_STATEDIR[id]) + 1; + + // End before the '.lmdb' part of the path + const size_t chop = from + 1 + strlen(DBPrivGetFileExtension()); + + while ((db_path = StringSetIteratorNext(&iter)) != NULL) + { + char *const db_name = SafeStringNDuplicate(db_path + from, + strlen(db_path) - chop); + SeqAppend(db_names, db_name); + } + + StringSetDestroy(db_paths); + return db_names; +} + char *DBIdToPath(dbid id) { assert(DB_PATHS_STATEDIR[id] != NULL); diff --git a/libpromises/dbm_api.h b/libpromises/dbm_api.h index fe5ed6a9dd..516d1add6d 100644 --- a/libpromises/dbm_api.h +++ b/libpromises/dbm_api.h @@ -29,6 +29,7 @@ #define EC_CORRUPTION_REPAIR_FAILED 121 #include +#include #include // Only append to the end, keep in sync with DB_PATHS_STATEDIR array @@ -106,6 +107,7 @@ bool DeleteDBCursor(CF_DBC *dbcp); char *DBIdToPath(dbid id); char *DBIdToSubPath(dbid id, const char *subdb_name); +Seq *SearchExistingSubDBNames(dbid id); StringMap *LoadDatabaseToStringMap(dbid database_id); diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index 94b2793d24..40f928c7d4 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -1956,6 +1956,24 @@ static FnCallResult FnCallPackagesMatching(ARG_UNUSED EvalContext *ctx, ARG_UNUS Rlist *default_inventory = GetDefaultInventoryFromContext(ctx); + bool inventory_allocated = false; + if (default_inventory == NULL) + { + // Did not find default inventory from context, try looking for + // existing LMDB databases in the state directory + dbid database = (installed_mode ? dbid_packages_installed + : dbid_packages_updates); + Seq *const seq = SearchExistingSubDBNames(database); + const size_t length = SeqLength(seq); + for (size_t i = 0; i < length; i++) + { + const char *const db_name = SeqAt(seq, i); + RlistAppendString(&default_inventory, db_name); + inventory_allocated = true; + } + SeqDestroy(seq); + } + if (!default_inventory) { // Legacy package promise @@ -1983,10 +2001,18 @@ static FnCallResult FnCallPackagesMatching(ARG_UNUSED EvalContext *ctx, ARG_UNUS Log(LOG_LEVEL_DEBUG, "No valid package module inventory found"); pcre_free(matcher); JsonDestroy(json); + if (inventory_allocated) + { + RlistDestroy(default_inventory); + } return FnFailure(); } } + if (inventory_allocated) + { + RlistDestroy(default_inventory); + } pcre_free(matcher); if (ret == false) From 50f88e77b8222874d2a411ef08897b8ba76f0ccc Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 25 Jul 2023 13:19:06 -0500 Subject: [PATCH 056/255] Added details about running in-source-directory and debugging with libtool Ticket: none Changelog: none (cherry picked from commit e0898a23d44e946d67afb12fb472703b1ee6908c) --- README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/README.md b/README.md index b356c99bfd..deefb86546 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,13 @@ stated otherwise in the copyright notice inside the particular file. ## Example Usage +In order to use the built cf-agent in the source tree you must add a $HOME/.cfagent/bin/cf-promises file: + +$ pwd +/core +$ echo "cd $(pwd); cf-promises/cf-promises \"\$@\"" > ~/.cfagent/bin/cf-promises + + ### Hello World The following code demonstrates simple CFEngine output through a reports promise. @@ -63,6 +70,13 @@ The following policy code may be executed with cf-agent (the main CFEngine binar $ cf-agent/cf-agent hello.cf R: Hello, world + +## Debugging + +As this project uses autotools you must use libtool to run gdb/lldb/debuggers + +./libtool --mode=execute ./cf-agent/cf-agent + ## Contributing Please see the [CONTRIBUTING.md](https://github.com/cfengine/core/blob/master/CONTRIBUTING.md) file. From 070de326e934534dcc77dcea6d5e5cc2e62fec00 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 25 Jul 2023 13:19:53 -0500 Subject: [PATCH 057/255] Modified classesmatching() function to search parent bundles with inherit => true Ticket: ENT-5850 Changelog: title (cherry picked from commit c278bcf081a0b67bdb08fa8eafc5d56c713a0833) --- libpromises/eval_context.c | 59 +++++++++++++++++ libpromises/eval_context.h | 3 +- libpromises/evalfunction.c | 9 +-- .../02_functions/classesmatching_inherit.cf | 38 +++++++++++ .../02_functions/classesmatching_inherit_2.cf | 65 +++++++++++++++++++ 5 files changed, 167 insertions(+), 7 deletions(-) create mode 100644 tests/acceptance/02_classes/02_functions/classesmatching_inherit.cf create mode 100644 tests/acceptance/02_classes/02_functions/classesmatching_inherit_2.cf diff --git a/libpromises/eval_context.c b/libpromises/eval_context.c index 695ff8d045..4f644ac5dc 100644 --- a/libpromises/eval_context.c +++ b/libpromises/eval_context.c @@ -3484,6 +3484,65 @@ bool EvalContextIsIgnoringLocks(const EvalContext *ctx) return ctx->ignore_locks; } +StringSet *ClassesMatchingLocalRecursive( + const EvalContext *ctx, + const char *regex, + const Rlist *tags, + bool first_only, + size_t stack_index) +{ + assert(ctx != NULL); + StackFrame *frame = SeqAt(ctx->stack, stack_index); + StringSet *matches; + if (frame->type == STACK_FRAME_TYPE_BUNDLE) + { + ClassTableIterator *iter = ClassTableIteratorNew( + frame->data.bundle.classes, + frame->data.bundle.owner->ns, + false, + true); // from EvalContextClassTableIteratorNewLocal() + matches = ClassesMatching(ctx, iter, regex, tags, first_only); + ClassTableIteratorDestroy(iter); + } + else + { + matches = StringSetNew(); // empty for passing up the recursion chain + } + + if (stack_index > 0 && frame->inherits_previous) + { + StringSet *parent_matches = ClassesMatchingLocalRecursive( + ctx, regex, tags, first_only, stack_index - 1); + StringSetJoin(matches, parent_matches, xstrdup); + StringSetDestroy(parent_matches); + } + + return matches; +} + +StringSet *ClassesMatchingLocal( + const EvalContext *ctx, + const char *regex, + const Rlist *tags, + bool first_only) +{ + assert(ctx != NULL); + return ClassesMatchingLocalRecursive( + ctx, regex, tags, first_only, SeqLength(ctx->stack) - 1); +} + +StringSet *ClassesMatchingGlobal( + const EvalContext *ctx, + const char *regex, + const Rlist *tags, + bool first_only) +{ + ClassTableIterator *iter = + EvalContextClassTableIteratorNewGlobal(ctx, NULL, true, true); + StringSet *matches = ClassesMatching(ctx, iter, regex, tags, first_only); + ClassTableIteratorDestroy(iter); + return matches; +} StringSet *ClassesMatching(const EvalContext *ctx, ClassTableIterator *iter, const char* regex, const Rlist *tags, bool first_only) { StringSet *matching = StringSetNew(); diff --git a/libpromises/eval_context.h b/libpromises/eval_context.h index f5e72d5250..01b16788ba 100644 --- a/libpromises/eval_context.h +++ b/libpromises/eval_context.h @@ -249,7 +249,8 @@ static inline bool IsDefinedClass(const EvalContext *ctx, const char *context) return (CheckClassExpression(ctx, context) == EXPRESSION_VALUE_TRUE); } StringSet *ClassesMatching(const EvalContext *ctx, ClassTableIterator *iter, const char* regex, const Rlist *tags, bool first_only); - +StringSet *ClassesMatchingGlobal(const EvalContext *ctx, const char* regex, const Rlist *tags, bool first_only); +StringSet *ClassesMatchingLocal(const EvalContext *ctx, const char* regex, const Rlist *tags, bool first_only); bool EvalProcessResult(const char *process_result, StringSet *proc_attr); bool EvalFileResult(const char *file_result, StringSet *leaf_attr); diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index 40f928c7d4..c78224546a 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -1329,6 +1329,7 @@ static FnCallResult FnCallIfElse(EvalContext *ctx, static FnCallResult FnCallClassesMatching(EvalContext *ctx, ARG_UNUSED const Policy *policy, const FnCall *fp, const Rlist *finalargs) { + assert(finalargs != NULL); bool count_only = false; bool check_only = false; unsigned count = 0; @@ -1367,8 +1368,7 @@ static FnCallResult FnCallClassesMatching(EvalContext *ctx, ARG_UNUSED const Pol Rlist *matches = NULL; { - ClassTableIterator *iter = EvalContextClassTableIteratorNewGlobal(ctx, NULL, true, true); - StringSet *global_matches = ClassesMatching(ctx, iter, RlistScalarValue(finalargs), finalargs->next, check_only); + StringSet *global_matches = ClassesMatchingGlobal(ctx, RlistScalarValue(finalargs), finalargs->next, check_only); StringSetIterator it = StringSetIteratorInit(global_matches); const char *element = NULL; @@ -1385,7 +1385,6 @@ static FnCallResult FnCallClassesMatching(EvalContext *ctx, ARG_UNUSED const Pol } StringSetDestroy(global_matches); - ClassTableIteratorDestroy(iter); } if (check_only && count >= 1) @@ -1394,8 +1393,7 @@ static FnCallResult FnCallClassesMatching(EvalContext *ctx, ARG_UNUSED const Pol } { - ClassTableIterator *iter = EvalContextClassTableIteratorNewLocal(ctx); - StringSet *local_matches = ClassesMatching(ctx, iter, RlistScalarValue(finalargs), finalargs->next, check_only); + StringSet *local_matches = ClassesMatchingLocal(ctx, RlistScalarValue(finalargs), finalargs->next, check_only); StringSetIterator it = StringSetIteratorInit(local_matches); const char *element = NULL; @@ -1412,7 +1410,6 @@ static FnCallResult FnCallClassesMatching(EvalContext *ctx, ARG_UNUSED const Pol } StringSetDestroy(local_matches); - ClassTableIteratorDestroy(iter); } if (check_only) diff --git a/tests/acceptance/02_classes/02_functions/classesmatching_inherit.cf b/tests/acceptance/02_classes/02_functions/classesmatching_inherit.cf new file mode 100644 index 0000000000..add7db3e85 --- /dev/null +++ b/tests/acceptance/02_classes/02_functions/classesmatching_inherit.cf @@ -0,0 +1,38 @@ +bundle agent __main__ +{ + classes: + "defined_in_parent" expression => "cfengine"; + + methods: + "ENT-5850" + usebundle => ENT_5850, + inherit => "true"; +} + +bundle agent ENT_5850 +{ + vars: + "c_matching" + slist => classesmatching(".*"); + "c_matching_defined_in_parent" + slist => classesmatching("defined_in_parent"); + + classes: + "defined_here" expression => "cfengine"; + + reports: + "$(this.promise_filename) Pass" + if => some( "defined_in_parent", c_matching); + + "$(this.promise_filename) FAIL $(this.promise_filename)$(const.n)Could not find class 'defined_in_parent' in classesmatching() but it's defined" + if => and( not( some( "defined_in_parent", c_matching) ), + defined_in_parent + ); + + "Classes found by classesmatching() starting with 'defined' $(with)" + with => join( ", ", classesmatching("defined.*") ); + + "'defined_here' is defined" if => "defined_here"; + "'defined_in_parent' is defined" if => "defined_in_parent"; + "Running CFEngine: $(sys.cf_version)"; +} diff --git a/tests/acceptance/02_classes/02_functions/classesmatching_inherit_2.cf b/tests/acceptance/02_classes/02_functions/classesmatching_inherit_2.cf new file mode 100644 index 0000000000..a493934021 --- /dev/null +++ b/tests/acceptance/02_classes/02_functions/classesmatching_inherit_2.cf @@ -0,0 +1,65 @@ +bundle agent common +{ + vars: + "logfile" string => "$(this.promise_dirname)$(const.dirsep)defined_classes.log"; +} + +bundle agent __main__ +{ + classes: "defined_in_main"; + methods: + "init"; + "first" inherit => "true"; + "check"; +} + +bundle agent init +{ + files: + "$(common.logfile)" + delete => tidy; +} + +bundle agent first +{ + classes: "defined_in_first"; + methods: "second" inherit => "true"; +} + +bundle agent second +{ + classes: "defined_in_second"; + methods: "third" inherit => "true"; +} + +bundle agent third +{ + vars: + "defined_classes" slist => classesmatching("defined.*"); + + reports: + "defined_classes: $(defined_classes)" + report_to_file => "$(common.logfile)"; +} + +bundle agent check +{ + vars: + "expected" string => concat("defined_classes: defined_in_main$(const.n)", + "defined_classes: defined_in_first$(const.n)", + "defined_classes: defined_in_second$(const.n)"); + "actual" string => readfile("$(common.logfile)", inf); + + reports: + "$(this.promise_filename) Pass" + if => strcmp($(expected), $(actual)); + + "$(this.promise_filename) FAIL" + if => not(strcmp($(expected), $(actual))); +} + +body delete tidy +{ + dirlinks => "delete"; + rmdirs => "true"; +} From f1bf75b41930ec495920030fb097196d590529e5 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 9 Aug 2023 13:32:13 +0200 Subject: [PATCH 058/255] Added RvalWriteRaw function that doesn't escape quotes This function is needed for ticket ENT-4277. Ticket: ENT-4277 Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 245ddfde2fd808cbbc375839bdcc5290de547e54) --- libpromises/fncall.c | 2 +- libpromises/policy.c | 2 +- libpromises/rlist.c | 17 +++++++++++------ libpromises/rlist.h | 3 ++- tests/unit/rlist_test.c | 35 ++++++++++++++++++++++++++++++++++- 5 files changed, 49 insertions(+), 10 deletions(-) diff --git a/libpromises/fncall.c b/libpromises/fncall.c index e504b57e77..6782dc6589 100644 --- a/libpromises/fncall.c +++ b/libpromises/fncall.c @@ -228,7 +228,7 @@ void FnCallWrite(Writer *writer, const FnCall *call) switch (rp->val.type) { case RVAL_TYPE_SCALAR: - ScalarWrite(writer, RlistScalarValue(rp), true); + ScalarWrite(writer, RlistScalarValue(rp), true, false); break; case RVAL_TYPE_FNCALL: diff --git a/libpromises/policy.c b/libpromises/policy.c index 3ef14360f0..c8f140b634 100644 --- a/libpromises/policy.c +++ b/libpromises/policy.c @@ -2107,7 +2107,7 @@ void BundleToString(Writer *writer, Bundle *bundle) } IndentPrint(writer, 2); - ScalarWrite(writer, pp->promiser, true); + ScalarWrite(writer, pp->promiser, true, false); /* FIX: add support * diff --git a/libpromises/rlist.c b/libpromises/rlist.c index 8f44f5168b..59f30cae3e 100644 --- a/libpromises/rlist.c +++ b/libpromises/rlist.c @@ -1339,7 +1339,7 @@ void RlistWrite(Writer *writer, const Rlist *list) WriterWriteChar(writer, '}'); } -void ScalarWrite(Writer *writer, const char *s, bool quote) +void ScalarWrite(Writer *writer, const char *s, bool quote, bool raw) { if (quote) { @@ -1347,7 +1347,7 @@ void ScalarWrite(Writer *writer, const char *s, bool quote) } for (; *s; s++) { - if (*s == '"') + if (*s == '"' && !raw) { WriterWriteChar(writer, '\\'); } @@ -1359,7 +1359,7 @@ void ScalarWrite(Writer *writer, const char *s, bool quote) } } -static void RvalWriteParts(Writer *writer, const void* item, RvalType type, bool quote) +static void RvalWriteParts(Writer *writer, const void* item, RvalType type, bool quote, bool raw) { if (item == NULL) { @@ -1369,7 +1369,7 @@ static void RvalWriteParts(Writer *writer, const void* item, RvalType type, bool switch (type) { case RVAL_TYPE_SCALAR: - ScalarWrite(writer, item, quote); + ScalarWrite(writer, item, quote, raw); break; case RVAL_TYPE_LIST: @@ -1392,12 +1392,17 @@ static void RvalWriteParts(Writer *writer, const void* item, RvalType type, bool void RvalWrite(Writer *writer, Rval rval) { - RvalWriteParts(writer, rval.item, rval.type, false); + RvalWriteParts(writer, rval.item, rval.type, false, false); } void RvalWriteQuoted(Writer *writer, Rval rval) { - RvalWriteParts(writer, rval.item, rval.type, true); + RvalWriteParts(writer, rval.item, rval.type, true, false); +} + +void RvalWriteRaw(Writer *writer, Rval rval) +{ + RvalWriteParts(writer, rval.item, rval.type, false, true); } char *RvalToString(Rval rval) diff --git a/libpromises/rlist.h b/libpromises/rlist.h index 1d5798da4a..8ce2a1858c 100644 --- a/libpromises/rlist.h +++ b/libpromises/rlist.h @@ -65,6 +65,7 @@ char *RvalToString(Rval rval); char *RlistToString(const Rlist *rlist); void RvalWrite(Writer *writer, Rval rval); void RvalWriteQuoted(Writer *writer, Rval rval); +void RvalWriteRaw(Writer *writer, Rval rval); unsigned RvalHash(Rval rval, unsigned seed); Rlist *RlistCopy(const Rlist *list); @@ -109,7 +110,7 @@ void RlistWrite(Writer *writer, const Rlist *list); Rlist *RlistLast(Rlist *start); void RlistFilter(Rlist **list, bool (*KeepPredicate)(void *item, void *predicate_data), void *predicate_user_data, void (*DestroyItem)(void *item)); void RlistReverse(Rlist **list); -void ScalarWrite(Writer *w, const char *s, bool quote); +void ScalarWrite(Writer *w, const char *s, bool quote, bool raw); void RlistFlatten(EvalContext *ctx, Rlist **list); bool RlistEqual (const Rlist *list1, const Rlist *list2); bool RlistEqual_untyped(const void *list1, const void *list2); diff --git a/tests/unit/rlist_test.c b/tests/unit/rlist_test.c index 32fb4e4a99..e713368ad9 100644 --- a/tests/unit/rlist_test.c +++ b/tests/unit/rlist_test.c @@ -713,6 +713,36 @@ static void test_regex_split_overlapping_delimiters() RlistDestroy(list); } +static void test_rval_write() +{ + Rval rval = { "\"Hello World!\"", RVAL_TYPE_SCALAR }; + Writer *writer = StringWriter(); + RvalWrite(writer, rval); + const char *actual = StringWriterData(writer); + assert_string_equal(actual, "\\\"Hello World!\\\""); + WriterClose(writer); +} + +static void test_rval_write_quoted() +{ + Rval rval = { "\"Hello World!\"", RVAL_TYPE_SCALAR }; + Writer *writer = StringWriter(); + RvalWriteQuoted(writer, rval); + const char *actual = StringWriterData(writer); + assert_string_equal(actual, "\"\\\"Hello World!\\\"\""); + WriterClose(writer); +} + +static void test_rval_write_raw() +{ + Rval rval = { "\"Hello World!\"", RVAL_TYPE_SCALAR }; + Writer *writer = StringWriter(); + RvalWriteRaw(writer, rval); + const char *actual = StringWriterData(writer); + assert_string_equal(actual, "\"Hello World!\""); + WriterClose(writer); +} + int main() { PRINT_TEST_BANNER(); @@ -744,7 +774,10 @@ int main() unit_test(test_regex_split_no_match), unit_test(test_regex_split_adjacent_separators), unit_test(test_regex_split_real_regex), - unit_test(test_regex_split_overlapping_delimiters) + unit_test(test_regex_split_overlapping_delimiters), + unit_test(test_rval_write), + unit_test(test_rval_write_quoted), + unit_test(test_rval_write_raw), }; return run_tests(tests); From 4146292fd7b0e50d6d91e1cb79f0e87378cb0937 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 24 Aug 2023 13:07:47 -0500 Subject: [PATCH 059/255] Removed references to travis Ticket: ENT-10447 Changelog: none (cherry picked from commit 16410e0fd9763078b74c2f46f77e4521794ac283) --- .github/workflows/valgrind.sh | 2 +- .travis.yml | 59 --------------------- travis-scripts/after_script.sh | 24 --------- travis-scripts/after_success.sh | 1 - travis-scripts/before_install.sh | 41 --------------- travis-scripts/script.sh | 88 -------------------------------- 6 files changed, 1 insertion(+), 214 deletions(-) delete mode 100644 .travis.yml delete mode 100755 travis-scripts/after_script.sh delete mode 100755 travis-scripts/after_success.sh delete mode 100755 travis-scripts/before_install.sh delete mode 100755 travis-scripts/script.sh diff --git a/.github/workflows/valgrind.sh b/.github/workflows/valgrind.sh index f510166130..73e7a48dd0 100644 --- a/.github/workflows/valgrind.sh +++ b/.github/workflows/valgrind.sh @@ -49,7 +49,7 @@ function check_serverd_valgrind_output { exit 1 fi set -e - echo "Serverd has 1 expected valgrind error in travis because of old glibc" + echo "Serverd has 1 expected valgrind error because of old glibc" echo "Because of this we use special assertions on output" echo "Looking for problems in $1:" grep -i "definitely lost" $1 diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 4dcfc5ef5e..0000000000 --- a/.travis.yml +++ /dev/null @@ -1,59 +0,0 @@ -language: c -os: linux -dist: xenial - -# This is an addon for uploading artifacts to s3: -# https://docs.travis-ci.com/user/uploading-artifacts/ -# Env vars: ARTIFACTS_BUCKET ARTIFACTS_SECRET ARTIFACTS_BUCKET -# If you are logged in and have permission, you can see here: -# https://s3.console.aws.amazon.com/s3/buckets/cfengine-travis-artifacts?region=us-east-1 -addons: - artifacts: - paths: - - artifacts/ - -# Build on pushes only to given branches -branches: - only: - - master - - 3.12.x - - 3.15.x - - 3.18.x - -env: - global: - - CI_NODE_TOTAL=6 - # Quickest to build, fast performing, debugable builds. - - CFLAGS="-g1 -O1" - # upload log files, tarballs etc artifacts from the build. - - ARTIFACTS_BUCKET=cfengine-travis-artifacts - # 2 cores according to: https://docs.travis-ci.com/user/ci-environment/ - - MAKEFLAGS=-j3 - -# Parallel jobs listed here; fastest jobs should come first to give -# feedback ASAP. For more info read this: -# https://docs.travis-ci.com/user/multi-os/ -jobs: - fast_finish: true # Build will succeed once all linux jobs succeed - include: - - env: JOB_TYPE=compile_and_unit_test_asan - - env: JOB_TYPE=valgrind_health_check - - env: JOB_TYPE=compile_and_unit_test COVERAGE=no - compiler: clang - - env: JOB_TYPE=acceptance_tests_common - # The unsafe acceptance tests don't work with SIMFS which is the default - # filesystem in Travis; so change OS to Trusty, which uses ext4. - - env: JOB_TYPE=acceptance_tests_unsafe_serial_network_etc - - env: JOB_TYPE=serverd_multi_versions COVERAGE=no - -before_install: - - chmod ug+x ./travis-scripts/* - - ./travis-scripts/before_install.sh - -script: ./travis-scripts/script.sh - -after_success: ./travis-scripts/after_success.sh - -before_deploy: ./travis-scripts/before_deploy.sh - -after_script: ./travis-scripts/after_script.sh diff --git a/travis-scripts/after_script.sh b/travis-scripts/after_script.sh deleted file mode 100755 index 512ea2cabb..0000000000 --- a/travis-scripts/after_script.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh -set +e -cd $TRAVIS_BUILD_DIR || return 1 -mkdir artifacts -test "x$DIST_TARBALL" != x && cp "$DIST_TARBALL" artifacts/ -mv config.log artifacts/ 2>/dev/null -mv tests/acceptance/summary.log artifacts/ 2>/dev/null -mv tests/acceptance/test.log artifacts/ 2>/dev/null -mv tests/acceptance/workdir artifacts/ 2>/dev/null -mv serverd-multi-versions-logs artifacts/ 2>/dev/null - -VERSION=$(expr "$DIST_TARBALL" : "cfengine-\(.*\).tar.gz") -VERSION=${VERSION:-master} -test "$TRAVIS_PULL_REQUEST" = "false" && BRANCH_OR_PULL_REQUEST=$TRAVIS_BRANCH || BRANCH_OR_PULL_REQUEST=PULL_$TRAVIS_PULL_REQUEST - -filename=cfengine-$VERSION-$BRANCH_OR_PULL_REQUEST-$JOB_TYPE.artifacts.zip -zip -q -r $filename artifacts/ - -echo ===== uploading $filename to file.io ===== -curl -F "file=@$filename" https://file.io -echo 'Note that file.io DELETES file from their servers after first download,' -echo "so don't delete it from your machine if you still need it!" - -cd - >/dev/null diff --git a/travis-scripts/after_success.sh b/travis-scripts/after_success.sh deleted file mode 100755 index 1a2485251c..0000000000 --- a/travis-scripts/after_success.sh +++ /dev/null @@ -1 +0,0 @@ -#!/bin/sh diff --git a/travis-scripts/before_install.sh b/travis-scripts/before_install.sh deleted file mode 100755 index 4d0833b30a..0000000000 --- a/travis-scripts/before_install.sh +++ /dev/null @@ -1,41 +0,0 @@ -#!/bin/sh -set -e -if [ "$TRAVIS_OS_NAME" = osx ] -then - set +e - rvm get stable - brew update - brew install lmdb - brew install make - brew install autoconf - brew install automake - brew install openssl - # brew install gcc@7 || brew link --overwrite gcc@7 - set -e - # gcc-7 --version - #brew install python - #brew install libxml2 - #brew install fakeroot -else - sudo rm -vf /etc/apt/sources.list.d/*riak* - sudo apt-get --quiet update - # Needed to build - sudo apt-get install -y libssl-dev libpam0g-dev - sudo apt-get install -y liblmdb-dev - # Needed to test - sudo apt-get install -y fakeroot - # Optional - sudo apt-get install -y libxml2-dev libacl1-dev - # Code coverage dependency: - sudo apt-get install -y lcov - # Ensure traditional yacc compatibility - sudo apt-get purge -y bison - sudo apt-get autoremove -y - sudo apt-get install -y byacc - sudo apt-get -qy install curl - - if [ "$JOB_TYPE" = valgrind_health_check ] - then - sudo apt-get install -y valgrind - fi -fi diff --git a/travis-scripts/script.sh b/travis-scripts/script.sh deleted file mode 100755 index 981a60fbd7..0000000000 --- a/travis-scripts/script.sh +++ /dev/null @@ -1,88 +0,0 @@ -#!/bin/sh -set -e -set -x - -cd $TRAVIS_BUILD_DIR || exit 1 - -if [ "$JOB_TYPE" = valgrind_health_check ] -then - sudo bash travis-scripts/valgrind.sh - exit -fi - -INSTDIR=$HOME/cf_install - -# if [ "$JOB_TYPE" = style_check ] -# then -# # sh tests/misc/style_check.sh -# exit 0 -# fi - -# Fetch the tags from upstream even if we are on a -# foreign clone. Needed for determine-version.sh to work. -git remote add upstream https://github.com/cfengine/core.git \ - && git fetch --no-recurse-submodules upstream 'refs/tags/*:refs/tags/*' - -if [ "$TRAVIS_OS_NAME" = osx ] -then - ./autogen.sh --enable-debug --with-openssl="$(brew --prefix openssl)" --prefix=$INSTDIR --bindir=$INSTDIR/var/cfengine/bin - gmake --version - gmake CFLAGS="-Werror -Wall" - # Tests are disabled on OS X, because they started hanging in travis, - # for no apparent reason. - # gmake --debug -C tests/unit check - exit -else - NO_CONFIGURE=1 ./autogen.sh - ./configure --enable-debug --prefix=$INSTDIR --with-systemd-service --bindir=$INSTDIR/var/cfengine/bin \ - `[ "x$COVERAGE" != xno ] && echo --enable-coverage` -fi - -make dist - -DIST_TARBALL=`echo cfengine-*.tar.gz` -export DIST_TARBALL - -if [ "$JOB_TYPE" = compile_only ] -then - make CFLAGS="-Werror" -k -elif [ "$JOB_TYPE" = compile_and_unit_test ] -then - make CFLAGS="-Wall -Wextra -Werror -Wno-sign-compare" - make -C tests/unit check - make -C tests/load check - exit -elif [ "$JOB_TYPE" = compile_and_unit_test_asan ] -then - make CFLAGS="-Werror -Wall -fsanitize=address" LDFLAGS="-fsanitize=address" - make -C tests/unit CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" check - make -C tests/load CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" check - exit -else - make -fi - -cd tests/acceptance || exit 1 -chmod -R go-w . - -if [ "$JOB_TYPE" = acceptance_tests_common ] -then - ./testall --printlog --tests=common,errorlog - exit -fi - -# WARNING: the following job runs the selected tests as root! -# We are chmod'ing in the end so that code coverage data is readable from user -if [ "$JOB_TYPE" = acceptance_tests_unsafe_serial_network_etc ] -then - ./testall --gainroot=sudo --tests=timed,slow,errorexit,libxml2,libcurl,serial,network,unsafe - exit -fi - -if [ "$JOB_TYPE" = serverd_multi_versions ] -then - cd ../.. - set +e - tests/acceptance/serverd-multi-versions.sh - exit -fi From 59f640f681f68a27ddc19d9c63d31b72ee39af12 Mon Sep 17 00:00:00 2001 From: Alexis Mousset Date: Thu, 31 Aug 2023 17:53:09 +0200 Subject: [PATCH 060/255] Fix RlistEqual comparison on lists of different lengths The original issue that leads to this is the fact that the cache for execresult and execresult_as_data were mixed. This is caused by two separate issues: * The function cache uses the args list as key and discards the function itself. This means different function with the same args are considered identical, and cache is reused. * The args are passed as an Rlist, and the used Rlist comparison ignores the additional items of the longest list when comparing two lists of different lengths, leading to treating execresult and execresult_as_data as identical when using the same command and shell args. This PR only fixes the specific case of execresult, but leaves other function cache issues (e.g. host2ip vs. ip2host could be confused). (cherry picked from commit d5a7372bcef9a63dd53f58bd3951f8392ad21e00) Signed-off-by: Lars Erik Wik --- libpromises/rlist.c | 4 +- .../04_containers/execresult_and_as_data.cf | 41 +++++++++++++++++++ tests/unit/rlist_test.c | 18 ++++++++ 3 files changed, 61 insertions(+), 2 deletions(-) create mode 100644 tests/acceptance/01_vars/04_containers/execresult_and_as_data.cf diff --git a/libpromises/rlist.c b/libpromises/rlist.c index 59f30cae3e..64ea0e6ac4 100644 --- a/libpromises/rlist.c +++ b/libpromises/rlist.c @@ -1657,8 +1657,8 @@ bool RlistEqual(const Rlist *list1, const Rlist *list2) assert(rp1->val.item == NULL && rp2->val.item == NULL); } } - - return true; + // return false if lengths are different + return (rp1 == NULL && rp2 == NULL); } bool RlistEqual_untyped(const void *list1, const void *list2) diff --git a/tests/acceptance/01_vars/04_containers/execresult_and_as_data.cf b/tests/acceptance/01_vars/04_containers/execresult_and_as_data.cf new file mode 100644 index 0000000000..8404a26236 --- /dev/null +++ b/tests/acceptance/01_vars/04_containers/execresult_and_as_data.cf @@ -0,0 +1,41 @@ +####################################################### +# +# Test the ability to call the same command with execresult and execresult_as_data +# +####################################################### + +body common control +{ + inputs => { "../../default.cf.sub" }; + bundlesequence => { default("$(this.promise_filename)") }; + version => "1.0"; +} + +####################################################### + + +bundle agent init +{ +} + +####################################################### + +bundle agent test +{ + vars: + !windows:: + "res1" string => execresult("echo test", "useshell"); + "res2" data => execresult_as_data("echo test", "useshell", "stdout"); + windows:: + "res1" string => execresult("echo test", "powershell"); + "res2" data => execresult_as_data("echo test", "powershell", "stdout"); +} + + +####################################################### + +bundle agent check +{ + methods: + "any" usebundle => dcs_check_strcmp("${test.res1}", "${test.res2[output]}", "$(this.promise_filename)", "no"); +} diff --git a/tests/unit/rlist_test.c b/tests/unit/rlist_test.c index e713368ad9..5064fe08a7 100644 --- a/tests/unit/rlist_test.c +++ b/tests/unit/rlist_test.c @@ -31,6 +31,23 @@ static void test_length(void) RlistDestroy(list); } +static void test_equality(void) +{ + Rlist *list1 = RlistFromSplitString("a,b,c", ','); + Rlist *list2 = RlistFromSplitString("a,b,c", ','); + Rlist *list3 = RlistFromSplitString("z,b,c", ','); + Rlist *list4 = RlistFromSplitString("a,b,c,d", ','); + + assert_true(RlistEqual(list1, list2)); + assert_false(RlistEqual(list1, list3)); + assert_false(RlistEqual(list1, list4)); + + RlistDestroy(list1); + RlistDestroy(list2); + RlistDestroy(list3); + RlistDestroy(list4); +} + static void test_prepend_scalar_idempotent(void) { Rlist *list = NULL; @@ -750,6 +767,7 @@ int main() { unit_test(test_prepend_scalar_idempotent), unit_test(test_length), + unit_test(test_equality), unit_test(test_copy), unit_test(test_rval_to_scalar), unit_test(test_rval_to_scalar2), From 83d0a5578fd70e2429982d640beda5c475dedae5 Mon Sep 17 00:00:00 2001 From: Alexis Mousset Date: Thu, 7 Sep 2023 15:25:18 +0200 Subject: [PATCH 061/255] Added the function name to the result cache key The function cache only used the args values, which in some cases could lead to mixing results from different functions with the same arguments. Ticket: CFE-4244 Changelog: Cashed policy function results now take into account number of arguments and function name. Signed-off-by: Lars Erik Wik Co-authored-by: Alexis Mousset (cherry picked from commit 29e60a9ba05016847c3b601f469bcb5e19147960) Signed-off-by: Lars Erik Wik --- libpromises/eval_context.c | 18 ++++++- .../01_vars/02_functions/cache_name.cf | 51 +++++++++++++++++++ 2 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 tests/acceptance/01_vars/02_functions/cache_name.cf diff --git a/libpromises/eval_context.c b/libpromises/eval_context.c index 4f644ac5dc..0f2bb9985b 100644 --- a/libpromises/eval_context.c +++ b/libpromises/eval_context.c @@ -2837,7 +2837,14 @@ bool EvalContextFunctionCacheGet(const EvalContext *ctx, return false; } - Rval *rval = FuncCacheMapGet(ctx->function_cache, args); + // The cache key is made of the function name and all args values + Rlist *args_copy = RlistCopy(args); + assert(fp != NULL); + assert(fp->name != NULL); + assert(ctx != NULL); + Rlist *key = RlistPrepend(&args_copy, fp->name, RVAL_TYPE_SCALAR); + Rval *rval = FuncCacheMapGet(ctx->function_cache, key); + RlistDestroy(key); if (rval) { if (rval_out) @@ -2863,7 +2870,14 @@ void EvalContextFunctionCachePut(EvalContext *ctx, Rval *rval_copy = xmalloc(sizeof(Rval)); *rval_copy = RvalCopy(*rval); - FuncCacheMapInsert(ctx->function_cache, RlistCopy(args), rval_copy); + + Rlist *args_copy = RlistCopy(args); + assert(fp != NULL); + assert(fp->name != NULL); + assert(ctx != NULL); + Rlist *key = RlistPrepend(&args_copy, fp->name, RVAL_TYPE_SCALAR); + + FuncCacheMapInsert(ctx->function_cache, key, rval_copy); } /* cfPS and associated machinery */ diff --git a/tests/acceptance/01_vars/02_functions/cache_name.cf b/tests/acceptance/01_vars/02_functions/cache_name.cf new file mode 100644 index 0000000000..abbace9238 --- /dev/null +++ b/tests/acceptance/01_vars/02_functions/cache_name.cf @@ -0,0 +1,51 @@ +####################################################### +# +# Test that the function result cache checks function name +# +####################################################### + +body common control +{ + inputs => { "../../default.cf.sub" }; + bundlesequence => { default("$(this.promise_filename)") }; + version => "1.0"; +} + +####################################################### + + +bundle agent init +{ + vars: + "agent_regex" string => ".*cf-agent.*"; +} + +####################################################### + +bundle common test +{ + meta: + "description" -> { "CFE-4244" } + string => "Test that the function result cache checks function name"; + + vars: + "res1" data => findprocesses("${init.agent_regex}"); + + classes: + # must not reuse result from previous line + # is reused, produces a type error + "_pass" expression => processexists("${init.agent_regex}"); +} + + +####################################################### + +bundle agent check +{ + methods: + _pass:: + "pass" usebundle => dcs_pass("$(this.promise_filename)"); + + !_pass:: + "pass" usebundle => dcs_fail("$(this.promise_filename)"); +} From cac8b32b2db22d988a51ed46866448161dff900a Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 14 Sep 2023 14:56:40 +0200 Subject: [PATCH 062/255] Moved asserts to top of EvalContextFunctionCache functions Two reasons for this: 1. CONTRIBUTING.md says to do this at the top 2. the `ctx` argument was actually used before the assert Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit eec977631e9875aa5475aa24d5b276f77ef789a7) --- libpromises/eval_context.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libpromises/eval_context.c b/libpromises/eval_context.c index 0f2bb9985b..de7f1b7d7a 100644 --- a/libpromises/eval_context.c +++ b/libpromises/eval_context.c @@ -2832,6 +2832,10 @@ bool EvalContextFunctionCacheGet(const EvalContext *ctx, const FnCall *fp ARG_UNUSED, const Rlist *args, Rval *rval_out) { + assert(fp != NULL); + assert(fp->name != NULL); + assert(ctx != NULL); + if (!(ctx->eval_options & EVAL_OPTION_CACHE_SYSTEM_FUNCTIONS)) { return false; @@ -2839,9 +2843,6 @@ bool EvalContextFunctionCacheGet(const EvalContext *ctx, // The cache key is made of the function name and all args values Rlist *args_copy = RlistCopy(args); - assert(fp != NULL); - assert(fp->name != NULL); - assert(ctx != NULL); Rlist *key = RlistPrepend(&args_copy, fp->name, RVAL_TYPE_SCALAR); Rval *rval = FuncCacheMapGet(ctx->function_cache, key); RlistDestroy(key); @@ -2863,6 +2864,10 @@ void EvalContextFunctionCachePut(EvalContext *ctx, const FnCall *fp ARG_UNUSED, const Rlist *args, const Rval *rval) { + assert(fp != NULL); + assert(fp->name != NULL); + assert(ctx != NULL); + if (!(ctx->eval_options & EVAL_OPTION_CACHE_SYSTEM_FUNCTIONS)) { return; @@ -2872,9 +2877,6 @@ void EvalContextFunctionCachePut(EvalContext *ctx, *rval_copy = RvalCopy(*rval); Rlist *args_copy = RlistCopy(args); - assert(fp != NULL); - assert(fp->name != NULL); - assert(ctx != NULL); Rlist *key = RlistPrepend(&args_copy, fp->name, RVAL_TYPE_SCALAR); FuncCacheMapInsert(ctx->function_cache, key, rval_copy); From 27876220f01b3d496df3826d02e49a2f8e33ce82 Mon Sep 17 00:00:00 2001 From: Aleksei Shpakovskii Date: Thu, 27 Apr 2023 13:48:05 +0200 Subject: [PATCH 063/255] Amend acceptance tests for testsuite to pass on Windows For now, majority of tests are marked as soft-fail (a failure is expected). Follow-up tasks are created (and linked) to investigate these failures one-by-one. Changelog: none Ticket: ENT-2664 (cherry picked from commit 895c3caefad8d15dcc41a8317738b64e1251c1f7) --- .../00_basics/01_compiler/string_contexts.cf | 4 ++++ .../00_basics/01_compiler/with_iteration.cf | 4 ++++ .../02_switches/dry_run_perms_doesnt_lie.cf | 7 +++++++ .../00_basics/03_bodies/dynamic_inputs_findfiles.cf | 3 --- .../00_basics/03_bodies/dynamic_inputs_maplist.cf | 3 --- ...uts_based_on_list_variable_dependent_on_class.cf | 10 +++++++++- tests/acceptance/00_basics/04_bundles/namespaced.cf | 3 +++ tests/acceptance/00_basics/def.json/bad-json.cf | 8 ++++++-- tests/acceptance/00_basics/def.json/state.cf | 9 +++++++++ tests/acceptance/00_basics/macros/if_triple.cf | 13 +++++++++---- tests/acceptance/01_vars/01_basic/sysvars.cf | 3 +++ tests/acceptance/01_vars/01_basic/this_variables.cf | 3 +++ tests/acceptance/01_vars/02_functions/cf_version.cf | 3 +++ .../acceptance/01_vars/02_functions/data_expand.cf | 3 +++ .../01_vars/02_functions/every_some_none.cf | 3 +++ tests/acceptance/01_vars/02_functions/execresult.cf | 3 +++ .../02_functions/execresult_action_immediate.cf | 2 ++ .../01_vars/02_functions/execresult_select.cf | 2 ++ .../01_vars/02_functions/execresult_stderr.cf | 2 ++ tests/acceptance/01_vars/02_functions/filter.cf | 3 +++ tests/acceptance/01_vars/02_functions/findfiles.cf | 2 +- .../acceptance/01_vars/02_functions/findfiles_up.cf | 2 ++ .../01_vars/02_functions/format_edge_case.cf | 3 +++ tests/acceptance/01_vars/02_functions/getindices.cf | 3 +++ .../getindices_returns_expected_list_from_array.cf | 4 ++-- ...ices_returns_expected_list_from_datacontainer.cf | 4 ++-- tests/acceptance/01_vars/02_functions/gettags.cf | 4 ++++ .../acceptance/01_vars/02_functions/getuserinfo.cf | 3 +++ tests/acceptance/01_vars/02_functions/getvalues.cf | 4 ++++ .../01_vars/02_functions/getvalues_containers.cf | 4 ++++ ...for_given_datacontainer_index_merging_strings.cf | 4 ++++ tests/acceptance/01_vars/02_functions/ifelse.cf | 4 ++++ .../01_vars/02_functions/ifelse_isvariable.cf | 2 ++ .../acceptance/01_vars/02_functions/inline_json.cf | 4 ++++ tests/acceptance/01_vars/02_functions/join.cf | 4 ++++ tests/acceptance/01_vars/02_functions/length.cf | 4 ++++ tests/acceptance/01_vars/02_functions/maparray.cf | 4 ++++ .../01_vars/02_functions/maparray_multi_index.cf | 4 ++++ tests/acceptance/01_vars/02_functions/maplist.cf | 4 ++++ .../01_vars/02_functions/mergedata-json-strings.cf | 2 ++ .../01_vars/02_functions/network/url_get.cf | 2 ++ .../01_vars/02_functions/nth_datacontainer.cf | 5 ++++- tests/acceptance/01_vars/02_functions/readdata.cf | 4 ++++ .../01_vars/02_functions/readdata_yaml.cf | 4 ++++ .../01_vars/02_functions/regex_replace.cf | 4 ++++ tests/acceptance/01_vars/02_functions/reverse.cf | 4 ++++ .../setop_unique_difference_intersection.cf | 3 +++ .../01_vars/02_functions/shuffle-exact.cf | 4 ++-- tests/acceptance/01_vars/02_functions/sort.cf | 4 +++- tests/acceptance/01_vars/02_functions/storejson.cf | 3 +++ .../01_vars/02_functions/storejson_edge_case.cf | 3 +++ tests/acceptance/01_vars/02_functions/strftime.cf | 4 ++++ .../01_vars/02_functions/string_mustache.cf | 4 ++++ .../01_vars/02_functions/string_replace.cf | 4 ++++ .../acceptance/01_vars/02_functions/string_trim.cf | 4 ++++ tests/acceptance/01_vars/02_functions/sublist.cf | 4 ++++ .../01_vars/02_functions/sum_and_product.cf | 4 ++++ tests/acceptance/01_vars/02_functions/text_xform.cf | 4 ++++ tests/acceptance/01_vars/02_functions/type.cf | 2 ++ .../01_vars/02_functions/url_get_local.cf | 2 ++ tests/acceptance/01_vars/02_functions/validdata.cf | 4 ++++ .../02_functions/validjson_trailing_bogus_data.cf | 2 ++ .../01_vars/02_functions/variablesmatching.cf | 4 ++++ .../01_vars/02_functions/wrap_container_fncalls.cf | 4 ++++ .../acceptance/01_vars/04_containers/inline_json.cf | 4 ++++ .../acceptance/01_vars/04_containers/inline_yaml.cf | 4 ++++ .../04_containers/iterate_over_data_array.cf | 2 ++ .../01_vars/deep_delayed_expansion/main.cf | 2 ++ .../02_classes/01_basic/from_json_booleans.cf | 4 ++++ .../01_basic/variable_class_expressions_with_if.cf | 2 +- tests/acceptance/02_classes/02_functions/iprange.cf | 4 ++++ .../02_classes/02_functions/isipinsubnet.cf | 4 ++++ tests/acceptance/02_classes/03_os/powershell.cf | 3 +++ .../01_matching/inverse_ttime_inverse_found.cf | 3 --- tests/acceptance/05_processes/01_matching/owner.cf | 4 ++++ .../01_matching/process_select_fncalls.cf | 3 +++ .../05_processes/01_matching/timed/stime.cf | 2 ++ tests/acceptance/05_processes/process_stop.cf | 2 ++ tests/acceptance/07_packages/001.cf | 4 ++++ tests/acceptance/07_packages/002.cf | 4 ++++ tests/acceptance/07_packages/003.cf | 4 ++++ tests/acceptance/07_packages/004.cf | 4 ++++ tests/acceptance/07_packages/005.cf | 4 ++++ tests/acceptance/07_packages/006.cf | 4 ++++ .../07_packages/package_module_interpreter.cf | 4 +++- tests/acceptance/07_packages/package_module_path.cf | 2 ++ .../01_modules/module-array-allows-at.cf | 2 ++ .../01_modules/module-array-allows-slash.cf | 2 ++ .../08_commands/01_modules/module-array-indexing.cf | 3 --- .../08_commands/01_modules/module_file_test.cf | 2 ++ .../08_commands/01_modules/set-persistent-class.cf | 7 +++++++ tests/acceptance/08_commands/01_modules/set-tags.cf | 3 +++ ...from-module-have-source-and-derived_from-tags.cf | 3 ++- tests/acceptance/08_commands/02_syntax/arglist.cf | 3 +++ .../acceptance/08_commands/03_shells/shelltypes.cf | 3 +++ tests/acceptance/09_services/outcomes.cf | 4 ++++ tests/acceptance/09_services/reload.cf | 2 +- tests/acceptance/09_services/restart.cf | 2 +- .../09_services/service_cannot_be_resolved.cf | 2 +- .../standard_services-from-non-default-namespace.cf | 3 +++ tests/acceptance/09_services/start.cf | 2 +- tests/acceptance/09_services/stop.cf | 2 +- .../01_create/cfengine_create_by_default.cf | 3 +++ tests/acceptance/10_files/01_create/perms-mode.cf | 4 ++++ tests/acceptance/10_files/02_maintain/016.cf | 4 ++++ .../10_files/02_maintain/changes_depth_search.cf | 4 ++++ .../02_maintain/changes_depth_search_last_file.cf | 4 ++++ .../10_files/02_maintain/changes_update_hashes.cf | 4 ++++ tests/acceptance/10_files/02_maintain/fifos.cf | 6 +++--- tests/acceptance/10_files/04_match/match_scope.cf | 4 ++++ .../10_files/08_field_edits/file_content.cf | 4 ++++ .../09_insert_lines/block_insert_duplicate.cf | 4 ++++ .../10_files/09_insert_lines/crlf-in-cftemplate.cf | 4 ++++ .../crlf-in-edit_line-insert-file.cf | 4 ++++ .../10_files/09_insert_lines/crlf-in-edit_line.cf | 4 ++++ .../10_files/09_insert_lines/crlf-in-mustache.cf | 4 ++++ .../10_files/09_insert_lines/insert-large-lines.cf | 3 +++ .../10_files/11_xml_edits/build_xpath_001.cf | 4 ++++ .../10_files/11_xml_edits/build_xpath_002.cf | 4 ++++ .../10_files/11_xml_edits/build_xpath_003.cf | 4 ++++ .../10_files/11_xml_edits/delete_attribute_001.cf | 4 ++++ .../10_files/11_xml_edits/delete_attribute_002.cf | 4 ++++ .../10_files/11_xml_edits/delete_text_001.cf | 4 ++++ .../10_files/11_xml_edits/delete_text_002.cf | 4 ++++ .../10_files/11_xml_edits/delete_tree_001.cf | 4 ++++ .../10_files/11_xml_edits/delete_tree_002.cf | 4 ++++ .../10_files/11_xml_edits/insert_host_example.cf | 4 ++++ .../10_files/11_xml_edits/insert_text_001.cf | 4 ++++ .../10_files/11_xml_edits/insert_text_002.cf | 4 ++++ .../10_files/11_xml_edits/insert_tree_001.cf | 4 ++++ .../10_files/11_xml_edits/insert_tree_003.cf | 4 ++++ .../10_files/11_xml_edits/set_attribute_001.cf | 4 ++++ .../10_files/11_xml_edits/set_attribute_002.cf | 4 ++++ .../10_files/11_xml_edits/set_attribute_003.cf | 4 ++++ .../10_files/11_xml_edits/set_text_001.cf | 4 ++++ .../10_files/11_xml_edits/set_text_002.cf | 4 ++++ ...ng_symlinks_does_not_constantly_report_change.cf | 2 +- .../acceptance/10_files/copy_from_preserve_false.cf | 3 +++ tests/acceptance/10_files/files_with_spaces.cf | 4 ---- ...e_missing_variable_is_empty_string_by_default.cf | 4 ++++ .../mustache_render_multiline_template_data.cf | 4 ++++ ...tache_edit_template_string_vs_string_mustache.cf | 3 +++ .../templating/mustache_expect_list_find_string.cf | 4 ++++ .../templating/mustache_top_level_iteration.cf | 4 ++++ tests/acceptance/10_files/this_promiser.cf | 5 ++++- .../14_reports/00_output/unresolved_vars.cf | 3 +++ .../14_reports/00_output/unresolved_with.cf | 3 +++ tests/acceptance/16_cf-serverd/serial/007.cf | 4 ++++ tests/acceptance/16_cf-serverd/serial/008.cf | 4 ++++ tests/acceptance/16_cf-serverd/serial/010.cf | 4 ++++ tests/acceptance/16_cf-serverd/serial/011.cf | 4 ++++ .../serial/copy_from_ciphers_success.cf | 4 ++++ .../serial/copy_from_digest_different.cf | 4 ++++ .../serial/copy_from_digest_different_expand_ip.cf | 4 ++++ ..._from_digest_different_expand_ip_and_shortcut.cf | 3 +++ .../copy_from_digest_different_expand_shortcut.cf | 4 ++++ .../copy_from_encrypted_md5_zero_length_file.cf | 4 ++++ .../serial/copy_from_expand_ip_directory.cf | 4 ++++ ...stent_file_connection_closed-classic_protocol.cf | 4 ++++ .../copy_from_inexistent_file_connection_closed.cf | 4 ++++ .../serial/copy_from_md5_zero_length_file.cf | 4 ++++ .../16_cf-serverd/serial/copy_from_tls_1_3_fail.cf | 3 +++ .../serial/copy_from_tls_1_3_success.cf | 2 ++ .../16_cf-serverd/serial/copy_missing_ok.cf | 4 ++++ ...bundles_all_allowed_regex_disallowed_admitted.cf | 3 +++ .../serial/cfruncommand_argv0_quoted.cf | 3 +++ .../22_cf-runagent/serial/cfruncommand_open.cf | 3 +++ .../serial/runagent_-B_bundle1_admitted_1.cf | 3 +++ .../runagent_-B_bundle1_bundle2_admitted_1.cf | 3 +++ .../serial/runagent_-B_bundle2_admitted.cf | 3 +++ ...runagent_-D_ns1_role2_-B_ns2_bundle2_admitted.cf | 3 +++ .../runagent_-D_role1-B_bundle1_admitted_1.cf | 3 +++ .../serial/runagent_-D_role1_-D_role2_admitted.cf | 3 +++ .../serial/runagent_-D_role1_admitted_1.cf | 3 +++ .../serial/runagent_-D_role1_admitted_2.cf | 3 +++ .../serial/runagent_-D_role1_admitted_3.cf | 3 +++ .../serial/runagent_-D_role1_role2_admitted_1.cf | 3 +++ .../serial/runagent_-D_role1_role2_admitted_2.cf | 3 +++ .../serial/runagent_-D_role2_-B_bundle2_admitted.cf | 3 +++ .../serial/runagent_-D_role2_admitted_1.cf | 3 +++ .../serial/runagent_-D_role2_admitted_2.cf | 3 +++ .../24_cmd_line_arguments/parsed_policy.cf | 3 +++ .../25_cf-execd/mail_1st_run_empty_new_log.cf | 7 +++++++ .../25_cf-execd/mail_empty_old_and_new_log.cf | 7 +++++++ tests/acceptance/25_cf-execd/mail_exclude_filter.cf | 7 +++++++ .../25_cf-execd/mail_include_and_exclude_filters.cf | 7 +++++++ tests/acceptance/25_cf-execd/mail_include_filter.cf | 7 +++++++ tests/acceptance/25_cf-execd/mail_no_filter.cf | 7 +++++++ .../mailfilter_1st_run_everything_filtered.cf | 7 +++++++ .../mailfilter_empty_old_log_everything_filtered.cf | 7 +++++++ tests/acceptance/25_cf-execd/slow/dies_in_time.cf | 4 ++++ .../25_cf-execd/timed/mailfilter_repeated_runs.cf | 7 +++++++ tests/acceptance/26_cf-net/serial/cf-net_connect.cf | 2 ++ tests/acceptance/26_cf-net/serial/cf-net_get.cf | 3 +++ tests/acceptance/26_cf-net/serial/cf-net_help.cf | 2 ++ tests/acceptance/26_cf-net/serial/cf-net_stat.cf | 2 ++ .../acceptance/26_cf-net/serial/cf-net_stat_deny.cf | 2 ++ .../acceptance/26_cf-net/serial/cf-net_stat_dir.cf | 2 ++ tests/acceptance/27_cf-secret/decrypt.cf | 2 ++ .../acceptance/27_cf-secret/encrypt-decrypt-args.cf | 2 ++ tests/acceptance/27_cf-secret/encrypt-decrypt.cf | 2 ++ tests/acceptance/27_cf-secret/encrypt-no-key.cf | 3 +++ tests/acceptance/28_inform_testing/common.cf.sub | 4 ++++ tests/acceptance/29_simulate_mode/diff_mode.cf | 5 +++-- .../29_simulate_mode/manifest_full_mode.cf | 5 +++-- tests/acceptance/29_simulate_mode/manifest_mode.cf | 5 +++-- .../30_custom_promise_types/01_basic_module.cf | 3 +++ tests/acceptance/30_custom_promise_types/02_if.cf | 2 ++ .../30_custom_promise_types/05_meta_attr.cf | 2 ++ .../acceptance/30_custom_promise_types/11_unless.cf | 2 ++ .../30_custom_promise_types/12_multiple_promises.cf | 2 ++ .../30_custom_promise_types/13_binary_path.cf | 3 +++ .../14_multiple_promise_types_same_module.cf | 2 ++ .../15_conflicting_interpreters.cf | 2 ++ .../30_custom_promise_types/22_what_module_gets.cf | 2 ++ .../22_what_module_gets.cf.expected | 4 ++-- .../23_action_policy/dryrun_supported.cf | 2 ++ .../23_action_policy/dryrun_unsupported.cf | 2 ++ .../explicit_warn_fake_supported.cf | 2 ++ .../23_action_policy/explicit_warn_supported.cf | 2 ++ .../23_action_policy/explicit_warn_unsupported.cf | 2 ++ .../23_action_policy/simulate_supported.cf | 2 ++ .../23_action_policy/simulate_unsupported.cf | 2 ++ tests/acceptance/dcs.cf.sub | 13 +++++-------- tests/acceptance/testall | 9 ++++++++- tests/acceptance/tool_wrappers/template.bat | 5 ++--- 226 files changed, 765 insertions(+), 65 deletions(-) diff --git a/tests/acceptance/00_basics/01_compiler/string_contexts.cf b/tests/acceptance/00_basics/01_compiler/string_contexts.cf index 835fd8f3f6..980cf7ab04 100644 --- a/tests/acceptance/00_basics/01_compiler/string_contexts.cf +++ b/tests/acceptance/00_basics/01_compiler/string_contexts.cf @@ -12,6 +12,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + defaults: "s1" string => "1"; "s2" string => "2"; diff --git a/tests/acceptance/00_basics/01_compiler/with_iteration.cf b/tests/acceptance/00_basics/01_compiler/with_iteration.cf index 9ea16ee9a0..3b7a903a4a 100644 --- a/tests/acceptance/00_basics/01_compiler/with_iteration.cf +++ b/tests/acceptance/00_basics/01_compiler/with_iteration.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "probe" string => "0"; "iter" slist => { "1", "2", "3" }; diff --git a/tests/acceptance/00_basics/02_switches/dry_run_perms_doesnt_lie.cf b/tests/acceptance/00_basics/02_switches/dry_run_perms_doesnt_lie.cf index 3b7c5aa3bb..6755819227 100644 --- a/tests/acceptance/00_basics/02_switches/dry_run_perms_doesnt_lie.cf +++ b/tests/acceptance/00_basics/02_switches/dry_run_perms_doesnt_lie.cf @@ -19,6 +19,13 @@ bundle agent init running with dry-run."; } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/00_basics/03_bodies/dynamic_inputs_findfiles.cf b/tests/acceptance/00_basics/03_bodies/dynamic_inputs_findfiles.cf index 0b3cb8f34e..753e93cec3 100644 --- a/tests/acceptance/00_basics/03_bodies/dynamic_inputs_findfiles.cf +++ b/tests/acceptance/00_basics/03_bodies/dynamic_inputs_findfiles.cf @@ -36,9 +36,6 @@ bundle agent init bundle agent test { - meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4730" }; } bundle agent check diff --git a/tests/acceptance/00_basics/03_bodies/dynamic_inputs_maplist.cf b/tests/acceptance/00_basics/03_bodies/dynamic_inputs_maplist.cf index d35bf53646..f41108d1e6 100644 --- a/tests/acceptance/00_basics/03_bodies/dynamic_inputs_maplist.cf +++ b/tests/acceptance/00_basics/03_bodies/dynamic_inputs_maplist.cf @@ -37,9 +37,6 @@ bundle agent init bundle agent test { - meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4730" }; } bundle agent check diff --git a/tests/acceptance/00_basics/04_bundles/dynamic_bundlesequence/dynamic_inputs_based_on_list_variable_dependent_on_class.cf b/tests/acceptance/00_basics/04_bundles/dynamic_bundlesequence/dynamic_inputs_based_on_list_variable_dependent_on_class.cf index d0ddd43db4..24a5516ed8 100644 --- a/tests/acceptance/00_basics/04_bundles/dynamic_bundlesequence/dynamic_inputs_based_on_list_variable_dependent_on_class.cf +++ b/tests/acceptance/00_basics/04_bundles/dynamic_bundlesequence/dynamic_inputs_based_on_list_variable_dependent_on_class.cf @@ -13,9 +13,11 @@ bundle common inventory !this_is_true:: "inputs" slist => { }; "bundles" slist => { "bad" }; - this_is_true:: + this_is_true.!windows:: "inputs" slist => { "$(this.promise_filename).sub" }; "bundles" slist => { "good" }; + windows:: + "bundles" slist => { "skip" }; } bundle agent bad @@ -23,3 +25,9 @@ bundle agent bad reports: "$(this.promise_filename) FAIL"; } + +bundle agent skip +{ + reports: + "$(this.promise_filename) Skip/unsupported"; +} diff --git a/tests/acceptance/00_basics/04_bundles/namespaced.cf b/tests/acceptance/00_basics/04_bundles/namespaced.cf index cc79f0eb34..6a10660840 100644 --- a/tests/acceptance/00_basics/04_bundles/namespaced.cf +++ b/tests/acceptance/00_basics/04_bundles/namespaced.cf @@ -16,6 +16,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; } bundle agent check diff --git a/tests/acceptance/00_basics/def.json/bad-json.cf b/tests/acceptance/00_basics/def.json/bad-json.cf index f89435572c..2eb0c23bf9 100644 --- a/tests/acceptance/00_basics/def.json/bad-json.cf +++ b/tests/acceptance/00_basics/def.json/bad-json.cf @@ -10,8 +10,12 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + methods: - "" usebundle => file_copy("$(this.promise_filename).json", "$(sys.inputdir)/def.json"); + "" usebundle => file_copy("$(this.promise_filename).json", "$(sys.inputdir)$(const.dirsep)def.json"); } ####################################################### @@ -22,5 +26,5 @@ bundle agent check "command" string => "$(sys.cf_promises) -v|$(G.grep) JSON"; methods: - "" usebundle => dcs_passif_output(".*Could not parse JSON file $(sys.inputdir)/def.json.*", "", $(command), $(this.promise_filename)); + "" usebundle => dcs_passif_output(".*Could not parse JSON file $(sys.inputdir)$(const.dirsep)def.json.*", "", $(command), $(this.promise_filename)); } diff --git a/tests/acceptance/00_basics/def.json/state.cf b/tests/acceptance/00_basics/def.json/state.cf index d7eeeccab1..e2a33b1396 100644 --- a/tests/acceptance/00_basics/def.json/state.cf +++ b/tests/acceptance/00_basics/def.json/state.cf @@ -8,6 +8,15 @@ body common control ####################################################### +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; +} + +####################################################### + bundle agent check { methods: diff --git a/tests/acceptance/00_basics/macros/if_triple.cf b/tests/acceptance/00_basics/macros/if_triple.cf index 9577f54a99..0d4a252e61 100644 --- a/tests/acceptance/00_basics/macros/if_triple.cf +++ b/tests/acceptance/00_basics/macros/if_triple.cf @@ -1,7 +1,6 @@ ###################################################### # # Test that @if works with patch level -# ##################################################### body common control @@ -13,7 +12,7 @@ body common control bundle agent init { files: - "$(G.testdir)/test.cf" + "$(G.testdir)$(const.dirsep)test.cf" create => "true", edit_template => "$(this.promise_filename).sub.template", template_method => "mustache"; @@ -22,9 +21,15 @@ bundle agent init bundle agent check { methods: - "check" usebundle => dcs_passif_output(".*$(G.testdir)/test.cf Pass.*", + # Note: dcs_passif_output expects first argument to be regexp. + # To convert Windows-style path (with backslashes) to a regex which will match this path, + # we need to convert all backslashes to double-backslashes. + # In the command below, each backslash is escaped twice: + # once for regex, and once for CFEngine string parser. + "check" usebundle => dcs_passif_output(regex_replace(".*$(G.testdir)$(const.dirsep)test.cf Pass.*", + "\\\\", "\\\\\\\\", "g"), ".*FAIL.*", - "$(sys.cf_agent) -D AUTO -Kf $(G.testdir)/test.cf", + "$(sys.cf_agent) -D AUTO -Kf $(G.testdir)$(const.dirsep)test.cf", $(this.promise_filename)); } diff --git a/tests/acceptance/01_vars/01_basic/sysvars.cf b/tests/acceptance/01_vars/01_basic/sysvars.cf index 0062b8ec5d..4758b01c3c 100644 --- a/tests/acceptance/01_vars/01_basic/sysvars.cf +++ b/tests/acceptance/01_vars/01_basic/sysvars.cf @@ -32,6 +32,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; } ####################################################### diff --git a/tests/acceptance/01_vars/01_basic/this_variables.cf b/tests/acceptance/01_vars/01_basic/this_variables.cf index d24a4cebab..fe30882040 100644 --- a/tests/acceptance/01_vars/01_basic/this_variables.cf +++ b/tests/acceptance/01_vars/01_basic/this_variables.cf @@ -18,6 +18,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "var" slist => { "var in test" }; "var_test" slist => { "var_test in test" }; diff --git a/tests/acceptance/01_vars/02_functions/cf_version.cf b/tests/acceptance/01_vars/02_functions/cf_version.cf index 242f2070ad..dd4a9e86d0 100644 --- a/tests/acceptance/01_vars/02_functions/cf_version.cf +++ b/tests/acceptance/01_vars/02_functions/cf_version.cf @@ -15,6 +15,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "after_newer" string => "yes", if => cf_version_after("1.0.0"); diff --git a/tests/acceptance/01_vars/02_functions/data_expand.cf b/tests/acceptance/01_vars/02_functions/data_expand.cf index 3d45a407a5..c211a579f2 100644 --- a/tests/acceptance/01_vars/02_functions/data_expand.cf +++ b/tests/acceptance/01_vars/02_functions/data_expand.cf @@ -15,6 +15,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "x" string => "foo"; "y" int => "200"; diff --git a/tests/acceptance/01_vars/02_functions/every_some_none.cf b/tests/acceptance/01_vars/02_functions/every_some_none.cf index 9e75f1c470..d8938e5752 100644 --- a/tests/acceptance/01_vars/02_functions/every_some_none.cf +++ b/tests/acceptance/01_vars/02_functions/every_some_none.cf @@ -15,6 +15,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; methods: "pretest"; "collect"; diff --git a/tests/acceptance/01_vars/02_functions/execresult.cf b/tests/acceptance/01_vars/02_functions/execresult.cf index abe2e965ea..d4a64917fd 100644 --- a/tests/acceptance/01_vars/02_functions/execresult.cf +++ b/tests/acceptance/01_vars/02_functions/execresult.cf @@ -29,6 +29,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "dummy" string => "dummy"; } diff --git a/tests/acceptance/01_vars/02_functions/execresult_action_immediate.cf b/tests/acceptance/01_vars/02_functions/execresult_action_immediate.cf index f273355efa..91a4301b44 100644 --- a/tests/acceptance/01_vars/02_functions/execresult_action_immediate.cf +++ b/tests/acceptance/01_vars/02_functions/execresult_action_immediate.cf @@ -26,6 +26,8 @@ bundle agent test meta: "description" -> {"ENT-7478"} string => "If 'ifelapsed => 0' is used, execresult() should run the given command every time"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; methods: "foo" usebundle => check_date("foo"); diff --git a/tests/acceptance/01_vars/02_functions/execresult_select.cf b/tests/acceptance/01_vars/02_functions/execresult_select.cf index c1f0566693..4f3edda5a2 100644 --- a/tests/acceptance/01_vars/02_functions/execresult_select.cf +++ b/tests/acceptance/01_vars/02_functions/execresult_select.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3108" } string => "Test that you can select stderr/stdout in execresult"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "result_with_stdout_stderr" diff --git a/tests/acceptance/01_vars/02_functions/execresult_stderr.cf b/tests/acceptance/01_vars/02_functions/execresult_stderr.cf index 42a3675a26..d006607268 100644 --- a/tests/acceptance/01_vars/02_functions/execresult_stderr.cf +++ b/tests/acceptance/01_vars/02_functions/execresult_stderr.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3103" } string => "Test that execresult captures both stdout and stderr"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "result_with_stdout_stderr" diff --git a/tests/acceptance/01_vars/02_functions/filter.cf b/tests/acceptance/01_vars/02_functions/filter.cf index 541f14a536..5770348349 100644 --- a/tests/acceptance/01_vars/02_functions/filter.cf +++ b/tests/acceptance/01_vars/02_functions/filter.cf @@ -15,6 +15,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "tests" slist => { "fgrep09", "exact1", "exactdot", "regexdot", "invert", "max2", "max0", "grep09" }; "lists" slist => { "s1", "d1", "d2", "dempty" }; diff --git a/tests/acceptance/01_vars/02_functions/findfiles.cf b/tests/acceptance/01_vars/02_functions/findfiles.cf index 585f34aba1..749caf0864 100644 --- a/tests/acceptance/01_vars/02_functions/findfiles.cf +++ b/tests/acceptance/01_vars/02_functions/findfiles.cf @@ -41,7 +41,7 @@ bundle agent test { meta: "test_suppress_fail" string => "windows", - meta => { "redmine4730" }; + meta => { "redmine4730,ENT-2145" }; vars: "patterns[a]" string => "$(G.testdir)/?"; diff --git a/tests/acceptance/01_vars/02_functions/findfiles_up.cf b/tests/acceptance/01_vars/02_functions/findfiles_up.cf index 269b8a3e04..c89b8dc18d 100755 --- a/tests/acceptance/01_vars/02_functions/findfiles_up.cf +++ b/tests/acceptance/01_vars/02_functions/findfiles_up.cf @@ -78,6 +78,8 @@ bundle agent test meta: "description" -> { "CFE-3577" } string => "Test for expected results from policy function search_up"; + "test_skip_needs_work" string => "windows", + meta => { "ENT-10250" }; methods: "Test 0" diff --git a/tests/acceptance/01_vars/02_functions/format_edge_case.cf b/tests/acceptance/01_vars/02_functions/format_edge_case.cf index 818ae3168f..6a8bbebc75 100644 --- a/tests/acceptance/01_vars/02_functions/format_edge_case.cf +++ b/tests/acceptance/01_vars/02_functions/format_edge_case.cf @@ -12,6 +12,9 @@ body common control ########################################################## bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "str" string => format('%s', 'Hello, everyone! This is the LONGEST TEXT EVER! I was inspired by the various other longest texts ever on the internet, and I wanted to make my own. So here it is! This is going to be a WORLD RECORD! This is actually my third attempt at doing this. The first time, I didnt save it. The second time, the Neocities editor crashed. Now Im writing this in Notepad, then copying it into the Neocities editor instead of typing it directly in the Neocities editor to avoid crashing. It sucks that my past two attempts are gone now. Those actually got pretty long. Not the longest, but still pretty long. I hope this one wont get lost somehow. Anyways, lets talk about WAFFLES! I like waffles. Waffles are cool. Waffles is a funny word. Theres a Teen Titans Go episode called Waffles where the word Waffles is said a hundred-something times. Its pretty annoying. Theres also a Teen Titans Go episode about Pig Latin. Dont know what Pig Latin is? Its a language where you take all the consonants before the first vowel, move them to the end, and add -ay to the end. If the word begins with a vowel, you just add -way to the end. For example, Waffles becomes Afflesway. Ive been speaking Pig Latin fluently since the fourth grade, so it surprised me when I saw the episode for the first time. I speak Pig Latin with my sister sometimes. Its pretty fun. I like speaking it in public so that everyone around us gets confused. Thats never actually happened before, but if it ever does, twill be pretty funny. By the way, twill is a word I invented recently, and its a contraction of it will. I really hope it gains popularity in the near future, because twill is WAY more fun than saying itll. Itll is too boring. Nobody likes boring. This is nowhere near being the longest text ever, but eventually it will be! I might still be writing this a decade later, who knows? But right now, its not very long. But Ill just keep writing until it is the longest! Have you ever heard the song Dau Dau by Awesome Scampis? Its an amazing song. Look it up on YouTube! I play that song all the time around my sister! It drives her crazy, and I love it. Another way I like driving my sister crazy is by speaking my own made up language to her. She hates the languages I make! The only language that we both speak besides English is Pig Latin. I think you already knew that. Whatever. I think Im gonna go for now. Bye! Hi, Im back now. Im gonna contribute more to this soon-to-be giant wall of text. I just realised I have a giant stuffed frog on my bed. I forgot his name. Im pretty sure it was something stupid though. I think it was FROG in Morse Code or something. Morse Code is cool. I know a bit of it, but Im not very good at it. Im also not very good at French. I barely know anything in French, and my pronunciation probably sucks. But Im learning it, at least. Im also learning Esperanto. Its this language that was made up by some guy a long time ago to be the universal language. A lot of people speak it. I am such a language nerd. Half of this text is probably gonna be about languages. But hey, as long as its long! Ha, get it? As LONG as its LONG? Im so funny, right? No, Im not. I should probably get some sleep. Goodnight! Hello, Im back again. I basically have only two interests nowadays: languages and furries. What? Oh, sorry, I thought you knew I was a furry. Haha, oops. Anyway, yeah, Im a furry, but since Im a young furry, I cant really do as much as I would like to do in the fandom. When Im older, I would like to have a fursuit, go to furry conventions, all that stuff. But for now I can only dream of that. Sorry you had to deal with me talking about furries, but Im honestly very desperate for this to be the longest text ever. Last night I was watching nothing but fursuit unboxings. I think I need help. This one time, me and my mom were going to go to a furry Christmas party, but we didnt end up going because of the fact that there was alcohol on the premises, and that she didnt wanna have to be a mom dragging her son through a crowd of furries. Both of those reasons were understandable. Okay, hopefully I wont have to talk about furries anymore. I dont care if youre a furry reading this right now, I just dont wanna have to torture everyone else.'); "list" slist => { $(str) }; diff --git a/tests/acceptance/01_vars/02_functions/getindices.cf b/tests/acceptance/01_vars/02_functions/getindices.cf index f682f5d1f8..6c24c3b8be 100644 --- a/tests/acceptance/01_vars/02_functions/getindices.cf +++ b/tests/acceptance/01_vars/02_functions/getindices.cf @@ -38,6 +38,9 @@ bundle common b bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "user[name]" string => "zamboni"; "user[fullname][first]" string => "Diego"; diff --git a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf index 01e0561ec1..3e216bc491 100644 --- a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf +++ b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf @@ -38,8 +38,8 @@ bundle agent init bundle agent test { meta: - "test_soft_fail" string => "!any", - meta => { "redmine7116" }; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "values_data_1" slist => getindices("init.data[bar]"); diff --git a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf index 677b5a2d35..729f360b31 100644 --- a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf +++ b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf @@ -31,8 +31,8 @@ bundle agent init bundle agent test { meta: - "test_soft_fail" string => "!any", - meta => { "redmine7116" }; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: # expected: one, two diff --git a/tests/acceptance/01_vars/02_functions/gettags.cf b/tests/acceptance/01_vars/02_functions/gettags.cf index c7eeb3546e..c7c2df54b6 100644 --- a/tests/acceptance/01_vars/02_functions/gettags.cf +++ b/tests/acceptance/01_vars/02_functions/gettags.cf @@ -25,6 +25,10 @@ bundle common init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "tags1" slist => getclassmetatags("myclass"); "tags2" slist => getclassmetatags("myplainclass"); diff --git a/tests/acceptance/01_vars/02_functions/getuserinfo.cf b/tests/acceptance/01_vars/02_functions/getuserinfo.cf index 36c1d55308..829610105e 100644 --- a/tests/acceptance/01_vars/02_functions/getuserinfo.cf +++ b/tests/acceptance/01_vars/02_functions/getuserinfo.cf @@ -13,6 +13,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: # this is pretty much all we can test across platforms "info_root" string => nth(getuserinfo("root"), "username"); diff --git a/tests/acceptance/01_vars/02_functions/getvalues.cf b/tests/acceptance/01_vars/02_functions/getvalues.cf index 9087b7fbea..88909082c0 100644 --- a/tests/acceptance/01_vars/02_functions/getvalues.cf +++ b/tests/acceptance/01_vars/02_functions/getvalues.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "user[name]" string => "zamboni"; "user[fullname][first]" string => "Diego"; diff --git a/tests/acceptance/01_vars/02_functions/getvalues_containers.cf b/tests/acceptance/01_vars/02_functions/getvalues_containers.cf index c47506e79d..ac67a69aa5 100644 --- a/tests/acceptance/01_vars/02_functions/getvalues_containers.cf +++ b/tests/acceptance/01_vars/02_functions/getvalues_containers.cf @@ -15,6 +15,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "arr_v" slist => getvalues("init.arr"); diff --git a/tests/acceptance/01_vars/02_functions/getvalues_returns_all_values_for_given_datacontainer_index_merging_strings.cf b/tests/acceptance/01_vars/02_functions/getvalues_returns_all_values_for_given_datacontainer_index_merging_strings.cf index 25822c688d..44c7030ba9 100644 --- a/tests/acceptance/01_vars/02_functions/getvalues_returns_all_values_for_given_datacontainer_index_merging_strings.cf +++ b/tests/acceptance/01_vars/02_functions/getvalues_returns_all_values_for_given_datacontainer_index_merging_strings.cf @@ -37,6 +37,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "values_data" slist => getvalues("init.data"); "values_data2" slist => getvalues("init.data2"); diff --git a/tests/acceptance/01_vars/02_functions/ifelse.cf b/tests/acceptance/01_vars/02_functions/ifelse.cf index e33851efc3..6675c84872 100644 --- a/tests/acceptance/01_vars/02_functions/ifelse.cf +++ b/tests/acceptance/01_vars/02_functions/ifelse.cf @@ -23,6 +23,10 @@ bundle common init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + classes: "myclass2" expression => "any"; vars: diff --git a/tests/acceptance/01_vars/02_functions/ifelse_isvariable.cf b/tests/acceptance/01_vars/02_functions/ifelse_isvariable.cf index f1eddae20f..4ac101dec6 100644 --- a/tests/acceptance/01_vars/02_functions/ifelse_isvariable.cf +++ b/tests/acceptance/01_vars/02_functions/ifelse_isvariable.cf @@ -17,6 +17,8 @@ bundle agent test meta: "description" string => "Test that ifelse can use the result of isvariable as a class identifer"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: # Since init.passwd_file is defined, I expect the value to be diff --git a/tests/acceptance/01_vars/02_functions/inline_json.cf b/tests/acceptance/01_vars/02_functions/inline_json.cf index 0d27f9e642..ce1a8d9cd4 100644 --- a/tests/acceptance/01_vars/02_functions/inline_json.cf +++ b/tests/acceptance/01_vars/02_functions/inline_json.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "z" string => "100"; "foo" string => "bar"; diff --git a/tests/acceptance/01_vars/02_functions/join.cf b/tests/acceptance/01_vars/02_functions/join.cf index 964fcee246..a3ad4c833a 100644 --- a/tests/acceptance/01_vars/02_functions/join.cf +++ b/tests/acceptance/01_vars/02_functions/join.cf @@ -15,6 +15,10 @@ body common control bundle agent init { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "a" slist => { "b", "c", "a" }; "b" slist => { "100", "9", "10" }; diff --git a/tests/acceptance/01_vars/02_functions/length.cf b/tests/acceptance/01_vars/02_functions/length.cf index 7c50f21627..d7d093ad33 100644 --- a/tests/acceptance/01_vars/02_functions/length.cf +++ b/tests/acceptance/01_vars/02_functions/length.cf @@ -21,6 +21,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "normal_list" slist => { "b", "c", "a" }; # 3 "empty_list" slist => { }; # 0 diff --git a/tests/acceptance/01_vars/02_functions/maparray.cf b/tests/acceptance/01_vars/02_functions/maparray.cf index 0a8e99a5b6..e7e1d7ffe4 100644 --- a/tests/acceptance/01_vars/02_functions/maparray.cf +++ b/tests/acceptance/01_vars/02_functions/maparray.cf @@ -21,6 +21,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "load1" data => parsejson('[ 1, 2, 3]'); "load2" slist => { "eleme\"nt1", "element2", "element3" }; diff --git a/tests/acceptance/01_vars/02_functions/maparray_multi_index.cf b/tests/acceptance/01_vars/02_functions/maparray_multi_index.cf index a0feb0165d..fa4232aff2 100644 --- a/tests/acceptance/01_vars/02_functions/maparray_multi_index.cf +++ b/tests/acceptance/01_vars/02_functions/maparray_multi_index.cf @@ -22,6 +22,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "bundles[x][y][z1]" string => "xyz1"; "bundles[x][y][z23]" slist => { "xyz2", "xyz3" }; diff --git a/tests/acceptance/01_vars/02_functions/maplist.cf b/tests/acceptance/01_vars/02_functions/maplist.cf index 202f94f2d8..6c9066ce4a 100644 --- a/tests/acceptance/01_vars/02_functions/maplist.cf +++ b/tests/acceptance/01_vars/02_functions/maplist.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "testlist" slist => { "zero", "two", "three's", "four-fore:quatre", "last" }; "empty" slist => { }; diff --git a/tests/acceptance/01_vars/02_functions/mergedata-json-strings.cf b/tests/acceptance/01_vars/02_functions/mergedata-json-strings.cf index 1cedd35a62..ef2557ad1c 100644 --- a/tests/acceptance/01_vars/02_functions/mergedata-json-strings.cf +++ b/tests/acceptance/01_vars/02_functions/mergedata-json-strings.cf @@ -12,6 +12,8 @@ bundle agent test meta: "description" string => "Test that plain json strings can be merged"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "merged" data => mergedata( '[]', '{ "one": "1" }', '{ "two":"2"}' ); diff --git a/tests/acceptance/01_vars/02_functions/network/url_get.cf b/tests/acceptance/01_vars/02_functions/network/url_get.cf index 35f6535f98..d00d8d410c 100644 --- a/tests/acceptance/01_vars/02_functions/network/url_get.cf +++ b/tests/acceptance/01_vars/02_functions/network/url_get.cf @@ -35,6 +35,8 @@ bundle agent test { meta: "test_skip_unsupported" string => "!feature_curl"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "kept" data => mergedata( diff --git a/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf b/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf index 86db569bcb..0c2d3f7ac2 100644 --- a/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf +++ b/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf @@ -24,8 +24,11 @@ bundle agent init bundle common test_common { - vars: + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "data" data => readjson("$(this.promise_filename).json", "100k"); "datastr" string => format("%S", data); diff --git a/tests/acceptance/01_vars/02_functions/readdata.cf b/tests/acceptance/01_vars/02_functions/readdata.cf index 588d2369b9..0485a19ea7 100644 --- a/tests/acceptance/01_vars/02_functions/readdata.cf +++ b/tests/acceptance/01_vars/02_functions/readdata.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10252" }; + vars: "explicit_csv" data => readdata("$(this.promise_filename).csv", "CSV"); "explicit_env" data => readdata("$(this.promise_filename).env", "ENV"); diff --git a/tests/acceptance/01_vars/02_functions/readdata_yaml.cf b/tests/acceptance/01_vars/02_functions/readdata_yaml.cf index 25c1e5df00..712cd8ae41 100644 --- a/tests/acceptance/01_vars/02_functions/readdata_yaml.cf +++ b/tests/acceptance/01_vars/02_functions/readdata_yaml.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: feature_yaml:: "explicit_yaml" data => readdata("$(this.promise_filename).yaml", "YAML"); diff --git a/tests/acceptance/01_vars/02_functions/regex_replace.cf b/tests/acceptance/01_vars/02_functions/regex_replace.cf index aacfc4bd7d..b08d5cfbc9 100644 --- a/tests/acceptance/01_vars/02_functions/regex_replace.cf +++ b/tests/acceptance/01_vars/02_functions/regex_replace.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "test" string => "abcdefghij"; diff --git a/tests/acceptance/01_vars/02_functions/reverse.cf b/tests/acceptance/01_vars/02_functions/reverse.cf index 88fb5fe040..dde4e97a6a 100644 --- a/tests/acceptance/01_vars/02_functions/reverse.cf +++ b/tests/acceptance/01_vars/02_functions/reverse.cf @@ -24,6 +24,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "sa" slist => reverse("init.a"); "sb" slist => reverse("init.b"); diff --git a/tests/acceptance/01_vars/02_functions/setop_unique_difference_intersection.cf b/tests/acceptance/01_vars/02_functions/setop_unique_difference_intersection.cf index 815ac9e40d..ed265b78c4 100644 --- a/tests/acceptance/01_vars/02_functions/setop_unique_difference_intersection.cf +++ b/tests/acceptance/01_vars/02_functions/setop_unique_difference_intersection.cf @@ -34,6 +34,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "list1" slist => { "a", "b", "c", "d", "e", "f" }; "list2" slist => { "a", "b", "c", "d", "e", "f" }; diff --git a/tests/acceptance/01_vars/02_functions/shuffle-exact.cf b/tests/acceptance/01_vars/02_functions/shuffle-exact.cf index a2c9b921b2..bc54c104f2 100644 --- a/tests/acceptance/01_vars/02_functions/shuffle-exact.cf +++ b/tests/acceptance/01_vars/02_functions/shuffle-exact.cf @@ -32,8 +32,8 @@ bundle agent test # for some reason, shuffle() produces different results on 64bit RHEL 4 # and Debian 4 than everywhere else "test_soft_fail" - string => "(centos_4|centos_5|debian_4).64_bit", - meta => { "CFE-2301" }; + string => "((centos_4|centos_5|debian_4).64_bit)|windows", + meta => { "CFE-2301,ENT-10254" }; vars: "lists" slist => { "a", "b" }; "seeds" slist => { "skruf", "cormorant", "dollhouse" }; diff --git a/tests/acceptance/01_vars/02_functions/sort.cf b/tests/acceptance/01_vars/02_functions/sort.cf index ebf2e48339..ae10bb3c4b 100644 --- a/tests/acceptance/01_vars/02_functions/sort.cf +++ b/tests/acceptance/01_vars/02_functions/sort.cf @@ -61,8 +61,10 @@ bundle agent init bundle agent test { meta: - "test_soft_fail" string => "hpux|sunos_5_9|windows", + "test_soft_fail" string => "hpux|sunos_5_9", meta => { "redmine4934", "redmine5107" }; + "test_flakey_fail" string => "windows", + meta => { "ENT-10254" }; vars: diff --git a/tests/acceptance/01_vars/02_functions/storejson.cf b/tests/acceptance/01_vars/02_functions/storejson.cf index 70375aee4d..6574b38220 100644 --- a/tests/acceptance/01_vars/02_functions/storejson.cf +++ b/tests/acceptance/01_vars/02_functions/storejson.cf @@ -9,6 +9,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "mylist" slist => { "x", "y" }; "data" data => parsejson('{ diff --git a/tests/acceptance/01_vars/02_functions/storejson_edge_case.cf b/tests/acceptance/01_vars/02_functions/storejson_edge_case.cf index ef12c462b0..d209fc3d29 100644 --- a/tests/acceptance/01_vars/02_functions/storejson_edge_case.cf +++ b/tests/acceptance/01_vars/02_functions/storejson_edge_case.cf @@ -10,6 +10,9 @@ body common control ########################################################## bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "data" string => storejson('{ "A very long text": "Hello, everyone! This is the LONGEST TEXT EVER! I was inspired by the various other longest texts ever on the internet, and I wanted to make my own. So here it is! This is going to be a WORLD RECORD! This is actually my third attempt at doing this. The first time, I didnt save it. The second time, the Neocities editor crashed. Now Im writing this in Notepad, then copying it into the Neocities editor instead of typing it directly in the Neocities editor to avoid crashing. It sucks that my past two attempts are gone now. Those actually got pretty long. Not the longest, but still pretty long. I hope this one wont get lost somehow. Anyways, lets talk about WAFFLES! I like waffles. Waffles are cool. Waffles is a funny word. Theres a Teen Titans Go episode called Waffles where the word Waffles is said a hundred-something times. Its pretty annoying. Theres also a Teen Titans Go episode about Pig Latin. Dont know what Pig Latin is? Its a language where you take all the consonants before the first vowel, move them to the end, and add -ay to the end. If the word begins with a vowel, you just add -way to the end. For example, Waffles becomes Afflesway. Ive been speaking Pig Latin fluently since the fourth grade, so it surprised me when I saw the episode for the first time. I speak Pig Latin with my sister sometimes. Its pretty fun. I like speaking it in public so that everyone around us gets confused. Thats never actually happened before, but if it ever does, twill be pretty funny. By the way, twill is a word I invented recently, and its a contraction of it will. I really hope it gains popularity in the near future, because twill is WAY more fun than saying itll. Itll is too boring. Nobody likes boring. This is nowhere near being the longest text ever, but eventually it will be! I might still be writing this a decade later, who knows? But right now, its not very long. But Ill just keep writing until it is the longest! Have you ever heard the song Dau Dau by Awesome Scampis? Its an amazing song. Look it up on YouTube! I play that song all the time around my sister! It drives her crazy, and I love it. Another way I like driving my sister crazy is by speaking my own made up language to her. She hates the languages I make! The only language that we both speak besides English is Pig Latin. I think you already knew that. Whatever. I think Im gonna go for now. Bye! Hi, Im back now. Im gonna contribute more to this soon-to-be giant wall of text. I just realised I have a giant stuffed frog on my bed. I forgot his name. Im pretty sure it was something stupid though. I think it was FROG in Morse Code or something. Morse Code is cool. I know a bit of it, but Im not very good at it. Im also not very good at French. I barely know anything in French, and my pronunciation probably sucks. But Im learning it, at least. Im also learning Esperanto. Its this language that was made up by some guy a long time ago to be the universal language. A lot of people speak it. I am such a language nerd. Half of this text is probably gonna be about languages. But hey, as long as its long! Ha, get it? As LONG as its LONG? Im so funny, right? No, Im not. I should probably get some sleep. Goodnight! Hello, Im back again. I basically have only two interests nowadays: languages and furries. What? Oh, sorry, I thought you knew I was a furry. Haha, oops. Anyway, yeah, Im a furry, but since Im a young furry, I cant really do as much as I would like to do in the fandom. When Im older, I would like to have a fursuit, go to furry conventions, all that stuff. But for now I can only dream of that. Sorry you had to deal with me talking about furries, but Im honestly very desperate for this to be the longest text ever. Last night I was watching nothing but fursuit unboxings. I think I need help. This one time, me and my mom were going to go to a furry Christmas party, but we didnt end up going because of the fact that there was alcohol on the premises, and that she didnt wanna have to be a mom dragging her son through a crowd of furries. Both of those reasons were understandable. Okay, hopefully I wont have to talk about furries anymore. I dont care if youre a furry reading this right now, I just dont wanna have to torture everyone else."}'); } diff --git a/tests/acceptance/01_vars/02_functions/strftime.cf b/tests/acceptance/01_vars/02_functions/strftime.cf index e4ec61da24..0beb211a2e 100644 --- a/tests/acceptance/01_vars/02_functions/strftime.cf +++ b/tests/acceptance/01_vars/02_functions/strftime.cf @@ -50,6 +50,10 @@ bundle edit_line init_insert bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10253" }; + vars: "vals" slist => { strftime('gmtime', '%F %T', 100000000), diff --git a/tests/acceptance/01_vars/02_functions/string_mustache.cf b/tests/acceptance/01_vars/02_functions/string_mustache.cf index 0ac07f76a5..e966c5b1fb 100644 --- a/tests/acceptance/01_vars/02_functions/string_mustache.cf +++ b/tests/acceptance/01_vars/02_functions/string_mustache.cf @@ -14,6 +14,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "out11" string => string_mustache("desert = {{vars.init.desert}}"); diff --git a/tests/acceptance/01_vars/02_functions/string_replace.cf b/tests/acceptance/01_vars/02_functions/string_replace.cf index c3caf164ca..220de85782 100644 --- a/tests/acceptance/01_vars/02_functions/string_replace.cf +++ b/tests/acceptance/01_vars/02_functions/string_replace.cf @@ -16,6 +16,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "test" string => "abcdefghij\t\n"; "test2" string => "(){}[].*?"; diff --git a/tests/acceptance/01_vars/02_functions/string_trim.cf b/tests/acceptance/01_vars/02_functions/string_trim.cf index 13b46a3a2d..c361445814 100644 --- a/tests/acceptance/01_vars/02_functions/string_trim.cf +++ b/tests/acceptance/01_vars/02_functions/string_trim.cf @@ -9,6 +9,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "abcd1" string => string_trim("abcd"); "abcd2" string => string_trim(" abcd"); diff --git a/tests/acceptance/01_vars/02_functions/sublist.cf b/tests/acceptance/01_vars/02_functions/sublist.cf index af137477c7..2fe5a4bc63 100644 --- a/tests/acceptance/01_vars/02_functions/sublist.cf +++ b/tests/acceptance/01_vars/02_functions/sublist.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "test" slist => { 1,2,3, diff --git a/tests/acceptance/01_vars/02_functions/sum_and_product.cf b/tests/acceptance/01_vars/02_functions/sum_and_product.cf index 86ccbc32b4..3807b376ac 100644 --- a/tests/acceptance/01_vars/02_functions/sum_and_product.cf +++ b/tests/acceptance/01_vars/02_functions/sum_and_product.cf @@ -21,6 +21,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "normal_list" slist => { "1", "2", "3" }; "empty_list" slist => { }; diff --git a/tests/acceptance/01_vars/02_functions/text_xform.cf b/tests/acceptance/01_vars/02_functions/text_xform.cf index 191dfb166b..9d31b3c30c 100644 --- a/tests/acceptance/01_vars/02_functions/text_xform.cf +++ b/tests/acceptance/01_vars/02_functions/text_xform.cf @@ -7,6 +7,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "tests" slist => { "q1", "q2", "q3", "q4" }; "offsets" ilist => { "-1", "-2", "-5", "-10", "-20", "-26", "-27", "-28", "-10240", diff --git a/tests/acceptance/01_vars/02_functions/type.cf b/tests/acceptance/01_vars/02_functions/type.cf index 4326d3cfa1..1aea1a7746 100644 --- a/tests/acceptance/01_vars/02_functions/type.cf +++ b/tests/acceptance/01_vars/02_functions/type.cf @@ -32,6 +32,8 @@ bundle agent test meta: "description" -> { "CFE-2240" } string => "Test for expected results from policy function type"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "test_00" string => type("init._data"); diff --git a/tests/acceptance/01_vars/02_functions/url_get_local.cf b/tests/acceptance/01_vars/02_functions/url_get_local.cf index 9c2dcb2ae1..907c00bffe 100644 --- a/tests/acceptance/01_vars/02_functions/url_get_local.cf +++ b/tests/acceptance/01_vars/02_functions/url_get_local.cf @@ -33,6 +33,8 @@ bundle agent test { meta: "test_skip_unsupported" string => "!feature_curl"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "kept" data => mergedata( diff --git a/tests/acceptance/01_vars/02_functions/validdata.cf b/tests/acceptance/01_vars/02_functions/validdata.cf index c25d3d0b8f..f2d134ca99 100644 --- a/tests/acceptance/01_vars/02_functions/validdata.cf +++ b/tests/acceptance/01_vars/02_functions/validdata.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "valid_json" string => "should appear", if => validdata(readfile("$(this.promise_filename).json", inf), "JSON"); diff --git a/tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf b/tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf index fda15ae3df..e1f6686f0e 100644 --- a/tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf +++ b/tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-4080" } string => "Test validjson() with trailing bogus data"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } ############################################################################## diff --git a/tests/acceptance/01_vars/02_functions/variablesmatching.cf b/tests/acceptance/01_vars/02_functions/variablesmatching.cf index 074513b4ab..0aa93783d7 100644 --- a/tests/acceptance/01_vars/02_functions/variablesmatching.cf +++ b/tests/acceptance/01_vars/02_functions/variablesmatching.cf @@ -22,6 +22,10 @@ bundle common init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "vars" slist => variablesmatching("default:init.test_fbeae67f3e347b5e0032302200141131.*"); "x_vars" slist => variablesmatching("default:init.test_fbeae67f3e347b5e0032302200141131.*", "x"); diff --git a/tests/acceptance/01_vars/02_functions/wrap_container_fncalls.cf b/tests/acceptance/01_vars/02_functions/wrap_container_fncalls.cf index 5d1c24392e..feebc3b298 100644 --- a/tests/acceptance/01_vars/02_functions/wrap_container_fncalls.cf +++ b/tests/acceptance/01_vars/02_functions/wrap_container_fncalls.cf @@ -19,6 +19,10 @@ bundle common init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "base_list" slist => { "a", "b", "c", "aaa", "bbb", "ccc" }; "base_data" data => '{ "x": 100, "y": "z" }'; diff --git a/tests/acceptance/01_vars/04_containers/inline_json.cf b/tests/acceptance/01_vars/04_containers/inline_json.cf index 40287b0188..be6e57d68e 100644 --- a/tests/acceptance/01_vars/04_containers/inline_json.cf +++ b/tests/acceptance/01_vars/04_containers/inline_json.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "included" string => "( included text )"; "options1" data => ' diff --git a/tests/acceptance/01_vars/04_containers/inline_yaml.cf b/tests/acceptance/01_vars/04_containers/inline_yaml.cf index 7d518a5db3..f087ef9cda 100644 --- a/tests/acceptance/01_vars/04_containers/inline_yaml.cf +++ b/tests/acceptance/01_vars/04_containers/inline_yaml.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: feature_yaml:: "included" string => "( included text )"; diff --git a/tests/acceptance/01_vars/04_containers/iterate_over_data_array.cf b/tests/acceptance/01_vars/04_containers/iterate_over_data_array.cf index dde9ecac55..5f80261932 100644 --- a/tests/acceptance/01_vars/04_containers/iterate_over_data_array.cf +++ b/tests/acceptance/01_vars/04_containers/iterate_over_data_array.cf @@ -20,6 +20,8 @@ bundle agent test string => "Test that we can iterate over an array inside of a data container without first extracting it. And that the order of iteration is preserved."; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "data3" data => '{ "iteration_order":[ "b", "c", "a" ], "b":{ "key": "bkeyval" }, "c":{"key":"ckeyval"}, "a":{"key":"akeyval"}}'; diff --git a/tests/acceptance/01_vars/deep_delayed_expansion/main.cf b/tests/acceptance/01_vars/deep_delayed_expansion/main.cf index 3f134b4c31..86f99bcbe2 100644 --- a/tests/acceptance/01_vars/deep_delayed_expansion/main.cf +++ b/tests/acceptance/01_vars/deep_delayed_expansion/main.cf @@ -8,6 +8,8 @@ bundle agent test { meta: "description" string => "Test that variables containing other variales are de-referenced"; + "test_soft_fail" string => "windows", + meta => { "ENT-10256" }; } bundle agent check diff --git a/tests/acceptance/02_classes/01_basic/from_json_booleans.cf b/tests/acceptance/02_classes/01_basic/from_json_booleans.cf index c9db5ed37f..9d16d94888 100644 --- a/tests/acceptance/02_classes/01_basic/from_json_booleans.cf +++ b/tests/acceptance/02_classes/01_basic/from_json_booleans.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + classes: "canary" expression => "any", meta => { "collect" }; # just a baseline test "from_$(json)" expression => "$(json)", meta => { "collect" }; # iterates through non-nulls diff --git a/tests/acceptance/02_classes/01_basic/variable_class_expressions_with_if.cf b/tests/acceptance/02_classes/01_basic/variable_class_expressions_with_if.cf index 6015526242..d22cc90389 100644 --- a/tests/acceptance/02_classes/01_basic/variable_class_expressions_with_if.cf +++ b/tests/acceptance/02_classes/01_basic/variable_class_expressions_with_if.cf @@ -71,7 +71,7 @@ bundle agent test commands: - "/bin/true" + "$(G.true)" handle => "delay", comment => "This is a benign promise that is used to delay detection of failure classes until after normal order begins."; diff --git a/tests/acceptance/02_classes/02_functions/iprange.cf b/tests/acceptance/02_classes/02_functions/iprange.cf index fdc991f68c..f95c30188f 100644 --- a/tests/acceptance/02_classes/02_functions/iprange.cf +++ b/tests/acceptance/02_classes/02_functions/iprange.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + classes: "expected_missing" expression => iprange("8.8.8.8/31"), meta => { "collect" }; diff --git a/tests/acceptance/02_classes/02_functions/isipinsubnet.cf b/tests/acceptance/02_classes/02_functions/isipinsubnet.cf index 6cff4f4db0..2d89d0619b 100644 --- a/tests/acceptance/02_classes/02_functions/isipinsubnet.cf +++ b/tests/acceptance/02_classes/02_functions/isipinsubnet.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + classes: "zeroes_range_match" expression => isipinsubnet("0.0.0.0/0", "1.2.3.4"), meta => { "collect" }; diff --git a/tests/acceptance/02_classes/03_os/powershell.cf b/tests/acceptance/02_classes/03_os/powershell.cf index be2c89d6d7..9599a3b818 100644 --- a/tests/acceptance/02_classes/03_os/powershell.cf +++ b/tests/acceptance/02_classes/03_os/powershell.cf @@ -23,6 +23,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; vars: "dummy" string => "dummy"; } diff --git a/tests/acceptance/05_processes/01_matching/inverse_ttime_inverse_found.cf b/tests/acceptance/05_processes/01_matching/inverse_ttime_inverse_found.cf index f7896b9e47..49a79b08c0 100644 --- a/tests/acceptance/05_processes/01_matching/inverse_ttime_inverse_found.cf +++ b/tests/acceptance/05_processes/01_matching/inverse_ttime_inverse_found.cf @@ -25,9 +25,6 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4747" }; - "test_flakey_fail" string => "aix_7_1", meta => { "CFE-3313" }; diff --git a/tests/acceptance/05_processes/01_matching/owner.cf b/tests/acceptance/05_processes/01_matching/owner.cf index 7ea23b8123..c0b842c747 100644 --- a/tests/acceptance/05_processes/01_matching/owner.cf +++ b/tests/acceptance/05_processes/01_matching/owner.cf @@ -24,6 +24,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; + vars: "ok_list" slist => { "pass_root_1", "pass_root_2", "pass_nouser_3", "pass_nouser_4", diff --git a/tests/acceptance/05_processes/01_matching/process_select_fncalls.cf b/tests/acceptance/05_processes/01_matching/process_select_fncalls.cf index b1dc7c9697..6815f2028c 100644 --- a/tests/acceptance/05_processes/01_matching/process_select_fncalls.cf +++ b/tests/acceptance/05_processes/01_matching/process_select_fncalls.cf @@ -12,6 +12,9 @@ bundle agent test meta: "description" -> { "CFE-1968" } string => "Test that process_select body can have (failing) function calls"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; + vars: "canonified_uid" string => canonify(getuid("nosuchuser")); diff --git a/tests/acceptance/05_processes/01_matching/timed/stime.cf b/tests/acceptance/05_processes/01_matching/timed/stime.cf index fb6e3bd741..e1d0af8854 100644 --- a/tests/acceptance/05_processes/01_matching/timed/stime.cf +++ b/tests/acceptance/05_processes/01_matching/timed/stime.cf @@ -12,6 +12,8 @@ bundle agent init # Adding the test case revealed that these platforms do not work, but we # don't know why. "test_skip_needs_work" string => "solaris|hpux"; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; vars: # Random, but unique string for this test case. diff --git a/tests/acceptance/05_processes/process_stop.cf b/tests/acceptance/05_processes/process_stop.cf index 9094a44d48..b4935cbd01 100644 --- a/tests/acceptance/05_processes/process_stop.cf +++ b/tests/acceptance/05_processes/process_stop.cf @@ -9,6 +9,8 @@ bundle agent test meta: "description" -> { "ENT-4988" } string => "Test some basic expectations when using process_stop in processes type promises"; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; processes: diff --git a/tests/acceptance/07_packages/001.cf b/tests/acceptance/07_packages/001.cf index b35e0228d3..a0a1e55c04 100644 --- a/tests/acceptance/07_packages/001.cf +++ b/tests/acceptance/07_packages/001.cf @@ -39,6 +39,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; "version" string => "1.0i"; diff --git a/tests/acceptance/07_packages/002.cf b/tests/acceptance/07_packages/002.cf index 3b6cc4fd54..983f5eb156 100644 --- a/tests/acceptance/07_packages/002.cf +++ b/tests/acceptance/07_packages/002.cf @@ -39,6 +39,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; "version" string => "1.0i"; diff --git a/tests/acceptance/07_packages/003.cf b/tests/acceptance/07_packages/003.cf index c8cd82da4f..1497178bdb 100644 --- a/tests/acceptance/07_packages/003.cf +++ b/tests/acceptance/07_packages/003.cf @@ -39,6 +39,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; diff --git a/tests/acceptance/07_packages/004.cf b/tests/acceptance/07_packages/004.cf index 31adeeb8b9..4baf261f30 100644 --- a/tests/acceptance/07_packages/004.cf +++ b/tests/acceptance/07_packages/004.cf @@ -41,6 +41,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; diff --git a/tests/acceptance/07_packages/005.cf b/tests/acceptance/07_packages/005.cf index 48720bab52..9147b167d2 100644 --- a/tests/acceptance/07_packages/005.cf +++ b/tests/acceptance/07_packages/005.cf @@ -41,6 +41,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; diff --git a/tests/acceptance/07_packages/006.cf b/tests/acceptance/07_packages/006.cf index fc86899025..8d171f03fc 100644 --- a/tests/acceptance/07_packages/006.cf +++ b/tests/acceptance/07_packages/006.cf @@ -41,6 +41,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; diff --git a/tests/acceptance/07_packages/package_module_interpreter.cf b/tests/acceptance/07_packages/package_module_interpreter.cf index 64b80a68a9..86ef4c5259 100644 --- a/tests/acceptance/07_packages/package_module_interpreter.cf +++ b/tests/acceptance/07_packages/package_module_interpreter.cf @@ -20,7 +20,7 @@ body package_module test_module query_installed_ifelapsed => "60"; query_updates_ifelapsed => "14400"; default_options => { "$(G.testfile)" }; - interpreter => "/bin/sh"; # NOTE: no hashbang in the test_module script + interpreter => "$(G.sh)"; # /bin/sh; NOTE: no hashbang in the test_module script } bundle agent test @@ -29,6 +29,8 @@ bundle agent test "description" string => "Test that the interpreter for the package module script can be set", meta => { "CFE-2880" }; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; packages: "first_pkg" diff --git a/tests/acceptance/07_packages/package_module_path.cf b/tests/acceptance/07_packages/package_module_path.cf index 7b5e082c83..7590bd64fb 100644 --- a/tests/acceptance/07_packages/package_module_path.cf +++ b/tests/acceptance/07_packages/package_module_path.cf @@ -30,6 +30,8 @@ bundle agent test "description" string => "Test that the interpreter for the package module script can be set", meta => { "CFE-2880" }; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; packages: "first_pkg" diff --git a/tests/acceptance/08_commands/01_modules/module-array-allows-at.cf b/tests/acceptance/08_commands/01_modules/module-array-allows-at.cf index 88cad6a819..d3fa859c39 100644 --- a/tests/acceptance/08_commands/01_modules/module-array-allows-at.cf +++ b/tests/acceptance/08_commands/01_modules/module-array-allows-at.cf @@ -10,6 +10,8 @@ bundle agent test meta: "description" -> { "CFE-3099" } string => "Test that arrays defined by modules can contain @ just like classic arrays."; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; commands: diff --git a/tests/acceptance/08_commands/01_modules/module-array-allows-slash.cf b/tests/acceptance/08_commands/01_modules/module-array-allows-slash.cf index 2c3283b369..dfe1a565ed 100644 --- a/tests/acceptance/08_commands/01_modules/module-array-allows-slash.cf +++ b/tests/acceptance/08_commands/01_modules/module-array-allows-slash.cf @@ -10,6 +10,8 @@ bundle agent test meta: "description" -> { "CFE-2768" } string => "Test that arrays defined by modules can contain slashes just like classic arrays."; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; commands: diff --git a/tests/acceptance/08_commands/01_modules/module-array-indexing.cf b/tests/acceptance/08_commands/01_modules/module-array-indexing.cf index 7af352dc1e..9082c2e564 100644 --- a/tests/acceptance/08_commands/01_modules/module-array-indexing.cf +++ b/tests/acceptance/08_commands/01_modules/module-array-indexing.cf @@ -14,9 +14,6 @@ body common control bundle agent test { - meta: - "test_suppress_fail" string => "windows"; - commands: "$(G.cat) $(this.promise_filename).txt" module => "true"; diff --git a/tests/acceptance/08_commands/01_modules/module_file_test.cf b/tests/acceptance/08_commands/01_modules/module_file_test.cf index 955f868a1c..958dd7868e 100644 --- a/tests/acceptance/08_commands/01_modules/module_file_test.cf +++ b/tests/acceptance/08_commands/01_modules/module_file_test.cf @@ -26,6 +26,8 @@ bundle agent test meta: "description" string => "Test module file protocol"; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; commands: any:: diff --git a/tests/acceptance/08_commands/01_modules/set-persistent-class.cf b/tests/acceptance/08_commands/01_modules/set-persistent-class.cf index e3c5b0b0fe..07de575b34 100644 --- a/tests/acceptance/08_commands/01_modules/set-persistent-class.cf +++ b/tests/acceptance/08_commands/01_modules/set-persistent-class.cf @@ -12,6 +12,13 @@ body common control version => "1.0"; } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/08_commands/01_modules/set-tags.cf b/tests/acceptance/08_commands/01_modules/set-tags.cf index 6d59cbb3da..530c1c84d4 100644 --- a/tests/acceptance/08_commands/01_modules/set-tags.cf +++ b/tests/acceptance/08_commands/01_modules/set-tags.cf @@ -24,6 +24,9 @@ bundle common init bundle agent test { + meta: + "test_flakey_fail" string => "windows", + meta => { "ENT-10257" }; commands: "$(G.cat) $(init.script_name)" contain => in_shell, diff --git a/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf b/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf index 090efade28..79746b5d24 100644 --- a/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf +++ b/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf @@ -11,8 +11,9 @@ bundle agent test "description" -> { "ENT-7725" } string => "Test that vars defined by modules without explicit tags still have automatic tags identifying the source"; - "test_skip_unsupported" + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }, comment => "The subtest policy uses /bin/echo"; commands: diff --git a/tests/acceptance/08_commands/02_syntax/arglist.cf b/tests/acceptance/08_commands/02_syntax/arglist.cf index 0417377bea..7ac630f5fb 100644 --- a/tests/acceptance/08_commands/02_syntax/arglist.cf +++ b/tests/acceptance/08_commands/02_syntax/arglist.cf @@ -15,6 +15,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; commands: "$(G.echo)" arglist => { "=abc=2'3\"4" }, module => "true"; # this will generate the command `echo =def=567 =ghi=8'9"a` diff --git a/tests/acceptance/08_commands/03_shells/shelltypes.cf b/tests/acceptance/08_commands/03_shells/shelltypes.cf index 28ef5f2187..2e5f28255a 100644 --- a/tests/acceptance/08_commands/03_shells/shelltypes.cf +++ b/tests/acceptance/08_commands/03_shells/shelltypes.cf @@ -34,6 +34,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; classes: "$(init.shelltypes)" expression => regcmp(".*(Succeeded|Powershell is only supported on Windows).*", execresult("$(sys.cf_agent) -D $(init.shelltypes) -Kf $(init.origtestdir)$(const.dirsep)tryshell.cf.sub", "noshell")); diff --git a/tests/acceptance/09_services/outcomes.cf b/tests/acceptance/09_services/outcomes.cf index 5ae95e23ef..fca336d67a 100644 --- a/tests/acceptance/09_services/outcomes.cf +++ b/tests/acceptance/09_services/outcomes.cf @@ -6,6 +6,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-2161" }; + vars: "services" slist => { "single" }; "policies" slist => { "enable", "disable", "start", "stop", "restart", "reload", "custom" }; diff --git a/tests/acceptance/09_services/reload.cf b/tests/acceptance/09_services/reload.cf index 968ddb764e..ec3b6f7dbf 100644 --- a/tests/acceptance/09_services/reload.cf +++ b/tests/acceptance/09_services/reload.cf @@ -25,7 +25,7 @@ bundle agent test { meta: "test_suppress_fail" string => "windows", - meta => { "redmine4772" }; + meta => { "redmine4772,ENT-2161" }; services: "myservice" diff --git a/tests/acceptance/09_services/restart.cf b/tests/acceptance/09_services/restart.cf index c479139d96..77ef03eed8 100644 --- a/tests/acceptance/09_services/restart.cf +++ b/tests/acceptance/09_services/restart.cf @@ -25,7 +25,7 @@ bundle agent test { meta: "test_suppress_fail" string => "windows", - meta => { "redmine4772" }; + meta => { "redmine4772,ENT-2161" }; services: "myservice" diff --git a/tests/acceptance/09_services/service_cannot_be_resolved.cf b/tests/acceptance/09_services/service_cannot_be_resolved.cf index 0e3a4b5573..4c3f865c1e 100644 --- a/tests/acceptance/09_services/service_cannot_be_resolved.cf +++ b/tests/acceptance/09_services/service_cannot_be_resolved.cf @@ -21,7 +21,7 @@ bundle common test { meta: "test_suppress_fail" string => "windows", - meta => { "redmine4772" }; + meta => { "redmine4772,ENT-2161" }; classes: "resolution_warning" expression => returnszero("$(command) Service | $(G.grep) 'cannot be resolved' 2>&1", "useshell"); diff --git a/tests/acceptance/09_services/standard_services-from-non-default-namespace.cf b/tests/acceptance/09_services/standard_services-from-non-default-namespace.cf index 49708a868a..015b0a2ced 100644 --- a/tests/acceptance/09_services/standard_services-from-non-default-namespace.cf +++ b/tests/acceptance/09_services/standard_services-from-non-default-namespace.cf @@ -13,6 +13,9 @@ bundle agent test "description" -> { "ENT-5406" } string => "Test that standard_services can be used from non-default namespace"; + "test_soft_fail" string => "windows", + meta => { "ENT-2161" }; + methods: "Test" usebundle => ENT_5406:ns_test; } diff --git a/tests/acceptance/09_services/start.cf b/tests/acceptance/09_services/start.cf index 8b9df08b53..aa75db174b 100644 --- a/tests/acceptance/09_services/start.cf +++ b/tests/acceptance/09_services/start.cf @@ -25,7 +25,7 @@ bundle agent test { meta: "test_suppress_fail" string => "windows", - meta => { "redmine4772" }; + meta => { "redmine4772,ENT-2161" }; services: "myservice" diff --git a/tests/acceptance/09_services/stop.cf b/tests/acceptance/09_services/stop.cf index 8b3608fa3d..2ad8c80c55 100644 --- a/tests/acceptance/09_services/stop.cf +++ b/tests/acceptance/09_services/stop.cf @@ -25,7 +25,7 @@ bundle agent test { meta: "test_suppress_fail" string => "windows", - meta => { "redmine4772" }; + meta => { "redmine4772,ENT-2161" }; services: "myservice" diff --git a/tests/acceptance/10_files/01_create/cfengine_create_by_default.cf b/tests/acceptance/10_files/01_create/cfengine_create_by_default.cf index d1c57eca62..7c0ac6e174 100644 --- a/tests/acceptance/10_files/01_create/cfengine_create_by_default.cf +++ b/tests/acceptance/10_files/01_create/cfengine_create_by_default.cf @@ -48,6 +48,9 @@ bundle agent test "description" -> { "CFE-3955" } string => "template_method cfengine creates promiser by default"; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: # File should be created by default and rendered with content "$(G.testfile).test_1" diff --git a/tests/acceptance/10_files/01_create/perms-mode.cf b/tests/acceptance/10_files/01_create/perms-mode.cf index 5cd6205cfa..d86cdb8594 100644 --- a/tests/acceptance/10_files/01_create/perms-mode.cf +++ b/tests/acceptance/10_files/01_create/perms-mode.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + vars: freebsd|solaris:: "modes" slist => { "1", "333", "100", "200", "777", "o=x", "ugo=wx", "u=x", "u=w", "ugo=rwx" }; diff --git a/tests/acceptance/10_files/02_maintain/016.cf b/tests/acceptance/10_files/02_maintain/016.cf index 2c8c6ee3bf..3bacebe06d 100644 --- a/tests/acceptance/10_files/02_maintain/016.cf +++ b/tests/acceptance/10_files/02_maintain/016.cf @@ -35,6 +35,10 @@ body contain shell bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: "$(G.testdir)/destfile" copy_from => cp_2_file("$(G.testdir)/afile"); diff --git a/tests/acceptance/10_files/02_maintain/changes_depth_search.cf b/tests/acceptance/10_files/02_maintain/changes_depth_search.cf index 99d4724057..61de4fcd03 100644 --- a/tests/acceptance/10_files/02_maintain/changes_depth_search.cf +++ b/tests/acceptance/10_files/02_maintain/changes_depth_search.cf @@ -89,6 +89,10 @@ subfile.same,N,New file found"); bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + commands: "$(sys.cf_agent) -Dpass1 -Kf $(this.promise_filename).sub"; "$(sys.cf_agent) -Dpass2 -Kf $(this.promise_filename).sub"; diff --git a/tests/acceptance/10_files/02_maintain/changes_depth_search_last_file.cf b/tests/acceptance/10_files/02_maintain/changes_depth_search_last_file.cf index 3ffb4f8e6e..02b7b474ba 100644 --- a/tests/acceptance/10_files/02_maintain/changes_depth_search_last_file.cf +++ b/tests/acceptance/10_files/02_maintain/changes_depth_search_last_file.cf @@ -27,6 +27,10 @@ file,R,File removed"); bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + commands: "$(sys.cf_agent) -Dpass1 -Kf $(this.promise_filename).sub"; "$(sys.cf_agent) -Dpass2 -Kf $(this.promise_filename).sub"; diff --git a/tests/acceptance/10_files/02_maintain/changes_update_hashes.cf b/tests/acceptance/10_files/02_maintain/changes_update_hashes.cf index 574c5e2cd7..a2f9479a79 100644 --- a/tests/acceptance/10_files/02_maintain/changes_update_hashes.cf +++ b/tests/acceptance/10_files/02_maintain/changes_update_hashes.cf @@ -35,6 +35,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + files: "$(G.testfile).update.updated" edit_line => insert_text; diff --git a/tests/acceptance/10_files/02_maintain/fifos.cf b/tests/acceptance/10_files/02_maintain/fifos.cf index 7b47bd07e4..7e1fe09ab1 100644 --- a/tests/acceptance/10_files/02_maintain/fifos.cf +++ b/tests/acceptance/10_files/02_maintain/fifos.cf @@ -10,9 +10,6 @@ body common control bundle agent init { - meta: - "test_skip_unsupported" string => "!has_mkfifo"; - vars: "test_fifo" string => "$(G.testfile).fifo"; @@ -22,6 +19,9 @@ bundle agent init bundle agent test { + meta: + "test_skip_unsupported" string => "!has_mkfifo|windows"; + files: "$(init.test_fifo)" create => "false", diff --git a/tests/acceptance/10_files/04_match/match_scope.cf b/tests/acceptance/10_files/04_match/match_scope.cf index 146c979c03..5ce45b60fc 100644 --- a/tests/acceptance/10_files/04_match/match_scope.cf +++ b/tests/acceptance/10_files/04_match/match_scope.cf @@ -31,6 +31,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + vars: "foo" string => "foo"; diff --git a/tests/acceptance/10_files/08_field_edits/file_content.cf b/tests/acceptance/10_files/08_field_edits/file_content.cf index 592d23bb80..8f2e9f5978 100644 --- a/tests/acceptance/10_files/08_field_edits/file_content.cf +++ b/tests/acceptance/10_files/08_field_edits/file_content.cf @@ -44,6 +44,10 @@ body edit_defaults init_empty bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + files: "$(G.testfile).actual.singleline" create => "true", diff --git a/tests/acceptance/10_files/09_insert_lines/block_insert_duplicate.cf b/tests/acceptance/10_files/09_insert_lines/block_insert_duplicate.cf index 25630e880d..7187a58b34 100644 --- a/tests/acceptance/10_files/09_insert_lines/block_insert_duplicate.cf +++ b/tests/acceptance/10_files/09_insert_lines/block_insert_duplicate.cf @@ -43,6 +43,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + files: "$(G.testfile).actual" create => "true", diff --git a/tests/acceptance/10_files/09_insert_lines/crlf-in-cftemplate.cf b/tests/acceptance/10_files/09_insert_lines/crlf-in-cftemplate.cf index 681cdecb5c..2df2c6c3a3 100644 --- a/tests/acceptance/10_files/09_insert_lines/crlf-in-cftemplate.cf +++ b/tests/acceptance/10_files/09_insert_lines/crlf-in-cftemplate.cf @@ -39,6 +39,10 @@ body copy_from copy_file(file) bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: "$(G.testdir)/$(init.filelist)" edit_template => "$(init.datadir)/$(init.filelist).cftemplate", diff --git a/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line-insert-file.cf b/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line-insert-file.cf index df014570d6..33b35afad4 100644 --- a/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line-insert-file.cf +++ b/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line-insert-file.cf @@ -39,6 +39,10 @@ body copy_from copy_file(file) bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: "$(G.testdir)/$(init.filelist)" edit_line => insert_line; diff --git a/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line.cf b/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line.cf index ba5f8d13a4..4981106520 100644 --- a/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line.cf +++ b/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line.cf @@ -39,6 +39,10 @@ body copy_from copy_file(file) bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: "$(G.testdir)/$(init.filelist)" edit_line => insert_line; diff --git a/tests/acceptance/10_files/09_insert_lines/crlf-in-mustache.cf b/tests/acceptance/10_files/09_insert_lines/crlf-in-mustache.cf index f3a94ab560..cd00b69c5e 100644 --- a/tests/acceptance/10_files/09_insert_lines/crlf-in-mustache.cf +++ b/tests/acceptance/10_files/09_insert_lines/crlf-in-mustache.cf @@ -39,6 +39,10 @@ body copy_from copy_file(file) bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: "$(G.testdir)/$(init.filelist)" edit_template => "$(init.datadir)/$(init.filelist).mustache", diff --git a/tests/acceptance/10_files/09_insert_lines/insert-large-lines.cf b/tests/acceptance/10_files/09_insert_lines/insert-large-lines.cf index 4f0a600e8d..5ff334e0de 100644 --- a/tests/acceptance/10_files/09_insert_lines/insert-large-lines.cf +++ b/tests/acceptance/10_files/09_insert_lines/insert-large-lines.cf @@ -8,6 +8,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "data" string => readfile("$(this.promise_filename).txt", "16431"); files: diff --git a/tests/acceptance/10_files/11_xml_edits/build_xpath_001.cf b/tests/acceptance/10_files/11_xml_edits/build_xpath_001.cf index 3c39ccdc77..f66a8468c8 100644 --- a/tests/acceptance/10_files/11_xml_edits/build_xpath_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/build_xpath_001.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "xpath" string => "/Server/Service/Engine/Host[ @name=\"cfe_host\" | Alias = cfe_alias ]"; diff --git a/tests/acceptance/10_files/11_xml_edits/build_xpath_002.cf b/tests/acceptance/10_files/11_xml_edits/build_xpath_002.cf index c3a935e7bb..c16317aaa1 100644 --- a/tests/acceptance/10_files/11_xml_edits/build_xpath_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/build_xpath_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "xpath" string => "/Server/Service/Engine/Host[ Alias = cfe_alias | @name=\"cfe_host\" ]"; diff --git a/tests/acceptance/10_files/11_xml_edits/build_xpath_003.cf b/tests/acceptance/10_files/11_xml_edits/build_xpath_003.cf index d4388c2085..9f4e653f15 100644 --- a/tests/acceptance/10_files/11_xml_edits/build_xpath_003.cf +++ b/tests/acceptance/10_files/11_xml_edits/build_xpath_003.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "xpath" string => "/Server/Service/Engine/OneFish/TwoFish/RedFish/BlueFish/Host[ Alias = cfe_alias | @name=\"cfe_host\" ]"; diff --git a/tests/acceptance/10_files/11_xml_edits/delete_attribute_001.cf b/tests/acceptance/10_files/11_xml_edits/delete_attribute_001.cf index 263420a8ce..ee4d2742e3 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_attribute_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_attribute_001.cf @@ -61,6 +61,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "attribute_name" string => "topping"; diff --git a/tests/acceptance/10_files/11_xml_edits/delete_attribute_002.cf b/tests/acceptance/10_files/11_xml_edits/delete_attribute_002.cf index 11d0db2b92..e40fec30ff 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_attribute_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_attribute_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "attribute_name" string => "type"; diff --git a/tests/acceptance/10_files/11_xml_edits/delete_text_001.cf b/tests/acceptance/10_files/11_xml_edits/delete_text_001.cf index 566a8bbf58..3c57480ff4 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_text_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_text_001.cf @@ -59,6 +59,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Hot Potatoes!!!"; diff --git a/tests/acceptance/10_files/11_xml_edits/delete_text_002.cf b/tests/acceptance/10_files/11_xml_edits/delete_text_002.cf index c24b79fcfd..e6bb71b1d8 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_text_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_text_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Nemo"; diff --git a/tests/acceptance/10_files/11_xml_edits/delete_tree_001.cf b/tests/acceptance/10_files/11_xml_edits/delete_tree_001.cf index daef9a93b4..7d219b608f 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_tree_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_tree_001.cf @@ -78,6 +78,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "tree" string => " diff --git a/tests/acceptance/10_files/11_xml_edits/delete_tree_002.cf b/tests/acceptance/10_files/11_xml_edits/delete_tree_002.cf index df413c0711..e677aba6c7 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_tree_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_tree_002.cf @@ -52,6 +52,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "tree" string => " "windows", + meta => { "ENT-10215" }; + vars: "host" string => " "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Hot Potatoes!!!"; diff --git a/tests/acceptance/10_files/11_xml_edits/insert_text_002.cf b/tests/acceptance/10_files/11_xml_edits/insert_text_002.cf index 5cd86d4c77..655bab0658 100644 --- a/tests/acceptance/10_files/11_xml_edits/insert_text_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/insert_text_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Nemo"; diff --git a/tests/acceptance/10_files/11_xml_edits/insert_tree_001.cf b/tests/acceptance/10_files/11_xml_edits/insert_tree_001.cf index 2fca31c18c..8c71f3b706 100644 --- a/tests/acceptance/10_files/11_xml_edits/insert_tree_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/insert_tree_001.cf @@ -78,6 +78,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "tree" string => " diff --git a/tests/acceptance/10_files/11_xml_edits/insert_tree_003.cf b/tests/acceptance/10_files/11_xml_edits/insert_tree_003.cf index 9ea96177af..f80f8cb340 100644 --- a/tests/acceptance/10_files/11_xml_edits/insert_tree_003.cf +++ b/tests/acceptance/10_files/11_xml_edits/insert_tree_003.cf @@ -52,6 +52,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "content" string => " "windows", + meta => { "ENT-10215" }; + vars: "attribute_name" string => "topping"; diff --git a/tests/acceptance/10_files/11_xml_edits/set_attribute_002.cf b/tests/acceptance/10_files/11_xml_edits/set_attribute_002.cf index ca92b33833..2c0347fcec 100644 --- a/tests/acceptance/10_files/11_xml_edits/set_attribute_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/set_attribute_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "attribute_name" string => "type"; diff --git a/tests/acceptance/10_files/11_xml_edits/set_attribute_003.cf b/tests/acceptance/10_files/11_xml_edits/set_attribute_003.cf index c25ba69d10..14b342a244 100644 --- a/tests/acceptance/10_files/11_xml_edits/set_attribute_003.cf +++ b/tests/acceptance/10_files/11_xml_edits/set_attribute_003.cf @@ -61,6 +61,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "attribute_name" string => "topping"; diff --git a/tests/acceptance/10_files/11_xml_edits/set_text_001.cf b/tests/acceptance/10_files/11_xml_edits/set_text_001.cf index 139e748c69..6f9ac85802 100644 --- a/tests/acceptance/10_files/11_xml_edits/set_text_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/set_text_001.cf @@ -60,6 +60,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Hot Potatoes!!!"; diff --git a/tests/acceptance/10_files/11_xml_edits/set_text_002.cf b/tests/acceptance/10_files/11_xml_edits/set_text_002.cf index f75c6d2954..291ecb9c1f 100644 --- a/tests/acceptance/10_files/11_xml_edits/set_text_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/set_text_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Nemo"; diff --git a/tests/acceptance/10_files/FIM/monitoring_symlinks_does_not_constantly_report_change.cf b/tests/acceptance/10_files/FIM/monitoring_symlinks_does_not_constantly_report_change.cf index dde6fe9a95..fe1b5d5cd0 100644 --- a/tests/acceptance/10_files/FIM/monitoring_symlinks_does_not_constantly_report_change.cf +++ b/tests/acceptance/10_files/FIM/monitoring_symlinks_does_not_constantly_report_change.cf @@ -25,7 +25,7 @@ bundle agent test test there"; "test_soft_fail" - string => "any", + string => "!windows", meta => { "redmine7692" }; } diff --git a/tests/acceptance/10_files/copy_from_preserve_false.cf b/tests/acceptance/10_files/copy_from_preserve_false.cf index 5b30fbbe71..70a7375919 100644 --- a/tests/acceptance/10_files/copy_from_preserve_false.cf +++ b/tests/acceptance/10_files/copy_from_preserve_false.cf @@ -38,6 +38,9 @@ bundle agent test string => "Test that preserve false in body copy_from doesn't modify permissions of the promised file"; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: # We promise that the target is a copy of the source file Since preserve diff --git a/tests/acceptance/10_files/files_with_spaces.cf b/tests/acceptance/10_files/files_with_spaces.cf index 93db9c2592..01124151da 100644 --- a/tests/acceptance/10_files/files_with_spaces.cf +++ b/tests/acceptance/10_files/files_with_spaces.cf @@ -21,10 +21,6 @@ bundle agent test "description" string => "Test that file paths with spaces can be created without special treatment"; - "test_soft_fail" - string => "windows", - meta => { "redmine7934" }; - vars: "file[1]" string => "file with space.txt"; "file[2]" string => "path with/a space.txt"; diff --git a/tests/acceptance/10_files/mustache_missing_variable_is_empty_string_by_default.cf b/tests/acceptance/10_files/mustache_missing_variable_is_empty_string_by_default.cf index 37e7e2e183..028bc10f08 100644 --- a/tests/acceptance/10_files/mustache_missing_variable_is_empty_string_by_default.cf +++ b/tests/acceptance/10_files/mustache_missing_variable_is_empty_string_by_default.cf @@ -32,6 +32,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + files: "$(init.template_target)" edit_template => "$(this.promise_filename).mustache", diff --git a/tests/acceptance/10_files/mustache_render_multiline_template_data.cf b/tests/acceptance/10_files/mustache_render_multiline_template_data.cf index eff73e17c2..12b98f1870 100644 --- a/tests/acceptance/10_files/mustache_render_multiline_template_data.cf +++ b/tests/acceptance/10_files/mustache_render_multiline_template_data.cf @@ -13,6 +13,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "template_target" string => "$(G.testfile)"; diff --git a/tests/acceptance/10_files/templating/edit_template_string/mustache_edit_template_string_vs_string_mustache.cf b/tests/acceptance/10_files/templating/edit_template_string/mustache_edit_template_string_vs_string_mustache.cf index 3b5ddaa88c..510a706865 100644 --- a/tests/acceptance/10_files/templating/edit_template_string/mustache_edit_template_string_vs_string_mustache.cf +++ b/tests/acceptance/10_files/templating/edit_template_string/mustache_edit_template_string_vs_string_mustache.cf @@ -22,6 +22,9 @@ bundle agent test string => "Test that there is no difference when rendering the same mustache template with edit_template and edit_template_string"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "pghbadirectives" data => '[ diff --git a/tests/acceptance/10_files/templating/mustache_expect_list_find_string.cf b/tests/acceptance/10_files/templating/mustache_expect_list_find_string.cf index fc7a8701f7..69e115abb8 100644 --- a/tests/acceptance/10_files/templating/mustache_expect_list_find_string.cf +++ b/tests/acceptance/10_files/templating/mustache_expect_list_find_string.cf @@ -48,6 +48,10 @@ bundle agent init_filestat(n, f) bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + methods: "mustache good" usebundle => file_mustache_jsonstring($(template), '{"mykeys": ["template expects list of strings"]}', diff --git a/tests/acceptance/10_files/templating/mustache_top_level_iteration.cf b/tests/acceptance/10_files/templating/mustache_top_level_iteration.cf index 414ccdec1e..5830168242 100644 --- a/tests/acceptance/10_files/templating/mustache_top_level_iteration.cf +++ b/tests/acceptance/10_files/templating/mustache_top_level_iteration.cf @@ -16,6 +16,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "mydata1" data => '{ "a": 100 }'; "mydata2" data => '[ "p", "q" ]'; diff --git a/tests/acceptance/10_files/this_promiser.cf b/tests/acceptance/10_files/this_promiser.cf index 5b3e62253a..c56ebc84ae 100644 --- a/tests/acceptance/10_files/this_promiser.cf +++ b/tests/acceptance/10_files/this_promiser.cf @@ -55,6 +55,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; commands: "$(G.true)" classes => promiser0_generic; @@ -154,7 +157,7 @@ body file_select by_exec_cmd # Redmine #3530 { leaf_name => {"ba"}; - exec_program => "/bin/ls $(this.promiser)"; + exec_program => "$(G.ls) $(this.promiser)"; file_result => "leaf_name.exec_program"; } diff --git a/tests/acceptance/14_reports/00_output/unresolved_vars.cf b/tests/acceptance/14_reports/00_output/unresolved_vars.cf index 6cd0ede62b..475b773ac4 100644 --- a/tests/acceptance/14_reports/00_output/unresolved_vars.cf +++ b/tests/acceptance/14_reports/00_output/unresolved_vars.cf @@ -34,6 +34,9 @@ bundle agent test "description" -> { "CFE-3776" } string => "Test that reports with unresolved variables are only emitted during the last pass of evaluation"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + commands: "$(sys.cf_agent) -Kf $(this.promise_filename).sub > $(G.testfile).actual" contain => shell; diff --git a/tests/acceptance/14_reports/00_output/unresolved_with.cf b/tests/acceptance/14_reports/00_output/unresolved_with.cf index 6965f5e9df..ba6ff0480b 100644 --- a/tests/acceptance/14_reports/00_output/unresolved_with.cf +++ b/tests/acceptance/14_reports/00_output/unresolved_with.cf @@ -26,6 +26,9 @@ bundle agent test "description" -> { "CFE-3776" } string => "Test that with reports its content during the last pass even when that content has unresolved variables "; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + commands: "$(sys.cf_agent) -Kf $(this.promise_filename).sub > $(G.testfile).actual" contain => shell; diff --git a/tests/acceptance/16_cf-serverd/serial/007.cf b/tests/acceptance/16_cf-serverd/serial/007.cf index b9d298dc7f..1e8a9090d2 100644 --- a/tests/acceptance/16_cf-serverd/serial/007.cf +++ b/tests/acceptance/16_cf-serverd/serial/007.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/008.cf b/tests/acceptance/16_cf-serverd/serial/008.cf index b9d298dc7f..1e8a9090d2 100644 --- a/tests/acceptance/16_cf-serverd/serial/008.cf +++ b/tests/acceptance/16_cf-serverd/serial/008.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/010.cf b/tests/acceptance/16_cf-serverd/serial/010.cf index b9d298dc7f..1e8a9090d2 100644 --- a/tests/acceptance/16_cf-serverd/serial/010.cf +++ b/tests/acceptance/16_cf-serverd/serial/010.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/011.cf b/tests/acceptance/16_cf-serverd/serial/011.cf index b9d298dc7f..1e8a9090d2 100644 --- a/tests/acceptance/16_cf-serverd/serial/011.cf +++ b/tests/acceptance/16_cf-serverd/serial/011.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_ciphers_success.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_ciphers_success.cf index 21678b3bde..9585f5cbd1 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_ciphers_success.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_ciphers_success.cf @@ -7,6 +7,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different.cf index 7ae9a7c2ee..9882be5491 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: "any" usebundle => file_make("$(G.testdir)/source_file", "Source and Destination are DIFFERENT_A"); diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip.cf index 1c5c42b703..f327f6ca7f 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: "any" usebundle => file_make("$(G.testdir)/127.0.0.1.txt", "Source and Destination are different_A"); diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip_and_shortcut.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip_and_shortcut.cf index 731721978b..f327f6ca7f 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip_and_shortcut.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip_and_shortcut.cf @@ -8,6 +8,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; methods: "any" usebundle => file_make("$(G.testdir)/127.0.0.1.txt", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_shortcut.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_shortcut.cf index 1c504c8422..139a1e35ba 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_shortcut.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_shortcut.cf @@ -7,6 +7,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_encrypted_md5_zero_length_file.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_encrypted_md5_zero_length_file.cf index 5e2d54e74b..b99eaa6243 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_encrypted_md5_zero_length_file.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_encrypted_md5_zero_length_file.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_empty("$(G.testdir)/source_file"); diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_expand_ip_directory.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_expand_ip_directory.cf index f43712bf14..c79ff63c7e 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_expand_ip_directory.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_expand_ip_directory.cf @@ -15,6 +15,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: "any" usebundle => file_make("$(G.testdir)/127.0.0.1_DIR1/ADMIT_FILE", "ADMIT_FILE A CONTENTS"); diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed-classic_protocol.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed-classic_protocol.cf index a600670708..f3e45f0131 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed-classic_protocol.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed-classic_protocol.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed.cf index a600670708..f3e45f0131 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_md5_zero_length_file.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_md5_zero_length_file.cf index 5e2d54e74b..b99eaa6243 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_md5_zero_length_file.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_md5_zero_length_file.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_empty("$(G.testdir)/source_file"); diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_fail.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_fail.cf index 33473895eb..f580826488 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_fail.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_fail.cf @@ -13,6 +13,9 @@ bundle agent test "description" -> {"ENT-4617"} string => "Test that requiring TLS 1.3 works fine"; + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_success.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_success.cf index aa41db3bae..867d21ad96 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_success.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_success.cf @@ -13,6 +13,8 @@ bundle agent test "description" -> {"ENT-4617"} string => "Test that CFEngine connections over TLS 1.3 work fine"; + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_missing_ok.cf b/tests/acceptance/16_cf-serverd/serial/copy_missing_ok.cf index 4cd3aac5c6..9ae428b473 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_missing_ok.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_missing_ok.cf @@ -7,6 +7,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # ensure destination files are not there "any" usebundle => dcs_fini("$(G.testdir)/dir"); diff --git a/tests/acceptance/22_cf-runagent/serial/bundles_all_allowed_regex_disallowed_admitted.cf b/tests/acceptance/22_cf-runagent/serial/bundles_all_allowed_regex_disallowed_admitted.cf index 8bc0b49463..84a92cb499 100644 --- a/tests/acceptance/22_cf-runagent/serial/bundles_all_allowed_regex_disallowed_admitted.cf +++ b/tests/acceptance/22_cf-runagent/serial/bundles_all_allowed_regex_disallowed_admitted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/cfruncommand_argv0_quoted.cf b/tests/acceptance/22_cf-runagent/serial/cfruncommand_argv0_quoted.cf index 4ffbb09f35..83901b0d19 100644 --- a/tests/acceptance/22_cf-runagent/serial/cfruncommand_argv0_quoted.cf +++ b/tests/acceptance/22_cf-runagent/serial/cfruncommand_argv0_quoted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/cfruncommand_open.cf b/tests/acceptance/22_cf-runagent/serial/cfruncommand_open.cf index 1abdc628e6..ea6acae5c3 100644 --- a/tests/acceptance/22_cf-runagent/serial/cfruncommand_open.cf +++ b/tests/acceptance/22_cf-runagent/serial/cfruncommand_open.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_admitted_1.cf index 6fe4422f51..66cc006c40 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_bundle2_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_bundle2_admitted_1.cf index c4f18222bb..d9f0ab8898 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_bundle2_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_bundle2_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle2_admitted.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle2_admitted.cf index eaa2daae37..421913028a 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle2_admitted.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle2_admitted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_ns1_role2_-B_ns2_bundle2_admitted.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_ns1_role2_-B_ns2_bundle2_admitted.cf index 1c038f3575..9c2b39bf4d 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_ns1_role2_-B_ns2_bundle2_admitted.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_ns1_role2_-B_ns2_bundle2_admitted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1-B_bundle1_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1-B_bundle1_admitted_1.cf index 18de7a3704..cbaa462bcd 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1-B_bundle1_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1-B_bundle1_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_-D_role2_admitted.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_-D_role2_admitted.cf index c20bc3453d..2182a5ca01 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_-D_role2_admitted.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_-D_role2_admitted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_1.cf index 8ba30680a1..4f4fd72db2 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_2.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_2.cf index c01aeeecb5..0b0cb1f4f2 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_2.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_2.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_3.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_3.cf index 202358fd10..070d03b888 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_3.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_3.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_1.cf index 3cf9662b30..bd587cb715 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_2.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_2.cf index d64ea86453..3314a10f09 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_2.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_2.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_-B_bundle2_admitted.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_-B_bundle2_admitted.cf index 3e372725c4..0cc93ef624 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_-B_bundle2_admitted.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_-B_bundle2_admitted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_1.cf index 2d7ee1f0fc..e8ec9e91cf 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_2.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_2.cf index 37f964e00c..6b9724740a 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_2.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_2.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/24_cmd_line_arguments/parsed_policy.cf b/tests/acceptance/24_cmd_line_arguments/parsed_policy.cf index d74f7d8a80..d073ded8f5 100644 --- a/tests/acceptance/24_cmd_line_arguments/parsed_policy.cf +++ b/tests/acceptance/24_cmd_line_arguments/parsed_policy.cf @@ -21,6 +21,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "arg_list" slist => { "none", "cf", "json", "cf-full", "json-full" }; diff --git a/tests/acceptance/25_cf-execd/mail_1st_run_empty_new_log.cf b/tests/acceptance/25_cf-execd/mail_1st_run_empty_new_log.cf index 423ef8170e..accdd80788 100644 --- a/tests/acceptance/25_cf-execd/mail_1st_run_empty_new_log.cf +++ b/tests/acceptance/25_cf-execd/mail_1st_run_empty_new_log.cf @@ -28,6 +28,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { methods: diff --git a/tests/acceptance/25_cf-execd/mail_empty_old_and_new_log.cf b/tests/acceptance/25_cf-execd/mail_empty_old_and_new_log.cf index 9c48deb1ad..627a891db7 100644 --- a/tests/acceptance/25_cf-execd/mail_empty_old_and_new_log.cf +++ b/tests/acceptance/25_cf-execd/mail_empty_old_and_new_log.cf @@ -33,6 +33,13 @@ bundle agent init link_from => linkfrom("$(sys.workdir)/outputs/old.log", "symlink"); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { methods: diff --git a/tests/acceptance/25_cf-execd/mail_exclude_filter.cf b/tests/acceptance/25_cf-execd/mail_exclude_filter.cf index 41f35b3dee..62e868752d 100644 --- a/tests/acceptance/25_cf-execd/mail_exclude_filter.cf +++ b/tests/acceptance/25_cf-execd/mail_exclude_filter.cf @@ -25,6 +25,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/25_cf-execd/mail_include_and_exclude_filters.cf b/tests/acceptance/25_cf-execd/mail_include_and_exclude_filters.cf index 6023b6a474..26ecb478d3 100644 --- a/tests/acceptance/25_cf-execd/mail_include_and_exclude_filters.cf +++ b/tests/acceptance/25_cf-execd/mail_include_and_exclude_filters.cf @@ -34,6 +34,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/25_cf-execd/mail_include_filter.cf b/tests/acceptance/25_cf-execd/mail_include_filter.cf index b97e96c452..b5532d33da 100644 --- a/tests/acceptance/25_cf-execd/mail_include_filter.cf +++ b/tests/acceptance/25_cf-execd/mail_include_filter.cf @@ -25,6 +25,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/25_cf-execd/mail_no_filter.cf b/tests/acceptance/25_cf-execd/mail_no_filter.cf index 633e64f22d..c26b9bd775 100644 --- a/tests/acceptance/25_cf-execd/mail_no_filter.cf +++ b/tests/acceptance/25_cf-execd/mail_no_filter.cf @@ -22,6 +22,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/25_cf-execd/mailfilter_1st_run_everything_filtered.cf b/tests/acceptance/25_cf-execd/mailfilter_1st_run_everything_filtered.cf index 346f8927fb..4dec4da34e 100644 --- a/tests/acceptance/25_cf-execd/mailfilter_1st_run_everything_filtered.cf +++ b/tests/acceptance/25_cf-execd/mailfilter_1st_run_everything_filtered.cf @@ -32,6 +32,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { methods: diff --git a/tests/acceptance/25_cf-execd/mailfilter_empty_old_log_everything_filtered.cf b/tests/acceptance/25_cf-execd/mailfilter_empty_old_log_everything_filtered.cf index 8b19d6207f..bd01a2f260 100644 --- a/tests/acceptance/25_cf-execd/mailfilter_empty_old_log_everything_filtered.cf +++ b/tests/acceptance/25_cf-execd/mailfilter_empty_old_log_everything_filtered.cf @@ -38,6 +38,13 @@ bundle agent init link_from => linkfrom("$(sys.workdir)/outputs/old.log", "symlink"); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { methods: diff --git a/tests/acceptance/25_cf-execd/slow/dies_in_time.cf b/tests/acceptance/25_cf-execd/slow/dies_in_time.cf index 758ca963f5..e95942b2f6 100644 --- a/tests/acceptance/25_cf-execd/slow/dies_in_time.cf +++ b/tests/acceptance/25_cf-execd/slow/dies_in_time.cf @@ -74,6 +74,10 @@ echo DONE > $(G.testdir)/exec_command.status bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + commands: "$(sys.cf_execd) -f $(this.promise_dirname)/kill_myself.execd.srv" diff --git a/tests/acceptance/25_cf-execd/timed/mailfilter_repeated_runs.cf b/tests/acceptance/25_cf-execd/timed/mailfilter_repeated_runs.cf index 29b611e793..1bcd8181b2 100644 --- a/tests/acceptance/25_cf-execd/timed/mailfilter_repeated_runs.cf +++ b/tests/acceptance/25_cf-execd/timed/mailfilter_repeated_runs.cf @@ -107,6 +107,13 @@ bundle agent init "any" usebundle => run_cf_execd(@(expected5), @(unexpected)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { methods: diff --git a/tests/acceptance/26_cf-net/serial/cf-net_connect.cf b/tests/acceptance/26_cf-net/serial/cf-net_connect.cf index f5b0521ce5..033183ac17 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_connect.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_connect.cf @@ -34,6 +34,8 @@ bundle agent test contain => myshell; meta: "description" string => "Connect and authenticate with cf-serverd"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/26_cf-net/serial/cf-net_get.cf b/tests/acceptance/26_cf-net/serial/cf-net_get.cf index 12511dde21..3d0d78ee18 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_get.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_get.cf @@ -34,6 +34,9 @@ bundle agent test contain => myshell; meta: "description" string => "STAT+GET policy file from cf-serverd"; + "test_skip_needs_work" string => "windows", + comment => "for some reason, softfailing this test is not enough", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/26_cf-net/serial/cf-net_help.cf b/tests/acceptance/26_cf-net/serial/cf-net_help.cf index db8c487748..ebfbe74a8e 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_help.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_help.cf @@ -29,6 +29,8 @@ bundle agent test contain => myshell; meta: "description" string => "Argument parsing and help output"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/26_cf-net/serial/cf-net_stat.cf b/tests/acceptance/26_cf-net/serial/cf-net_stat.cf index 8d9c2f0c30..2fdb01740e 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_stat.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_stat.cf @@ -38,6 +38,8 @@ bundle agent test contain => myshell; meta: "description" string => "Stat a regular file (this policy file)"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/26_cf-net/serial/cf-net_stat_deny.cf b/tests/acceptance/26_cf-net/serial/cf-net_stat_deny.cf index 6f4d18d3ec..ecea92f941 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_stat_deny.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_stat_deny.cf @@ -38,6 +38,8 @@ bundle agent test contain => myshell; meta: "description" string => "Attempt to stat file without permission"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/26_cf-net/serial/cf-net_stat_dir.cf b/tests/acceptance/26_cf-net/serial/cf-net_stat_dir.cf index 80f1d5563a..685beb317c 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_stat_dir.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_stat_dir.cf @@ -38,6 +38,8 @@ bundle agent test contain => myshell; meta: "description" string => "Stat a directory"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/27_cf-secret/decrypt.cf b/tests/acceptance/27_cf-secret/decrypt.cf index 1dbca5ce79..0baf3c522c 100644 --- a/tests/acceptance/27_cf-secret/decrypt.cf +++ b/tests/acceptance/27_cf-secret/decrypt.cf @@ -10,6 +10,8 @@ bundle agent test meta: "description" string => "Test that cf-secret can still decrypt content encrypted at the time of initial implementation"; + "test_soft_fail" string => "windows", + meta => { "ENT-10405" }; commands: "$(sys.cf_secret)" diff --git a/tests/acceptance/27_cf-secret/encrypt-decrypt-args.cf b/tests/acceptance/27_cf-secret/encrypt-decrypt-args.cf index d1979688cf..1a3208686e 100644 --- a/tests/acceptance/27_cf-secret/encrypt-decrypt-args.cf +++ b/tests/acceptance/27_cf-secret/encrypt-decrypt-args.cf @@ -21,6 +21,8 @@ bundle agent test "description" string => "Test cf-secret with different arguments/order"; + "test_soft_fail" string => "windows", + meta => { "ENT-10405" }; vars: "text" string => "This secret sauce should be encrypted and decrypted."; diff --git a/tests/acceptance/27_cf-secret/encrypt-decrypt.cf b/tests/acceptance/27_cf-secret/encrypt-decrypt.cf index 25fb244d8d..57a77623f5 100644 --- a/tests/acceptance/27_cf-secret/encrypt-decrypt.cf +++ b/tests/acceptance/27_cf-secret/encrypt-decrypt.cf @@ -21,6 +21,8 @@ bundle agent test "description" string => "Test that cf-secret basic key based encryption and decryption work"; + "test_soft_fail" string => "windows", + meta => { "ENT-10405" }; vars: "text" diff --git a/tests/acceptance/27_cf-secret/encrypt-no-key.cf b/tests/acceptance/27_cf-secret/encrypt-no-key.cf index ddc1ba9f93..ce84d42363 100644 --- a/tests/acceptance/27_cf-secret/encrypt-no-key.cf +++ b/tests/acceptance/27_cf-secret/encrypt-no-key.cf @@ -47,6 +47,9 @@ bundle agent test "description" -> { "CFE-3874" } string => "Test that encrypting with no host- / key argument defaults to encrypting for localhost."; + "test_soft_fail" string => "windows", + meta => { "ENT-10405" }; + commands: # Encrypt test file "$(sys.cf_secret)" diff --git a/tests/acceptance/28_inform_testing/common.cf.sub b/tests/acceptance/28_inform_testing/common.cf.sub index 4a6ed12b57..2d031bf945 100644 --- a/tests/acceptance/28_inform_testing/common.cf.sub +++ b/tests/acceptance/28_inform_testing/common.cf.sub @@ -50,6 +50,10 @@ body delete init_delete bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10406" }, + if => not( strcmp( "insert_lines_noop.cf", "$(sys.policy_entry_basename)" ) ); vars: "cf_agent" string => ifelse(isvariable("sys.cf_agent"), "$(sys.cf_agent)", "/var/cfengine/bin/cf-agent"); "filter_list" slist => { " -e '/filestat bailing/d' ", diff --git a/tests/acceptance/29_simulate_mode/diff_mode.cf b/tests/acceptance/29_simulate_mode/diff_mode.cf index 494f17be78..1d031b2e80 100644 --- a/tests/acceptance/29_simulate_mode/diff_mode.cf +++ b/tests/acceptance/29_simulate_mode/diff_mode.cf @@ -19,9 +19,10 @@ bundle agent init bundle agent test { meta: - "test_soft_fail" string => "(solaris|aix|hpux)", - meta => { "ENT-6540" }; + "test_soft_fail" string => "(solaris|aix|hpux|windows)", + meta => { "ENT-6540,ENT-10254" }; # ENT-6540 exotics fail to delete chroot + # ENT-10254 tests fail on Windows due to CRLF "description" -> { "ENT-5302" } string => "Test that files promises in --simulate=diff mode produce proper output and only make changes in chroot"; diff --git a/tests/acceptance/29_simulate_mode/manifest_full_mode.cf b/tests/acceptance/29_simulate_mode/manifest_full_mode.cf index 84991051b1..c4906d5406 100644 --- a/tests/acceptance/29_simulate_mode/manifest_full_mode.cf +++ b/tests/acceptance/29_simulate_mode/manifest_full_mode.cf @@ -19,9 +19,10 @@ bundle agent init bundle agent test { meta: - "test_soft_fail" string => "(solaris|aix|hpux)", - meta => { "ENT-6540" }; + "test_soft_fail" string => "(solaris|aix|hpux|windows)", + meta => { "ENT-6540,ENT-10254" }; # ENT-6540 exotics fail to delete chroot + # ENT-10254 tests fail on Windows due to CRLF "description" -> { "ENT-5301" } string => "Test that files promises in --simulate=manifest-full mode produce proper output and only make changes in chroot"; diff --git a/tests/acceptance/29_simulate_mode/manifest_mode.cf b/tests/acceptance/29_simulate_mode/manifest_mode.cf index 841e76513c..dda53e7f42 100644 --- a/tests/acceptance/29_simulate_mode/manifest_mode.cf +++ b/tests/acceptance/29_simulate_mode/manifest_mode.cf @@ -19,9 +19,10 @@ bundle agent init bundle agent test { meta: - "test_soft_fail" string => "(solaris|aix|hpux)", - meta => { "ENT-6540" }; + "test_soft_fail" string => "(solaris|aix|hpux|windows)", + meta => { "ENT-6540,ENT-10254" }; # ENT-6540 exotics fail to delete chroot + # ENT-10254 tests fail on Windows due to CRLF "description" -> { "ENT-5301" } string => "Test that files promises in --simulate=manifest mode produce proper output and only make changes in chroot"; diff --git a/tests/acceptance/30_custom_promise_types/01_basic_module.cf b/tests/acceptance/30_custom_promise_types/01_basic_module.cf index e19c9a535b..812c362b7f 100644 --- a/tests/acceptance/30_custom_promise_types/01_basic_module.cf +++ b/tests/acceptance/30_custom_promise_types/01_basic_module.cf @@ -43,6 +43,9 @@ bundle agent test meta: "description" -> { "CFE-3443" } string => "Test that you can add a promise module and evaluate a custom promise"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; + vars: "test_string" diff --git a/tests/acceptance/30_custom_promise_types/02_if.cf b/tests/acceptance/30_custom_promise_types/02_if.cf index a54b9664a1..6c3ae9c0e9 100644 --- a/tests/acceptance/30_custom_promise_types/02_if.cf +++ b/tests/acceptance/30_custom_promise_types/02_if.cf @@ -58,6 +58,8 @@ bundle agent test meta: "description" -> { "CFE-3391" } string => "Test that custom promises work with if attribute"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "false_variable" diff --git a/tests/acceptance/30_custom_promise_types/05_meta_attr.cf b/tests/acceptance/30_custom_promise_types/05_meta_attr.cf index 4426b031ef..7e38995dce 100644 --- a/tests/acceptance/30_custom_promise_types/05_meta_attr.cf +++ b/tests/acceptance/30_custom_promise_types/05_meta_attr.cf @@ -45,6 +45,8 @@ bundle agent test meta: "description" -> { "CFE-3440" } string => "Test that you can use a meta attribute with a custom promise"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "test_string" diff --git a/tests/acceptance/30_custom_promise_types/11_unless.cf b/tests/acceptance/30_custom_promise_types/11_unless.cf index d845fde90b..8ca6cdf629 100644 --- a/tests/acceptance/30_custom_promise_types/11_unless.cf +++ b/tests/acceptance/30_custom_promise_types/11_unless.cf @@ -58,6 +58,8 @@ bundle agent test meta: "description" -> { "CFE-3431" } string => "Test that custom promises work with unless attribute"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "false_variable" diff --git a/tests/acceptance/30_custom_promise_types/12_multiple_promises.cf b/tests/acceptance/30_custom_promise_types/12_multiple_promises.cf index 7683de71d9..17fea8d49b 100644 --- a/tests/acceptance/30_custom_promise_types/12_multiple_promises.cf +++ b/tests/acceptance/30_custom_promise_types/12_multiple_promises.cf @@ -51,6 +51,8 @@ bundle agent test meta: "description" -> { "CFE-3443" } string => "Test that you can evaluate multiple custom promises of the same type"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "test_string" diff --git a/tests/acceptance/30_custom_promise_types/13_binary_path.cf b/tests/acceptance/30_custom_promise_types/13_binary_path.cf index ea1ba96939..bf85e2bb73 100644 --- a/tests/acceptance/30_custom_promise_types/13_binary_path.cf +++ b/tests/acceptance/30_custom_promise_types/13_binary_path.cf @@ -12,6 +12,9 @@ promise agent binary bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; binary: "foobar" classes => if_ok("binary_ok"); diff --git a/tests/acceptance/30_custom_promise_types/14_multiple_promise_types_same_module.cf b/tests/acceptance/30_custom_promise_types/14_multiple_promise_types_same_module.cf index 19525601cf..bc8e134598 100644 --- a/tests/acceptance/30_custom_promise_types/14_multiple_promise_types_same_module.cf +++ b/tests/acceptance/30_custom_promise_types/14_multiple_promise_types_same_module.cf @@ -57,6 +57,8 @@ bundle agent test meta: "description" -> { "CFE-3443" } string => "Test that you can use the same custom module for two promise types"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "test_string" diff --git a/tests/acceptance/30_custom_promise_types/15_conflicting_interpreters.cf b/tests/acceptance/30_custom_promise_types/15_conflicting_interpreters.cf index 09781d7c84..410a7d76c0 100644 --- a/tests/acceptance/30_custom_promise_types/15_conflicting_interpreters.cf +++ b/tests/acceptance/30_custom_promise_types/15_conflicting_interpreters.cf @@ -58,6 +58,8 @@ bundle agent test meta: "description" -> { "CFE-3443" } string => "Test that you cannot use a promise module with two different interpreters"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "test_string" diff --git a/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf b/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf index b64c1a3f4e..8ad75fd22f 100644 --- a/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf +++ b/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf @@ -38,6 +38,8 @@ bundle agent test meta: "description" -> { "CFE-3723" } string => "Test that input from cf-agent to promise module matches expected data"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; example: cfengine:: diff --git a/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf.expected b/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf.expected index 25d30cdbfe..d06f1bc7c9 100644 --- a/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf.expected +++ b/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf.expected @@ -4,7 +4,7 @@ operation=validate_promise log_level=info promise_type=example promiser=Promiser -line_number=44 +line_number=46 filename=./30_custom_promise_types/22_what_module_gets.cf attribute_attributeName=attributeValue @@ -12,7 +12,7 @@ operation=evaluate_promise log_level=info promise_type=example promiser=Promiser -line_number=44 +line_number=46 filename=./30_custom_promise_types/22_what_module_gets.cf attribute_attributeName=attributeValue diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_supported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_supported.cf index ed6aff3067..dbcdbd4f5c 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_supported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_supported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that dry-run can be used with custom promise modules supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_unsupported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_unsupported.cf index 3d0fdbf645..01cb2f2431 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_unsupported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_unsupported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that --dry-run produces errors when used with custom promise modules not supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_fake_supported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_fake_supported.cf index e6ff2c80f2..7a0ba4207f 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_fake_supported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_fake_supported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that a bug in a module is reported if it advertises action_policy feature, but doesn't properly implement it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_supported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_supported.cf index 5030fb32e5..9472c4d3a3 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_supported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_supported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that action_policy can be used with custom promise modules supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_unsupported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_unsupported.cf index 18f8620447..52b33ccc1d 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_unsupported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_unsupported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that action_policy produces errors when used with custom promise modules not supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_supported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_supported.cf index 7cf0b12c15..b8dd3d28ba 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_supported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_supported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that --simulate can be used with custom promise modules supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_unsupported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_unsupported.cf index cfbf87327e..1232467af5 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_unsupported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_unsupported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that --simulate produces errors when used with custom promise modules not supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/dcs.cf.sub b/tests/acceptance/dcs.cf.sub index a12db971d5..5182123191 100644 --- a/tests/acceptance/dcs.cf.sub +++ b/tests/acceptance/dcs.cf.sub @@ -83,27 +83,24 @@ bundle common G "paths[usr_local_bin]" string => "/usr/local/bin"; "paths[usr_contrib_bin]" string => "/usr/contrib/bin"; windows:: - "paths[mingw_msys_1_0_bin]" string => "c:\\mingw\\msys\\1.0\\bin"; - "paths[msys_1_0_bin]" string => "c:\\msys\\1.0\\bin"; - "paths[msys_bin]" string => "c:\\msys\\bin"; - "paths[pstools]" string => "c:\\PSTools"; - "paths[strawberry_perl_bin]" string => "c:\\strawberry\\perl\\bin"; + "paths[msys64_usr_bin]" string => "c:\\msys64\\usr\\bin"; + "paths[temp_msys64_usr_bin]" string => "d:\\a\\_temp\\msys64\\usr\\bin"; "paths[tool_wrappers]" string => "$(this.promise_dirname)\\tool_wrappers"; any:: "paths_indices" slist => getindices("paths"); # dereferenced path of the executable - "deref_paths[$(paths[$(paths_indices)])][$(cmds)]" string => + "deref_paths[$(paths[$(paths_indices)])][$(cmds)$(exeext)]" string => filestat("$(paths[$(paths_indices)])$(const.dirsep)$(cmds)$(exeext)", "linktarget"); classes: # General commands. "$(paths_indices)_$(cmds)$(exeext)" expression => - fileexists("$(deref_paths[$(paths[$(paths_indices)])][$(cmds)])"); + fileexists("$(deref_paths[$(paths[$(paths_indices)])][$(cmds)$(exeext)])"); "has_$(cmds)" expression => - fileexists("$(deref_paths[$(paths[$(paths_indices)])][$(cmds)])"), + fileexists("$(deref_paths[$(paths[$(paths_indices)])][$(cmds)$(exeext)])"), scope => "namespace"; # Special cases. diff --git a/tests/acceptance/testall b/tests/acceptance/testall index 79cf1d39c2..aac5305646 100755 --- a/tests/acceptance/testall +++ b/tests/acceptance/testall @@ -457,7 +457,7 @@ runtest() { fi if uname | grep MINGW > /dev/null then - PLATFORM_WORKDIR="$(echo $WORKDIR | sed -e 's%^/\([a-cA-Z]\)/%\1:/%' | sed -e 's%/%\\%g')" + PLATFORM_WORKDIR="$(echo $WORKDIR | sed -e 's%^/\([a-zA-Z]\)/%\1:/%' | sed -e 's%/%\\%g')" DS="\\" else PLATFORM_WORKDIR="$WORKDIR" @@ -733,6 +733,13 @@ export CFENGINE_TEST_OVERRIDE_WORKDIR TEMP CFENGINE_TEST_OVERRIDE_EXTENSION_LIBR ;; esac done + if [ "$GITHUB_ACTIONS" = "true" ] && [ "$RUNNER_OS" = "Windows" ] + then + # on Github Actions Windows runners, `rm -rf` moves files into /d/d/ directory. + # To clean this "Recycle bin", we delete this directory. + # Otherwise, runner promptly run out of disk space. + rm -rf /d/d/ + fi fi if [ -z "$QUIET" ] diff --git a/tests/acceptance/tool_wrappers/template.bat b/tests/acceptance/tool_wrappers/template.bat index b7a310d004..5beff82862 100644 --- a/tests/acceptance/tool_wrappers/template.bat +++ b/tests/acceptance/tool_wrappers/template.bat @@ -1,6 +1,5 @@ @echo off -if exist c:\mingw\msys\1.0\bin\sh.exe c:\mingw\msys\1.0\bin\sh.exe -c "%*" & goto end -if exist c:\msys\1.0\bin\sh.exe c:\msys\1.0\bin\sh.exe -c "%*" & goto end -if exist c:\msys\bin\sh.exe c:\msys\bin\sh.exe -c "%*" & goto end +if exist c:\msys64\usr\bin\sh.exe c:\msys64\usr\bin\sh.exe -c "%*" & goto end +if exist d:\a\_temp\msys64\usr\bin\sh.exe d:\a\_temp\msys64\usr\bin\sh.exe -c "%*" & goto end :end From b270937ed344eee7abeba3bd26664753cd846afe Mon Sep 17 00:00:00 2001 From: Aleksei Shpakovskii Date: Tue, 18 Jul 2023 15:17:42 +0200 Subject: [PATCH 064/255] un-soft-fail passing tests After removing .gitattributes file, some tests started passing Ticket: ENT-10254 Changelog: none (cherry picked from commit 1c93e72c9aa1e83dc504fbd42e1883cd240a5f2e) --- tests/acceptance/00_basics/01_compiler/string_contexts.cf | 4 ---- tests/acceptance/00_basics/01_compiler/with_iteration.cf | 4 ---- tests/acceptance/00_basics/def.json/state.cf | 3 --- tests/acceptance/01_vars/01_basic/this_variables.cf | 3 --- tests/acceptance/01_vars/02_functions/cf_version.cf | 3 --- tests/acceptance/01_vars/02_functions/data_expand.cf | 3 --- tests/acceptance/01_vars/02_functions/every_some_none.cf | 3 --- tests/acceptance/01_vars/02_functions/filter.cf | 3 --- tests/acceptance/01_vars/02_functions/format_edge_case.cf | 3 --- tests/acceptance/01_vars/02_functions/getindices.cf | 3 --- .../getindices_returns_expected_list_from_array.cf | 4 ---- .../getindices_returns_expected_list_from_datacontainer.cf | 4 ---- tests/acceptance/01_vars/02_functions/gettags.cf | 4 ---- tests/acceptance/01_vars/02_functions/getvalues.cf | 4 ---- tests/acceptance/01_vars/02_functions/getvalues_containers.cf | 4 ---- ...ll_values_for_given_datacontainer_index_merging_strings.cf | 4 ---- tests/acceptance/01_vars/02_functions/ifelse.cf | 4 ---- tests/acceptance/01_vars/02_functions/ifelse_isvariable.cf | 2 -- tests/acceptance/01_vars/02_functions/inline_json.cf | 4 ---- tests/acceptance/01_vars/02_functions/join.cf | 4 ---- tests/acceptance/01_vars/02_functions/length.cf | 4 ---- tests/acceptance/01_vars/02_functions/maparray.cf | 4 ---- tests/acceptance/01_vars/02_functions/maparray_multi_index.cf | 4 ---- tests/acceptance/01_vars/02_functions/maplist.cf | 4 ---- .../acceptance/01_vars/02_functions/mergedata-json-strings.cf | 2 -- tests/acceptance/01_vars/02_functions/network/url_get.cf | 2 -- tests/acceptance/01_vars/02_functions/nth_datacontainer.cf | 4 ---- tests/acceptance/01_vars/02_functions/readdata_yaml.cf | 4 ---- tests/acceptance/01_vars/02_functions/regex_replace.cf | 4 ---- tests/acceptance/01_vars/02_functions/reverse.cf | 4 ---- .../02_functions/setop_unique_difference_intersection.cf | 3 --- tests/acceptance/01_vars/02_functions/storejson.cf | 3 --- tests/acceptance/01_vars/02_functions/storejson_edge_case.cf | 3 --- tests/acceptance/01_vars/02_functions/string_mustache.cf | 4 ---- tests/acceptance/01_vars/02_functions/string_replace.cf | 4 ---- tests/acceptance/01_vars/02_functions/string_trim.cf | 4 ---- tests/acceptance/01_vars/02_functions/sublist.cf | 4 ---- tests/acceptance/01_vars/02_functions/sum_and_product.cf | 4 ---- tests/acceptance/01_vars/02_functions/text_xform.cf | 4 ---- tests/acceptance/01_vars/02_functions/type.cf | 2 -- tests/acceptance/01_vars/02_functions/validdata.cf | 4 ---- tests/acceptance/01_vars/02_functions/variablesmatching.cf | 4 ---- .../acceptance/01_vars/02_functions/wrap_container_fncalls.cf | 4 ---- tests/acceptance/01_vars/04_containers/inline_json.cf | 4 ---- tests/acceptance/01_vars/04_containers/inline_yaml.cf | 4 ---- .../01_vars/04_containers/iterate_over_data_array.cf | 2 -- tests/acceptance/02_classes/01_basic/from_json_booleans.cf | 4 ---- tests/acceptance/02_classes/02_functions/iprange.cf | 4 ---- tests/acceptance/02_classes/02_functions/isipinsubnet.cf | 4 ---- .../acceptance/10_files/09_insert_lines/insert-large-lines.cf | 3 --- .../mustache_missing_variable_is_empty_string_by_default.cf | 4 ---- .../10_files/mustache_render_multiline_template_data.cf | 4 ---- .../10_files/templating/mustache_top_level_iteration.cf | 4 ---- 53 files changed, 190 deletions(-) diff --git a/tests/acceptance/00_basics/01_compiler/string_contexts.cf b/tests/acceptance/00_basics/01_compiler/string_contexts.cf index 980cf7ab04..835fd8f3f6 100644 --- a/tests/acceptance/00_basics/01_compiler/string_contexts.cf +++ b/tests/acceptance/00_basics/01_compiler/string_contexts.cf @@ -12,10 +12,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - defaults: "s1" string => "1"; "s2" string => "2"; diff --git a/tests/acceptance/00_basics/01_compiler/with_iteration.cf b/tests/acceptance/00_basics/01_compiler/with_iteration.cf index 3b7a903a4a..9ea16ee9a0 100644 --- a/tests/acceptance/00_basics/01_compiler/with_iteration.cf +++ b/tests/acceptance/00_basics/01_compiler/with_iteration.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "probe" string => "0"; "iter" slist => { "1", "2", "3" }; diff --git a/tests/acceptance/00_basics/def.json/state.cf b/tests/acceptance/00_basics/def.json/state.cf index e2a33b1396..5fee065ed2 100644 --- a/tests/acceptance/00_basics/def.json/state.cf +++ b/tests/acceptance/00_basics/def.json/state.cf @@ -10,9 +10,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; } ####################################################### diff --git a/tests/acceptance/01_vars/01_basic/this_variables.cf b/tests/acceptance/01_vars/01_basic/this_variables.cf index fe30882040..d24a4cebab 100644 --- a/tests/acceptance/01_vars/01_basic/this_variables.cf +++ b/tests/acceptance/01_vars/01_basic/this_variables.cf @@ -18,9 +18,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "var" slist => { "var in test" }; "var_test" slist => { "var_test in test" }; diff --git a/tests/acceptance/01_vars/02_functions/cf_version.cf b/tests/acceptance/01_vars/02_functions/cf_version.cf index dd4a9e86d0..242f2070ad 100644 --- a/tests/acceptance/01_vars/02_functions/cf_version.cf +++ b/tests/acceptance/01_vars/02_functions/cf_version.cf @@ -15,9 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "after_newer" string => "yes", if => cf_version_after("1.0.0"); diff --git a/tests/acceptance/01_vars/02_functions/data_expand.cf b/tests/acceptance/01_vars/02_functions/data_expand.cf index c211a579f2..3d45a407a5 100644 --- a/tests/acceptance/01_vars/02_functions/data_expand.cf +++ b/tests/acceptance/01_vars/02_functions/data_expand.cf @@ -15,9 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "x" string => "foo"; "y" int => "200"; diff --git a/tests/acceptance/01_vars/02_functions/every_some_none.cf b/tests/acceptance/01_vars/02_functions/every_some_none.cf index d8938e5752..9e75f1c470 100644 --- a/tests/acceptance/01_vars/02_functions/every_some_none.cf +++ b/tests/acceptance/01_vars/02_functions/every_some_none.cf @@ -15,9 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; methods: "pretest"; "collect"; diff --git a/tests/acceptance/01_vars/02_functions/filter.cf b/tests/acceptance/01_vars/02_functions/filter.cf index 5770348349..541f14a536 100644 --- a/tests/acceptance/01_vars/02_functions/filter.cf +++ b/tests/acceptance/01_vars/02_functions/filter.cf @@ -15,9 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "tests" slist => { "fgrep09", "exact1", "exactdot", "regexdot", "invert", "max2", "max0", "grep09" }; "lists" slist => { "s1", "d1", "d2", "dempty" }; diff --git a/tests/acceptance/01_vars/02_functions/format_edge_case.cf b/tests/acceptance/01_vars/02_functions/format_edge_case.cf index 6a8bbebc75..818ae3168f 100644 --- a/tests/acceptance/01_vars/02_functions/format_edge_case.cf +++ b/tests/acceptance/01_vars/02_functions/format_edge_case.cf @@ -12,9 +12,6 @@ body common control ########################################################## bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "str" string => format('%s', 'Hello, everyone! This is the LONGEST TEXT EVER! I was inspired by the various other longest texts ever on the internet, and I wanted to make my own. So here it is! This is going to be a WORLD RECORD! This is actually my third attempt at doing this. The first time, I didnt save it. The second time, the Neocities editor crashed. Now Im writing this in Notepad, then copying it into the Neocities editor instead of typing it directly in the Neocities editor to avoid crashing. It sucks that my past two attempts are gone now. Those actually got pretty long. Not the longest, but still pretty long. I hope this one wont get lost somehow. Anyways, lets talk about WAFFLES! I like waffles. Waffles are cool. Waffles is a funny word. Theres a Teen Titans Go episode called Waffles where the word Waffles is said a hundred-something times. Its pretty annoying. Theres also a Teen Titans Go episode about Pig Latin. Dont know what Pig Latin is? Its a language where you take all the consonants before the first vowel, move them to the end, and add -ay to the end. If the word begins with a vowel, you just add -way to the end. For example, Waffles becomes Afflesway. Ive been speaking Pig Latin fluently since the fourth grade, so it surprised me when I saw the episode for the first time. I speak Pig Latin with my sister sometimes. Its pretty fun. I like speaking it in public so that everyone around us gets confused. Thats never actually happened before, but if it ever does, twill be pretty funny. By the way, twill is a word I invented recently, and its a contraction of it will. I really hope it gains popularity in the near future, because twill is WAY more fun than saying itll. Itll is too boring. Nobody likes boring. This is nowhere near being the longest text ever, but eventually it will be! I might still be writing this a decade later, who knows? But right now, its not very long. But Ill just keep writing until it is the longest! Have you ever heard the song Dau Dau by Awesome Scampis? Its an amazing song. Look it up on YouTube! I play that song all the time around my sister! It drives her crazy, and I love it. Another way I like driving my sister crazy is by speaking my own made up language to her. She hates the languages I make! The only language that we both speak besides English is Pig Latin. I think you already knew that. Whatever. I think Im gonna go for now. Bye! Hi, Im back now. Im gonna contribute more to this soon-to-be giant wall of text. I just realised I have a giant stuffed frog on my bed. I forgot his name. Im pretty sure it was something stupid though. I think it was FROG in Morse Code or something. Morse Code is cool. I know a bit of it, but Im not very good at it. Im also not very good at French. I barely know anything in French, and my pronunciation probably sucks. But Im learning it, at least. Im also learning Esperanto. Its this language that was made up by some guy a long time ago to be the universal language. A lot of people speak it. I am such a language nerd. Half of this text is probably gonna be about languages. But hey, as long as its long! Ha, get it? As LONG as its LONG? Im so funny, right? No, Im not. I should probably get some sleep. Goodnight! Hello, Im back again. I basically have only two interests nowadays: languages and furries. What? Oh, sorry, I thought you knew I was a furry. Haha, oops. Anyway, yeah, Im a furry, but since Im a young furry, I cant really do as much as I would like to do in the fandom. When Im older, I would like to have a fursuit, go to furry conventions, all that stuff. But for now I can only dream of that. Sorry you had to deal with me talking about furries, but Im honestly very desperate for this to be the longest text ever. Last night I was watching nothing but fursuit unboxings. I think I need help. This one time, me and my mom were going to go to a furry Christmas party, but we didnt end up going because of the fact that there was alcohol on the premises, and that she didnt wanna have to be a mom dragging her son through a crowd of furries. Both of those reasons were understandable. Okay, hopefully I wont have to talk about furries anymore. I dont care if youre a furry reading this right now, I just dont wanna have to torture everyone else.'); "list" slist => { $(str) }; diff --git a/tests/acceptance/01_vars/02_functions/getindices.cf b/tests/acceptance/01_vars/02_functions/getindices.cf index 6c24c3b8be..f682f5d1f8 100644 --- a/tests/acceptance/01_vars/02_functions/getindices.cf +++ b/tests/acceptance/01_vars/02_functions/getindices.cf @@ -38,9 +38,6 @@ bundle common b bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "user[name]" string => "zamboni"; "user[fullname][first]" string => "Diego"; diff --git a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf index 3e216bc491..27342861ab 100644 --- a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf +++ b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf @@ -37,10 +37,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "values_data_1" slist => getindices("init.data[bar]"); "values_data_2" slist => getindices("init.data[zebra][lion]"); diff --git a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf index 729f360b31..6fc8f93606 100644 --- a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf +++ b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf @@ -30,10 +30,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: # expected: one, two "values_data" slist => getindices("init.data[bar]"); diff --git a/tests/acceptance/01_vars/02_functions/gettags.cf b/tests/acceptance/01_vars/02_functions/gettags.cf index c7c2df54b6..c7eeb3546e 100644 --- a/tests/acceptance/01_vars/02_functions/gettags.cf +++ b/tests/acceptance/01_vars/02_functions/gettags.cf @@ -25,10 +25,6 @@ bundle common init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "tags1" slist => getclassmetatags("myclass"); "tags2" slist => getclassmetatags("myplainclass"); diff --git a/tests/acceptance/01_vars/02_functions/getvalues.cf b/tests/acceptance/01_vars/02_functions/getvalues.cf index 88909082c0..9087b7fbea 100644 --- a/tests/acceptance/01_vars/02_functions/getvalues.cf +++ b/tests/acceptance/01_vars/02_functions/getvalues.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "user[name]" string => "zamboni"; "user[fullname][first]" string => "Diego"; diff --git a/tests/acceptance/01_vars/02_functions/getvalues_containers.cf b/tests/acceptance/01_vars/02_functions/getvalues_containers.cf index ac67a69aa5..c47506e79d 100644 --- a/tests/acceptance/01_vars/02_functions/getvalues_containers.cf +++ b/tests/acceptance/01_vars/02_functions/getvalues_containers.cf @@ -15,10 +15,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "arr_v" slist => getvalues("init.arr"); diff --git a/tests/acceptance/01_vars/02_functions/getvalues_returns_all_values_for_given_datacontainer_index_merging_strings.cf b/tests/acceptance/01_vars/02_functions/getvalues_returns_all_values_for_given_datacontainer_index_merging_strings.cf index 44c7030ba9..25822c688d 100644 --- a/tests/acceptance/01_vars/02_functions/getvalues_returns_all_values_for_given_datacontainer_index_merging_strings.cf +++ b/tests/acceptance/01_vars/02_functions/getvalues_returns_all_values_for_given_datacontainer_index_merging_strings.cf @@ -37,10 +37,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "values_data" slist => getvalues("init.data"); "values_data2" slist => getvalues("init.data2"); diff --git a/tests/acceptance/01_vars/02_functions/ifelse.cf b/tests/acceptance/01_vars/02_functions/ifelse.cf index 6675c84872..e33851efc3 100644 --- a/tests/acceptance/01_vars/02_functions/ifelse.cf +++ b/tests/acceptance/01_vars/02_functions/ifelse.cf @@ -23,10 +23,6 @@ bundle common init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - classes: "myclass2" expression => "any"; vars: diff --git a/tests/acceptance/01_vars/02_functions/ifelse_isvariable.cf b/tests/acceptance/01_vars/02_functions/ifelse_isvariable.cf index 4ac101dec6..f1eddae20f 100644 --- a/tests/acceptance/01_vars/02_functions/ifelse_isvariable.cf +++ b/tests/acceptance/01_vars/02_functions/ifelse_isvariable.cf @@ -17,8 +17,6 @@ bundle agent test meta: "description" string => "Test that ifelse can use the result of isvariable as a class identifer"; - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: # Since init.passwd_file is defined, I expect the value to be diff --git a/tests/acceptance/01_vars/02_functions/inline_json.cf b/tests/acceptance/01_vars/02_functions/inline_json.cf index ce1a8d9cd4..0d27f9e642 100644 --- a/tests/acceptance/01_vars/02_functions/inline_json.cf +++ b/tests/acceptance/01_vars/02_functions/inline_json.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "z" string => "100"; "foo" string => "bar"; diff --git a/tests/acceptance/01_vars/02_functions/join.cf b/tests/acceptance/01_vars/02_functions/join.cf index a3ad4c833a..964fcee246 100644 --- a/tests/acceptance/01_vars/02_functions/join.cf +++ b/tests/acceptance/01_vars/02_functions/join.cf @@ -15,10 +15,6 @@ body common control bundle agent init { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "a" slist => { "b", "c", "a" }; "b" slist => { "100", "9", "10" }; diff --git a/tests/acceptance/01_vars/02_functions/length.cf b/tests/acceptance/01_vars/02_functions/length.cf index d7d093ad33..7c50f21627 100644 --- a/tests/acceptance/01_vars/02_functions/length.cf +++ b/tests/acceptance/01_vars/02_functions/length.cf @@ -21,10 +21,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "normal_list" slist => { "b", "c", "a" }; # 3 "empty_list" slist => { }; # 0 diff --git a/tests/acceptance/01_vars/02_functions/maparray.cf b/tests/acceptance/01_vars/02_functions/maparray.cf index e7e1d7ffe4..0a8e99a5b6 100644 --- a/tests/acceptance/01_vars/02_functions/maparray.cf +++ b/tests/acceptance/01_vars/02_functions/maparray.cf @@ -21,10 +21,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "load1" data => parsejson('[ 1, 2, 3]'); "load2" slist => { "eleme\"nt1", "element2", "element3" }; diff --git a/tests/acceptance/01_vars/02_functions/maparray_multi_index.cf b/tests/acceptance/01_vars/02_functions/maparray_multi_index.cf index fa4232aff2..a0feb0165d 100644 --- a/tests/acceptance/01_vars/02_functions/maparray_multi_index.cf +++ b/tests/acceptance/01_vars/02_functions/maparray_multi_index.cf @@ -22,10 +22,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "bundles[x][y][z1]" string => "xyz1"; "bundles[x][y][z23]" slist => { "xyz2", "xyz3" }; diff --git a/tests/acceptance/01_vars/02_functions/maplist.cf b/tests/acceptance/01_vars/02_functions/maplist.cf index 6c9066ce4a..202f94f2d8 100644 --- a/tests/acceptance/01_vars/02_functions/maplist.cf +++ b/tests/acceptance/01_vars/02_functions/maplist.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "testlist" slist => { "zero", "two", "three's", "four-fore:quatre", "last" }; "empty" slist => { }; diff --git a/tests/acceptance/01_vars/02_functions/mergedata-json-strings.cf b/tests/acceptance/01_vars/02_functions/mergedata-json-strings.cf index ef2557ad1c..1cedd35a62 100644 --- a/tests/acceptance/01_vars/02_functions/mergedata-json-strings.cf +++ b/tests/acceptance/01_vars/02_functions/mergedata-json-strings.cf @@ -12,8 +12,6 @@ bundle agent test meta: "description" string => "Test that plain json strings can be merged"; - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "merged" data => mergedata( '[]', '{ "one": "1" }', '{ "two":"2"}' ); diff --git a/tests/acceptance/01_vars/02_functions/network/url_get.cf b/tests/acceptance/01_vars/02_functions/network/url_get.cf index d00d8d410c..35f6535f98 100644 --- a/tests/acceptance/01_vars/02_functions/network/url_get.cf +++ b/tests/acceptance/01_vars/02_functions/network/url_get.cf @@ -35,8 +35,6 @@ bundle agent test { meta: "test_skip_unsupported" string => "!feature_curl"; - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "kept" data => mergedata( diff --git a/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf b/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf index 0c2d3f7ac2..cdcc1fe67a 100644 --- a/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf +++ b/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf @@ -24,10 +24,6 @@ bundle agent init bundle common test_common { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "data" data => readjson("$(this.promise_filename).json", "100k"); "datastr" string => format("%S", data); diff --git a/tests/acceptance/01_vars/02_functions/readdata_yaml.cf b/tests/acceptance/01_vars/02_functions/readdata_yaml.cf index 712cd8ae41..25c1e5df00 100644 --- a/tests/acceptance/01_vars/02_functions/readdata_yaml.cf +++ b/tests/acceptance/01_vars/02_functions/readdata_yaml.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: feature_yaml:: "explicit_yaml" data => readdata("$(this.promise_filename).yaml", "YAML"); diff --git a/tests/acceptance/01_vars/02_functions/regex_replace.cf b/tests/acceptance/01_vars/02_functions/regex_replace.cf index b08d5cfbc9..aacfc4bd7d 100644 --- a/tests/acceptance/01_vars/02_functions/regex_replace.cf +++ b/tests/acceptance/01_vars/02_functions/regex_replace.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "test" string => "abcdefghij"; diff --git a/tests/acceptance/01_vars/02_functions/reverse.cf b/tests/acceptance/01_vars/02_functions/reverse.cf index dde4e97a6a..88fb5fe040 100644 --- a/tests/acceptance/01_vars/02_functions/reverse.cf +++ b/tests/acceptance/01_vars/02_functions/reverse.cf @@ -24,10 +24,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "sa" slist => reverse("init.a"); "sb" slist => reverse("init.b"); diff --git a/tests/acceptance/01_vars/02_functions/setop_unique_difference_intersection.cf b/tests/acceptance/01_vars/02_functions/setop_unique_difference_intersection.cf index ed265b78c4..815ac9e40d 100644 --- a/tests/acceptance/01_vars/02_functions/setop_unique_difference_intersection.cf +++ b/tests/acceptance/01_vars/02_functions/setop_unique_difference_intersection.cf @@ -34,9 +34,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "list1" slist => { "a", "b", "c", "d", "e", "f" }; "list2" slist => { "a", "b", "c", "d", "e", "f" }; diff --git a/tests/acceptance/01_vars/02_functions/storejson.cf b/tests/acceptance/01_vars/02_functions/storejson.cf index 6574b38220..70375aee4d 100644 --- a/tests/acceptance/01_vars/02_functions/storejson.cf +++ b/tests/acceptance/01_vars/02_functions/storejson.cf @@ -9,9 +9,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "mylist" slist => { "x", "y" }; "data" data => parsejson('{ diff --git a/tests/acceptance/01_vars/02_functions/storejson_edge_case.cf b/tests/acceptance/01_vars/02_functions/storejson_edge_case.cf index d209fc3d29..ef12c462b0 100644 --- a/tests/acceptance/01_vars/02_functions/storejson_edge_case.cf +++ b/tests/acceptance/01_vars/02_functions/storejson_edge_case.cf @@ -10,9 +10,6 @@ body common control ########################################################## bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "data" string => storejson('{ "A very long text": "Hello, everyone! This is the LONGEST TEXT EVER! I was inspired by the various other longest texts ever on the internet, and I wanted to make my own. So here it is! This is going to be a WORLD RECORD! This is actually my third attempt at doing this. The first time, I didnt save it. The second time, the Neocities editor crashed. Now Im writing this in Notepad, then copying it into the Neocities editor instead of typing it directly in the Neocities editor to avoid crashing. It sucks that my past two attempts are gone now. Those actually got pretty long. Not the longest, but still pretty long. I hope this one wont get lost somehow. Anyways, lets talk about WAFFLES! I like waffles. Waffles are cool. Waffles is a funny word. Theres a Teen Titans Go episode called Waffles where the word Waffles is said a hundred-something times. Its pretty annoying. Theres also a Teen Titans Go episode about Pig Latin. Dont know what Pig Latin is? Its a language where you take all the consonants before the first vowel, move them to the end, and add -ay to the end. If the word begins with a vowel, you just add -way to the end. For example, Waffles becomes Afflesway. Ive been speaking Pig Latin fluently since the fourth grade, so it surprised me when I saw the episode for the first time. I speak Pig Latin with my sister sometimes. Its pretty fun. I like speaking it in public so that everyone around us gets confused. Thats never actually happened before, but if it ever does, twill be pretty funny. By the way, twill is a word I invented recently, and its a contraction of it will. I really hope it gains popularity in the near future, because twill is WAY more fun than saying itll. Itll is too boring. Nobody likes boring. This is nowhere near being the longest text ever, but eventually it will be! I might still be writing this a decade later, who knows? But right now, its not very long. But Ill just keep writing until it is the longest! Have you ever heard the song Dau Dau by Awesome Scampis? Its an amazing song. Look it up on YouTube! I play that song all the time around my sister! It drives her crazy, and I love it. Another way I like driving my sister crazy is by speaking my own made up language to her. She hates the languages I make! The only language that we both speak besides English is Pig Latin. I think you already knew that. Whatever. I think Im gonna go for now. Bye! Hi, Im back now. Im gonna contribute more to this soon-to-be giant wall of text. I just realised I have a giant stuffed frog on my bed. I forgot his name. Im pretty sure it was something stupid though. I think it was FROG in Morse Code or something. Morse Code is cool. I know a bit of it, but Im not very good at it. Im also not very good at French. I barely know anything in French, and my pronunciation probably sucks. But Im learning it, at least. Im also learning Esperanto. Its this language that was made up by some guy a long time ago to be the universal language. A lot of people speak it. I am such a language nerd. Half of this text is probably gonna be about languages. But hey, as long as its long! Ha, get it? As LONG as its LONG? Im so funny, right? No, Im not. I should probably get some sleep. Goodnight! Hello, Im back again. I basically have only two interests nowadays: languages and furries. What? Oh, sorry, I thought you knew I was a furry. Haha, oops. Anyway, yeah, Im a furry, but since Im a young furry, I cant really do as much as I would like to do in the fandom. When Im older, I would like to have a fursuit, go to furry conventions, all that stuff. But for now I can only dream of that. Sorry you had to deal with me talking about furries, but Im honestly very desperate for this to be the longest text ever. Last night I was watching nothing but fursuit unboxings. I think I need help. This one time, me and my mom were going to go to a furry Christmas party, but we didnt end up going because of the fact that there was alcohol on the premises, and that she didnt wanna have to be a mom dragging her son through a crowd of furries. Both of those reasons were understandable. Okay, hopefully I wont have to talk about furries anymore. I dont care if youre a furry reading this right now, I just dont wanna have to torture everyone else."}'); } diff --git a/tests/acceptance/01_vars/02_functions/string_mustache.cf b/tests/acceptance/01_vars/02_functions/string_mustache.cf index e966c5b1fb..0ac07f76a5 100644 --- a/tests/acceptance/01_vars/02_functions/string_mustache.cf +++ b/tests/acceptance/01_vars/02_functions/string_mustache.cf @@ -14,10 +14,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "out11" string => string_mustache("desert = {{vars.init.desert}}"); diff --git a/tests/acceptance/01_vars/02_functions/string_replace.cf b/tests/acceptance/01_vars/02_functions/string_replace.cf index 220de85782..c3caf164ca 100644 --- a/tests/acceptance/01_vars/02_functions/string_replace.cf +++ b/tests/acceptance/01_vars/02_functions/string_replace.cf @@ -16,10 +16,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "test" string => "abcdefghij\t\n"; "test2" string => "(){}[].*?"; diff --git a/tests/acceptance/01_vars/02_functions/string_trim.cf b/tests/acceptance/01_vars/02_functions/string_trim.cf index c361445814..13b46a3a2d 100644 --- a/tests/acceptance/01_vars/02_functions/string_trim.cf +++ b/tests/acceptance/01_vars/02_functions/string_trim.cf @@ -9,10 +9,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "abcd1" string => string_trim("abcd"); "abcd2" string => string_trim(" abcd"); diff --git a/tests/acceptance/01_vars/02_functions/sublist.cf b/tests/acceptance/01_vars/02_functions/sublist.cf index 2fe5a4bc63..af137477c7 100644 --- a/tests/acceptance/01_vars/02_functions/sublist.cf +++ b/tests/acceptance/01_vars/02_functions/sublist.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "test" slist => { 1,2,3, diff --git a/tests/acceptance/01_vars/02_functions/sum_and_product.cf b/tests/acceptance/01_vars/02_functions/sum_and_product.cf index 3807b376ac..86ccbc32b4 100644 --- a/tests/acceptance/01_vars/02_functions/sum_and_product.cf +++ b/tests/acceptance/01_vars/02_functions/sum_and_product.cf @@ -21,10 +21,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "normal_list" slist => { "1", "2", "3" }; "empty_list" slist => { }; diff --git a/tests/acceptance/01_vars/02_functions/text_xform.cf b/tests/acceptance/01_vars/02_functions/text_xform.cf index 9d31b3c30c..191dfb166b 100644 --- a/tests/acceptance/01_vars/02_functions/text_xform.cf +++ b/tests/acceptance/01_vars/02_functions/text_xform.cf @@ -7,10 +7,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "tests" slist => { "q1", "q2", "q3", "q4" }; "offsets" ilist => { "-1", "-2", "-5", "-10", "-20", "-26", "-27", "-28", "-10240", diff --git a/tests/acceptance/01_vars/02_functions/type.cf b/tests/acceptance/01_vars/02_functions/type.cf index 1aea1a7746..4326d3cfa1 100644 --- a/tests/acceptance/01_vars/02_functions/type.cf +++ b/tests/acceptance/01_vars/02_functions/type.cf @@ -32,8 +32,6 @@ bundle agent test meta: "description" -> { "CFE-2240" } string => "Test for expected results from policy function type"; - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "test_00" string => type("init._data"); diff --git a/tests/acceptance/01_vars/02_functions/validdata.cf b/tests/acceptance/01_vars/02_functions/validdata.cf index f2d134ca99..c25d3d0b8f 100644 --- a/tests/acceptance/01_vars/02_functions/validdata.cf +++ b/tests/acceptance/01_vars/02_functions/validdata.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "valid_json" string => "should appear", if => validdata(readfile("$(this.promise_filename).json", inf), "JSON"); diff --git a/tests/acceptance/01_vars/02_functions/variablesmatching.cf b/tests/acceptance/01_vars/02_functions/variablesmatching.cf index 0aa93783d7..074513b4ab 100644 --- a/tests/acceptance/01_vars/02_functions/variablesmatching.cf +++ b/tests/acceptance/01_vars/02_functions/variablesmatching.cf @@ -22,10 +22,6 @@ bundle common init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "vars" slist => variablesmatching("default:init.test_fbeae67f3e347b5e0032302200141131.*"); "x_vars" slist => variablesmatching("default:init.test_fbeae67f3e347b5e0032302200141131.*", "x"); diff --git a/tests/acceptance/01_vars/02_functions/wrap_container_fncalls.cf b/tests/acceptance/01_vars/02_functions/wrap_container_fncalls.cf index feebc3b298..5d1c24392e 100644 --- a/tests/acceptance/01_vars/02_functions/wrap_container_fncalls.cf +++ b/tests/acceptance/01_vars/02_functions/wrap_container_fncalls.cf @@ -19,10 +19,6 @@ bundle common init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "base_list" slist => { "a", "b", "c", "aaa", "bbb", "ccc" }; "base_data" data => '{ "x": 100, "y": "z" }'; diff --git a/tests/acceptance/01_vars/04_containers/inline_json.cf b/tests/acceptance/01_vars/04_containers/inline_json.cf index be6e57d68e..40287b0188 100644 --- a/tests/acceptance/01_vars/04_containers/inline_json.cf +++ b/tests/acceptance/01_vars/04_containers/inline_json.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "included" string => "( included text )"; "options1" data => ' diff --git a/tests/acceptance/01_vars/04_containers/inline_yaml.cf b/tests/acceptance/01_vars/04_containers/inline_yaml.cf index f087ef9cda..7d518a5db3 100644 --- a/tests/acceptance/01_vars/04_containers/inline_yaml.cf +++ b/tests/acceptance/01_vars/04_containers/inline_yaml.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: feature_yaml:: "included" string => "( included text )"; diff --git a/tests/acceptance/01_vars/04_containers/iterate_over_data_array.cf b/tests/acceptance/01_vars/04_containers/iterate_over_data_array.cf index 5f80261932..dde9ecac55 100644 --- a/tests/acceptance/01_vars/04_containers/iterate_over_data_array.cf +++ b/tests/acceptance/01_vars/04_containers/iterate_over_data_array.cf @@ -20,8 +20,6 @@ bundle agent test string => "Test that we can iterate over an array inside of a data container without first extracting it. And that the order of iteration is preserved."; - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "data3" data => '{ "iteration_order":[ "b", "c", "a" ], "b":{ "key": "bkeyval" }, "c":{"key":"ckeyval"}, "a":{"key":"akeyval"}}'; diff --git a/tests/acceptance/02_classes/01_basic/from_json_booleans.cf b/tests/acceptance/02_classes/01_basic/from_json_booleans.cf index 9d16d94888..c9db5ed37f 100644 --- a/tests/acceptance/02_classes/01_basic/from_json_booleans.cf +++ b/tests/acceptance/02_classes/01_basic/from_json_booleans.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - classes: "canary" expression => "any", meta => { "collect" }; # just a baseline test "from_$(json)" expression => "$(json)", meta => { "collect" }; # iterates through non-nulls diff --git a/tests/acceptance/02_classes/02_functions/iprange.cf b/tests/acceptance/02_classes/02_functions/iprange.cf index f95c30188f..fdc991f68c 100644 --- a/tests/acceptance/02_classes/02_functions/iprange.cf +++ b/tests/acceptance/02_classes/02_functions/iprange.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - classes: "expected_missing" expression => iprange("8.8.8.8/31"), meta => { "collect" }; diff --git a/tests/acceptance/02_classes/02_functions/isipinsubnet.cf b/tests/acceptance/02_classes/02_functions/isipinsubnet.cf index 2d89d0619b..6cff4f4db0 100644 --- a/tests/acceptance/02_classes/02_functions/isipinsubnet.cf +++ b/tests/acceptance/02_classes/02_functions/isipinsubnet.cf @@ -15,10 +15,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - classes: "zeroes_range_match" expression => isipinsubnet("0.0.0.0/0", "1.2.3.4"), meta => { "collect" }; diff --git a/tests/acceptance/10_files/09_insert_lines/insert-large-lines.cf b/tests/acceptance/10_files/09_insert_lines/insert-large-lines.cf index 5ff334e0de..4f0a600e8d 100644 --- a/tests/acceptance/10_files/09_insert_lines/insert-large-lines.cf +++ b/tests/acceptance/10_files/09_insert_lines/insert-large-lines.cf @@ -8,9 +8,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; vars: "data" string => readfile("$(this.promise_filename).txt", "16431"); files: diff --git a/tests/acceptance/10_files/mustache_missing_variable_is_empty_string_by_default.cf b/tests/acceptance/10_files/mustache_missing_variable_is_empty_string_by_default.cf index 028bc10f08..37e7e2e183 100644 --- a/tests/acceptance/10_files/mustache_missing_variable_is_empty_string_by_default.cf +++ b/tests/acceptance/10_files/mustache_missing_variable_is_empty_string_by_default.cf @@ -32,10 +32,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - files: "$(init.template_target)" edit_template => "$(this.promise_filename).mustache", diff --git a/tests/acceptance/10_files/mustache_render_multiline_template_data.cf b/tests/acceptance/10_files/mustache_render_multiline_template_data.cf index 12b98f1870..eff73e17c2 100644 --- a/tests/acceptance/10_files/mustache_render_multiline_template_data.cf +++ b/tests/acceptance/10_files/mustache_render_multiline_template_data.cf @@ -13,10 +13,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "template_target" string => "$(G.testfile)"; diff --git a/tests/acceptance/10_files/templating/mustache_top_level_iteration.cf b/tests/acceptance/10_files/templating/mustache_top_level_iteration.cf index 5830168242..414ccdec1e 100644 --- a/tests/acceptance/10_files/templating/mustache_top_level_iteration.cf +++ b/tests/acceptance/10_files/templating/mustache_top_level_iteration.cf @@ -16,10 +16,6 @@ body common control bundle agent test { - meta: - "test_soft_fail" string => "windows", - meta => { "ENT-10254" }; - vars: "mydata1" data => '{ "a": 100 }'; "mydata2" data => '[ "p", "q" ]'; From eb5c80173c5b9f4326fa0d8e56c1ae15494cc09c Mon Sep 17 00:00:00 2001 From: Aleksei Shpakovskii Date: Wed, 19 Jul 2023 14:22:15 +0200 Subject: [PATCH 065/255] Convert win lineendings to Unix for tests which need it on Windows Ticket: ENT-10433 Changelog: none (cherry picked from commit 9a9d10d874c345a3fa8b15c8802f3e7700a86d63) --- .../01_basic/namespaces/bundle_qualified_refs/1/main.cf | 7 +++++++ .../01_basic/namespaces/bundle_qualified_refs/2/main.cf | 7 +++++++ .../iterate_over_data_container_with_nulls.cf | 3 +++ .../04_containers/multiple_cmerge_variable_dynamic.cf | 4 ++++ .../04_containers/multiple_cmerge_variable_static.cf | 4 ++++ .../01_vars/04_containers/pass_variable_container.cf | 4 ++++ .../01_vars/04_containers/pass_variable_container_index.cf | 4 ++++ .../14_reports/00_output/report_printfile_from_bot.cf | 2 ++ .../14_reports/00_output/report_printfile_from_top.cf | 2 ++ .../21_methods/call_methods_using_array_expansion.cf | 4 ++++ tests/acceptance/dcs.cf.sub | 1 + 11 files changed, 42 insertions(+) diff --git a/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/1/main.cf b/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/1/main.cf index aa880882f8..f7e36e8ead 100644 --- a/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/1/main.cf +++ b/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/1/main.cf @@ -13,6 +13,13 @@ bundle agent __main__ "bundlesequence" usebundle => default("$(this.promise_filename)"); } +bundle agent init +{ + commands: + windows:: + "$(G.dos2unix) $(this.promise_dirname)/expected_output.txt" -> { "ENT-10433" }; +} + bundle agent test { meta: diff --git a/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/2/main.cf b/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/2/main.cf index 1099dedeff..4dd235b4c9 100644 --- a/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/2/main.cf +++ b/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/2/main.cf @@ -13,6 +13,13 @@ bundle agent __main__ "bundlesequence" usebundle => default("$(this.promise_filename)"); } +bundle agent init +{ + commands: + windows:: + "$(G.dos2unix) $(this.promise_dirname)/expected_output.txt" -> { "ENT-10433" }; +} + bundle agent test { meta: diff --git a/tests/acceptance/01_vars/04_containers/iterate_over_data_container_with_nulls.cf b/tests/acceptance/01_vars/04_containers/iterate_over_data_container_with_nulls.cf index 5b6bdec183..795bd02e1e 100644 --- a/tests/acceptance/01_vars/04_containers/iterate_over_data_container_with_nulls.cf +++ b/tests/acceptance/01_vars/04_containers/iterate_over_data_container_with_nulls.cf @@ -7,6 +7,9 @@ body common control bundle agent init { + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected" -> { "ENT-10433" }; files: "$(G.testdir)/actual.txt" diff --git a/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_dynamic.cf b/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_dynamic.cf index ed2a131f78..f910fa561f 100644 --- a/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_dynamic.cf +++ b/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_dynamic.cf @@ -31,6 +31,10 @@ bundle agent init vars: "autorun" slist => bundlesmatching(".*", "autorun"); + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected" -> { "ENT-10433" }; + files: "$(G.testfile)" edit_line => empty; diff --git a/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_static.cf b/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_static.cf index 8f4bd66d61..b60b96afbb 100644 --- a/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_static.cf +++ b/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_static.cf @@ -12,6 +12,10 @@ bundle agent init vars: "autorun" slist => bundlesmatching(".*", "autorun"); + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected" -> { "ENT-10433" }; + files: "$(G.testfile)" edit_line => empty; diff --git a/tests/acceptance/01_vars/04_containers/pass_variable_container.cf b/tests/acceptance/01_vars/04_containers/pass_variable_container.cf index fd55182721..40727d8a3f 100644 --- a/tests/acceptance/01_vars/04_containers/pass_variable_container.cf +++ b/tests/acceptance/01_vars/04_containers/pass_variable_container.cf @@ -18,6 +18,10 @@ bundle agent init meta: "tags" slist => { "find" }; + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected" -> { "ENT-10433" }; + vars: # We want to be sure we can reference this data subsequently "d" data => parsejson( '{ diff --git a/tests/acceptance/01_vars/04_containers/pass_variable_container_index.cf b/tests/acceptance/01_vars/04_containers/pass_variable_container_index.cf index cd9f642688..35bfe052ca 100644 --- a/tests/acceptance/01_vars/04_containers/pass_variable_container_index.cf +++ b/tests/acceptance/01_vars/04_containers/pass_variable_container_index.cf @@ -17,6 +17,10 @@ bundle agent init { meta: "tags" slist => { "find" }; + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected" -> { "ENT-10433" }; + } bundle agent test diff --git a/tests/acceptance/14_reports/00_output/report_printfile_from_bot.cf b/tests/acceptance/14_reports/00_output/report_printfile_from_bot.cf index 4956118b88..7f140f924a 100644 --- a/tests/acceptance/14_reports/00_output/report_printfile_from_bot.cf +++ b/tests/acceptance/14_reports/00_output/report_printfile_from_bot.cf @@ -22,6 +22,8 @@ bundle agent check classes: "passed" expression => strcmp("$(test.expected)", "$(test.actual)"); reports: + windows:: + "$(this.promise_filename) SFAIL/ENT-10433"; DEBUG:: "Expected: '$(test.expected)'"; "Found: '$(test.actual)'"; diff --git a/tests/acceptance/14_reports/00_output/report_printfile_from_top.cf b/tests/acceptance/14_reports/00_output/report_printfile_from_top.cf index 66a9ec34f3..f0c0c3adf0 100644 --- a/tests/acceptance/14_reports/00_output/report_printfile_from_top.cf +++ b/tests/acceptance/14_reports/00_output/report_printfile_from_top.cf @@ -22,6 +22,8 @@ bundle agent check classes: "passed" expression => strcmp("$(test.expected)", "$(test.actual)"); reports: + windows:: + "$(this.promise_filename) SFAIL/ENT-10433"; DEBUG:: "Expected: '$(test.expected)'"; "Found: '$(test.actual)'"; diff --git a/tests/acceptance/21_methods/call_methods_using_array_expansion.cf b/tests/acceptance/21_methods/call_methods_using_array_expansion.cf index dbddadbaea..dfa945a782 100644 --- a/tests/acceptance/21_methods/call_methods_using_array_expansion.cf +++ b/tests/acceptance/21_methods/call_methods_using_array_expansion.cf @@ -13,6 +13,10 @@ body common control bundle agent init { + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected.txt" -> { "ENT-10433" }; + files: "$(G.testdir)/reports.txt" delete => tidy; diff --git a/tests/acceptance/dcs.cf.sub b/tests/acceptance/dcs.cf.sub index 5182123191..15bba3cd3d 100644 --- a/tests/acceptance/dcs.cf.sub +++ b/tests/acceptance/dcs.cf.sub @@ -24,6 +24,7 @@ bundle common G # General commands. "cmds" slist => { "date", "dd", + "dos2unix", "diff", "cat", "colordiff", From 07592050808c24032e94875c34854ab0cadd45ad Mon Sep 17 00:00:00 2001 From: Aleksei Shpakovskii Date: Fri, 15 Sep 2023 15:02:56 +0200 Subject: [PATCH 066/255] Change suppress fail to soft fail on known failing tests Ticket: ENT-10470 Issue was that these failures were visible in Jenkins, turning build "unstable". (cherry picked from commit 3d880734536a1d7c0d17f893153edf483b96b266) --- tests/acceptance/08_commands/01_modules/long-module-lines.cf | 4 ++-- tests/acceptance/09_services/custom.cf | 2 +- tests/acceptance/09_services/disable.cf | 2 +- tests/acceptance/09_services/enable.cf | 2 +- tests/acceptance/09_services/reload.cf | 2 +- tests/acceptance/09_services/restart.cf | 2 +- tests/acceptance/09_services/service_cannot_be_resolved.cf | 2 +- tests/acceptance/09_services/start.cf | 2 +- tests/acceptance/09_services/stop.cf | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/acceptance/08_commands/01_modules/long-module-lines.cf b/tests/acceptance/08_commands/01_modules/long-module-lines.cf index f6e523d157..b0535649a3 100644 --- a/tests/acceptance/08_commands/01_modules/long-module-lines.cf +++ b/tests/acceptance/08_commands/01_modules/long-module-lines.cf @@ -26,8 +26,8 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", - meta => { "redmine1884" }; + "test_soft_fail" string => "windows", + meta => { "ENT-1623" }; commands: "$(init.script_name)" module => "true"; diff --git a/tests/acceptance/09_services/custom.cf b/tests/acceptance/09_services/custom.cf index dce6d60fe1..0830031e72 100644 --- a/tests/acceptance/09_services/custom.cf +++ b/tests/acceptance/09_services/custom.cf @@ -24,7 +24,7 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "CFE-2402" }; services: diff --git a/tests/acceptance/09_services/disable.cf b/tests/acceptance/09_services/disable.cf index a717a6e106..ad8d97aa1d 100644 --- a/tests/acceptance/09_services/disable.cf +++ b/tests/acceptance/09_services/disable.cf @@ -24,7 +24,7 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "CFE-2402" }; services: diff --git a/tests/acceptance/09_services/enable.cf b/tests/acceptance/09_services/enable.cf index 1a3424539f..86445a1963 100644 --- a/tests/acceptance/09_services/enable.cf +++ b/tests/acceptance/09_services/enable.cf @@ -24,7 +24,7 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "CFE-2402" }; services: diff --git a/tests/acceptance/09_services/reload.cf b/tests/acceptance/09_services/reload.cf index ec3b6f7dbf..058b011fa8 100644 --- a/tests/acceptance/09_services/reload.cf +++ b/tests/acceptance/09_services/reload.cf @@ -24,7 +24,7 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "redmine4772,ENT-2161" }; services: diff --git a/tests/acceptance/09_services/restart.cf b/tests/acceptance/09_services/restart.cf index 77ef03eed8..167557cd91 100644 --- a/tests/acceptance/09_services/restart.cf +++ b/tests/acceptance/09_services/restart.cf @@ -24,7 +24,7 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "redmine4772,ENT-2161" }; services: diff --git a/tests/acceptance/09_services/service_cannot_be_resolved.cf b/tests/acceptance/09_services/service_cannot_be_resolved.cf index 4c3f865c1e..48161dd1d9 100644 --- a/tests/acceptance/09_services/service_cannot_be_resolved.cf +++ b/tests/acceptance/09_services/service_cannot_be_resolved.cf @@ -20,7 +20,7 @@ bundle agent init bundle common test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "redmine4772,ENT-2161" }; classes: diff --git a/tests/acceptance/09_services/start.cf b/tests/acceptance/09_services/start.cf index aa75db174b..9a9d9b7b86 100644 --- a/tests/acceptance/09_services/start.cf +++ b/tests/acceptance/09_services/start.cf @@ -24,7 +24,7 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "redmine4772,ENT-2161" }; services: diff --git a/tests/acceptance/09_services/stop.cf b/tests/acceptance/09_services/stop.cf index 2ad8c80c55..212be2b2ff 100644 --- a/tests/acceptance/09_services/stop.cf +++ b/tests/acceptance/09_services/stop.cf @@ -24,7 +24,7 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "redmine4772,ENT-2161" }; services: From fa168825f2be6b6502cbc48d01bd4238bcf506b4 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 1 Sep 2023 14:20:58 +0200 Subject: [PATCH 067/255] Added changelog for 3.21.3 Ticket: ENT-10561 Changelog: None Signed-off-by: Lars Erik Wik --- ChangeLog | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/ChangeLog b/ChangeLog index db73fda858..eb4646c2cf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,18 @@ +3.21.3: + - Cached policy function results now take into account number of arguments + and function name (CFE-4244) + - Improved the syntax description for validjson() (ENT-9759) + - Modified classesmatching() function to search parent bundles with inherit + => true (ENT-5850) + - packagesmatching() and packageupdatesmatching() now look for the software + inventory databases in the state directory and use them if found. This + change enables the usage of these functions in standalone policy files + without the demand for specifying the default package inventory attribute + in body common control. However, you still need the default package + inventory attribute specified in the policy framework for the software + inventory databases to exist in the first place and to be maintained. + (ENT-9083) + 3.21.2: - The CF3_WITH_LIBRARY and AC_CHECK_HEADERS were moved to outside of the check for with-libxml2=no (CFE-4023) - configure.ac: Enabled use of pkg-config to find libxml2 (CFE-4014) From f72d4304f938fd0f39577f776ece2ae6cedebb08 Mon Sep 17 00:00:00 2001 From: Alexis Mousset Date: Thu, 14 Sep 2023 20:46:29 +0200 Subject: [PATCH 068/255] Allow inheriting attributes using global variables in bodies having local parameters. This also prevents a memory corruption when an attribute contains external vars but no local vars. Ticket: CFE-4254 Changelog: Bodies can now inherit attributes containing global variables Signed-off-by: Alexis Mousset (cherry picked from commit a99a1ccc342bd6104c2503ff72f5c271e15ffa3a) Signed-off-by: Lars Erik Wik --- libpromises/rlist.c | 14 ++++- .../03_bodies/inherit_from_with_global_var.cf | 55 +++++++++++++++++++ 2 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 tests/acceptance/00_basics/03_bodies/inherit_from_with_global_var.cf diff --git a/libpromises/rlist.c b/libpromises/rlist.c index 64ea0e6ac4..27703dd786 100644 --- a/libpromises/rlist.c +++ b/libpromises/rlist.c @@ -373,13 +373,14 @@ Rval RvalNewRewriter(const void *item, RvalType type, JsonElement *map) Buffer *format = BufferNew(); StringCopy(item, buffer_from, max_size); + buffer_to[0] = '\0'; for (int iteration = 0; iteration < 10; iteration++) { bool replacement_made = false; int var_start = -1; char closing_brace = 0; - for (int c = 0; c < buffer_from[c]; c++) + for (int c = 0; buffer_from[c] != '\0'; c++) { if (buffer_from[c] == '$') { @@ -402,6 +403,7 @@ Rval RvalNewRewriter(const void *item, RvalType type, JsonElement *map) { char saved = buffer_from[c]; buffer_from[c] = '\0'; + const char *repl = JsonObjectGetAsString(map, buffer_from + var_start + 2); buffer_from[c] = saved; @@ -433,7 +435,15 @@ Rval RvalNewRewriter(const void *item, RvalType type, JsonElement *map) } } - char *ret = xstrdup(buffer_to); + char* ret; + if (buffer_to[0] == '\0') { + // If nothing has been written to buffer_to, we pass the input verbatim. + // This function only evaluates body parameters, but the body can also reference the global + // context. + ret = xstrdup(buffer_from); + } else { + ret = xstrdup(buffer_to); + } BufferDestroy(format); free(buffer_to); diff --git a/tests/acceptance/00_basics/03_bodies/inherit_from_with_global_var.cf b/tests/acceptance/00_basics/03_bodies/inherit_from_with_global_var.cf new file mode 100644 index 0000000000..c9dec4f368 --- /dev/null +++ b/tests/acceptance/00_basics/03_bodies/inherit_from_with_global_var.cf @@ -0,0 +1,55 @@ +####################################################### +# +# Test that bodies can inherit attributes containing global variables +# +####################################################### + +body common control +{ + inputs => { "../../default.cf.sub" }; + bundlesequence => { default("$(this.promise_filename)") }; + version => "1.0"; +} + +####################################################### + + +bundle agent init +{ + vars: + "class" string => "_pass"; +} + +####################################################### + +body classes parent(p) +{ + promise_kept => { "${init.class}" }; +} + +body classes static(p) +{ + inherit_from => parent(p); +} + +bundle agent test { + meta: + "description" -> { "CFE-4254" } + string => "Test that bodies can inherit attributes containing global variables"; + + vars: + "test" string => "test", + classes => static("placeholder"); +} + +####################################################### + +bundle agent check +{ + methods: + _pass:: + "pass" usebundle => dcs_pass("$(this.promise_filename)"); + + !_pass:: + "pass" usebundle => dcs_fail("$(this.promise_filename)"); +} From 16c5c66d4389d7c557e7c67d684f344a917c87ee Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 27 Sep 2023 09:04:05 -0500 Subject: [PATCH 069/255] Added selinux policy to allow cf-hub to initiate scheduled reports https://github.com/cfengine/nova/commit/8b8726e7b2896d601f05d1b4392abef705d1489a changed cf-hub behavior for ENT-9825 This change fixes an issue with hubs that have SELinux set to enforce. Hubs which do not have SELinux set to enforce are unaffected by this issue. Ticket: ENT-10696 Changelog: title (cherry picked from commit 48ed76f8d5cb3c2cee72b456960362108a119a45) --- misc/selinux/cfengine-enterprise.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te b/misc/selinux/cfengine-enterprise.te index 1c1981011f..b89a6d2bb9 100644 --- a/misc/selinux/cfengine-enterprise.te +++ b/misc/selinux/cfengine-enterprise.te @@ -356,6 +356,8 @@ type cfengine_hub_t; typeattribute cfengine_hub_t domain; role system_r types cfengine_hub_t; +# cf-hub uses setuid/setgid to initiate scheduled reports as cfapache:cfpostgres +allow cfengine_hub_t self:capability { setgid setuid }; # /var/cfengine/bin/cf-hub has the 'cfengine_hub_exec_t' context which is an # entrypoint for the 'cfengine_hub_t' domain type cfengine_hub_exec_t; From eff4b281ade278fe0dce7ea1a9938f4451d432f0 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 28 Sep 2023 15:19:07 -0500 Subject: [PATCH 070/255] Added changelog entry for ENT-10647 fix Fixed and improved postgresql server state handling in package scriptlets Ticket: ENT-10647 Changelog: none --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index eb4646c2cf..d725114cd1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ 3.21.3: + - Fixed and improved postgresql server state handling in package installer + scriptlets (ENT-10647) - Cached policy function results now take into account number of arguments and function name (CFE-4244) - Improved the syntax description for validjson() (ENT-9759) From ac61e42695ee067a17962d905984aa679b798a8e Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Fri, 6 Oct 2023 17:40:39 +0200 Subject: [PATCH 071/255] Bumped .CFVERSION number to 3.21.4 Signed-off-by: Ole Herman Schumacher Elgesem --- .CFVERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.CFVERSION b/.CFVERSION index c60ca5ac9c..4a463074a9 100644 --- a/.CFVERSION +++ b/.CFVERSION @@ -1 +1 @@ -3.21.3 +3.21.4 From 03efc196cce6a0f1263ffc316a294655395121e5 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 9 Oct 2023 15:19:05 -0500 Subject: [PATCH 072/255] Fixed two acceptance tests which could only run once before failing Their first run they change an original/source file and so on subsequent runs the tests failed due to the original being incorrect. Ticket: ENT-10761 Changelog: none (cherry picked from commit c8af66eb2b802230b92e8cb6708dfd1c7903c633) --- tests/acceptance/31_tickets/ENT-8788/1/main.cf | 15 ++++++++++++--- tests/acceptance/31_tickets/ENT-8788/2/main.cf | 15 ++++++++++++--- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/tests/acceptance/31_tickets/ENT-8788/1/main.cf b/tests/acceptance/31_tickets/ENT-8788/1/main.cf index aebde408fc..d02bf2652b 100644 --- a/tests/acceptance/31_tickets/ENT-8788/1/main.cf +++ b/tests/acceptance/31_tickets/ENT-8788/1/main.cf @@ -11,6 +11,16 @@ bundle agent __main__ "bundlesequence" usebundle => default("$(this.promise_filename)"); } +bundle agent init +{ + vars: + "original_file" string => "$(this.promise_dirname)/start.xml.txt"; + "test_file" string => "$(sys.workdir)/start.xml.test"; + files: + "$(test_file)" + copy_from => local_cp("${original_file}"); +} + bundle agent test { meta: @@ -19,11 +29,10 @@ bundle agent test meta => { "ENT-8788" }; vars: - "test_file" string => "$(this.promise_dirname)/start.xml.txt"; "new_content_file" string => "$(this.promise_dirname)/newcontent.xml.txt"; files: - "$(test_file)" + "$(init.test_file)" create => "false", edit_defaults => size("500k"), edit_line => insert_file_as_block_relative_to_first_or_last_line( @@ -38,7 +47,7 @@ bundle agent check { methods: - "Pass/Fail" usebundle => dcs_check_diff($(test.test_file), + "Pass/Fail" usebundle => dcs_check_diff($(init.test_file), "$(this.promise_dirname)/desired-result.xml.txt", $(this.promise_filename)); } diff --git a/tests/acceptance/31_tickets/ENT-8788/2/main.cf b/tests/acceptance/31_tickets/ENT-8788/2/main.cf index 0f5226643e..0dd281f65b 100644 --- a/tests/acceptance/31_tickets/ENT-8788/2/main.cf +++ b/tests/acceptance/31_tickets/ENT-8788/2/main.cf @@ -11,6 +11,16 @@ bundle agent __main__ "bundlesequence" usebundle => default("$(this.promise_filename)"); } +bundle agent init +{ + vars: + "original_file" string => "$(this.promise_dirname)/start.xml.txt"; + "test_file" string => "$(sys.workdir)/start.xml.test"; + files: + "$(test_file)" + copy_from => local_cp("${original_file}"); +} + bundle agent test { meta: @@ -19,11 +29,10 @@ bundle agent test meta => { "ENT-8788" }; vars: - "test_file" string => "$(this.promise_dirname)/start.xml.txt"; "new_content_file" string => "$(this.promise_dirname)/newcontent.xml.txt"; files: - "$(test_file)" + "$(init.test_file)" create => "false", edit_defaults => size("500k"), edit_line => insert_file_as_block_relative_to_first_or_last_line( @@ -38,7 +47,7 @@ bundle agent check { methods: - "Pass/Fail" usebundle => dcs_check_diff($(test.test_file), + "Pass/Fail" usebundle => dcs_check_diff($(init.test_file), "$(this.promise_dirname)/desired-result.xml.txt", $(this.promise_filename)); } From 34e58ed1e2a6f5567330b2831a9d4e2c251ba856 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 9 Oct 2023 09:40:57 -0500 Subject: [PATCH 073/255] Improved locale override in masterfiles stage scripts LANG is not sufficient to guard against odd environment vars, LC_ALL is a master override so prefer that. Ticket: ENT-10753 Changelog: title (cherry picked from commit 3cefecb184b3d0a371a22436220eae1b2dcd94f8) --- contrib/masterfiles-stage/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/masterfiles-stage/common.sh b/contrib/masterfiles-stage/common.sh index 30b401be39..3d45d8e4bf 100755 --- a/contrib/masterfiles-stage/common.sh +++ b/contrib/masterfiles-stage/common.sh @@ -190,7 +190,7 @@ git_cfbs_deploy_refspec() { # (See long comment at end of function def.) # The chipmunk in cfbs output breaks things without this or similar - export LANG=en_US.utf-8 + export LC_ALL=en_US.utf-8 # Ensure absolute pathname is given [ "${1:0:1}" = / ] || From 0ef208dbe87af4048d7e7180addaca0644148ca3 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 1 Nov 2023 11:49:40 +0100 Subject: [PATCH 074/255] Fixed infinite loop on error bug while reading interface exception file Fixed bug where the agent may enter an infinite loop while trying to read the interface exception file. The problem comes from the fact that the while loop for reading each line in the file checks for end-of-file, but not error. If an error occurs, end-of-file will never be reached, hence the loop will never break. Ticket: None Changelog: Title Signed-off-by: Lars Erik Wik (cherry picked from commit 301a764dd1333640290cfeed44bf876c11977db2) --- libenv/unix_iface.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libenv/unix_iface.c b/libenv/unix_iface.c index e6e0b5b849..6ae6a8bc8e 100644 --- a/libenv/unix_iface.c +++ b/libenv/unix_iface.c @@ -849,7 +849,15 @@ static void InitIgnoreInterfaces() while (!feof(fin)) { regex[0] = '\0'; - int scanCount = fscanf(fin,"%255s",regex); + int scanCount = fscanf(fin, "%255s", regex); + if (ferror(fin) != 0) + { + Log(LOG_LEVEL_ERR, + "Failed to read interface exception file %s: %s", + filename, + GetErrorStr()); + break; + } if (scanCount != 0 && *regex != '\0') { From 34bd927df3349cf92dc66ed249d2dc50fed661b8 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Tue, 31 Oct 2023 15:48:10 +0100 Subject: [PATCH 075/255] Allow CFEngine daemons to access to proc_security_t files These are security parameters of the system found under /proc/sys/kernel. Allow **read** access is fine although our daemons normally shoudln't require this information (`cf-agent` is allowed this access already). Ticket: ENT-9684 Changelog: SELinux no longer blocks CFEngine deamons in reading security parameters from /proc/sys/kernel (cherry picked from commit 1ab88593de30b48bede16bfed50f501f564168a4) --- misc/selinux/cfengine-enterprise.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te b/misc/selinux/cfengine-enterprise.te index b89a6d2bb9..b7b703aeef 100644 --- a/misc/selinux/cfengine-enterprise.te +++ b/misc/selinux/cfengine-enterprise.te @@ -34,6 +34,7 @@ require { type proc_t; type proc_net_t; type proc_xen_t; + type proc_security_t; type cfengine_serverd_exec_t; type http_port_t; type ldap_port_t; @@ -237,6 +238,7 @@ allow cfengine_execd_t init_t:unix_stream_socket connectto; allow cfengine_execd_t journalctl_exec_t:file getattr; allow cfengine_execd_t ping_exec_t:file getattr; allow cfengine_execd_t proc_net_t:file { getattr open read }; +allow cfengine_execd_t proc_security_t:file { getattr open read }; allow cfengine_execd_t rpm_exec_t:file getattr; allow cfengine_execd_t rpm_var_lib_t:dir search; allow cfengine_execd_t rpm_var_lib_t:file open; @@ -293,6 +295,8 @@ allow cfengine_monitord_t tty_device_t:chr_file getattr; allow cfengine_monitord_t user_devpts_t:chr_file getattr; allow cfengine_monitord_t sysctl_t:dir read; allow cfengine_monitord_t ssh_exec_t:file getattr; +allow cfengine_monitord_t proc_net_t:file { getattr open read }; +allow cfengine_monitord_t proc_security_t:file { getattr open read }; # TODO: this should not be needed allow cfengine_monitord_t proc_xen_t:dir search; @@ -338,6 +342,7 @@ allow cfengine_serverd_t init_t:file { getattr open read }; allow cfengine_serverd_t journalctl_exec_t:file getattr; allow cfengine_serverd_t ping_exec_t:file getattr; allow cfengine_serverd_t proc_net_t:file { getattr open read }; +allow cfengine_serverd_t proc_security_t:file { getattr open read }; allow cfengine_serverd_t rpm_exec_t:file getattr; allow cfengine_serverd_t self:process setrlimit; allow cfengine_serverd_t self:tcp_socket { accept listen }; @@ -437,6 +442,7 @@ allow cfengine_hub_t net_conf_t:file { getattr open read }; allow cfengine_hub_t passwd_file_t:file { getattr open read }; allow cfengine_hub_t ping_exec_t:file getattr; allow cfengine_hub_t proc_net_t:file { getattr open read }; +allow cfengine_hub_t proc_security_t:file { getattr open read }; allow cfengine_hub_t proc_t:dir read; allow cfengine_hub_t rpm_exec_t:file getattr; allow cfengine_hub_t self:capability { dac_override chown dac_read_search }; From 592d04cb05a74504d55771d579b8dc1b301a4aba Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Wed, 1 Nov 2023 13:28:40 +0100 Subject: [PATCH 076/255] Allow cf-hub to request loading of the TLS kernel module Ticket: ENT-9727 Changelog: cf-hub is now allowed to use the TLS kernel module on SELinux-enabled systems (cherry picked from commit 982fb68892009cf7b30c8316a9ddfd17db87b8e8) --- misc/selinux/cfengine-enterprise.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te b/misc/selinux/cfengine-enterprise.te index b7b703aeef..bb71ff355b 100644 --- a/misc/selinux/cfengine-enterprise.te +++ b/misc/selinux/cfengine-enterprise.te @@ -166,6 +166,7 @@ require { class association { sendto recvfrom setcontext polmatch }; class security setsecparam; class service { start stop status reload enable disable }; + class system { module_request }; class memprotect mmap_zero; class peer recv; class chr_file { getattr }; @@ -472,6 +473,9 @@ allow cfengine_hub_t var_t:dir read; allow cfengine_hub_t ssh_exec_t:file getattr; allow cfengine_hub_t tmp_t:dir read; +# Use of the TLS kernel module +allow cfengine_hub_t kernel_t:system module_request; + # TODO: these should not be needed allow cfengine_hub_t ifconfig_exec_t:file { execute execute_no_trans open read getattr map }; allow cfengine_hub_t shell_exec_t:file map; From 79021cbd7b321e7219e0dff24b855cd27eb0af05 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Wed, 1 Nov 2023 13:30:10 +0100 Subject: [PATCH 077/255] Add missing SELinux rules for httpd querying users On RHEL 9 there so-called dynamic users handled by systemd. httpd needs to be able access the related directory and socket to query user information. Ticket: ENT-9727 Changelog: None (cherry picked from commit 91bd050e269ae6238d9e804fed2d02c0d1910745) --- misc/selinux/cfengine-enterprise.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te b/misc/selinux/cfengine-enterprise.te index bb71ff355b..1c394b8fd3 100644 --- a/misc/selinux/cfengine-enterprise.te +++ b/misc/selinux/cfengine-enterprise.te @@ -74,6 +74,7 @@ require { type syslogd_var_run_t; type system_dbusd_t; type system_dbusd_var_run_t; + type systemd_userdbd_runtime_t; type tmp_t; type tmpfs_t; role system_r; @@ -632,6 +633,11 @@ allow cfengine_httpd_t tmp_t:file { create setattr unlink write rename }; allow cfengine_httpd_t tmp_t:dir { add_name remove_name write read }; allow cfengine_httpd_t var_t:dir read; +# PAM module for dynamic users +allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search }; +allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write; +allow cfengine_httpd_t kernel_t:unix_stream_socket connectto; + # apparently, httpd creates some temporary bits in /tmp that it needs to mmap() allow cfengine_httpd_t tmp_t:file map; From 7ab715c9978b20550844bbffeab5af9fa73a3fae Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Wed, 1 Nov 2023 13:31:44 +0100 Subject: [PATCH 078/255] Various small SELinux fixes Allowing systemd to properly start and check our services, PostgreSQL to create and open the `/tmp/.s.PGSQL.5432.lock` file, ifconfig spawned by cf-hub to actually run as ifconfig_t, etc. Ticket: ENT-9727 Changelog: None (cherry picked from commit 3439279fd1a3ea37e1c3ab1de4055245dec139bd) --- misc/selinux/cfengine-enterprise.te | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/misc/selinux/cfengine-enterprise.te b/misc/selinux/cfengine-enterprise.te index 1c394b8fd3..3188e40c98 100644 --- a/misc/selinux/cfengine-enterprise.te +++ b/misc/selinux/cfengine-enterprise.te @@ -53,6 +53,7 @@ require { type hugetlbfs_t; type init_exec_t; type init_var_run_t; + type ifconfig_t; type ifconfig_exec_t; type journalctl_exec_t; type cfengine_execd_t; @@ -155,7 +156,8 @@ require { class dccp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; class ib_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; class mpls_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class process { setrlimit transition dyntransition execstack execheap execmem signull siginh getattr }; + class process { setrlimit transition dyntransition execstack execheap execmem signull siginh getattr sigchld }; + class fd use; class file { execute execute_no_trans getattr ioctl map open read unlink write entrypoint lock link rename append setattr create relabelfrom relabelto watch watch_reads }; class fifo_file { create open getattr setattr read write append rename link unlink ioctl lock relabelfrom relabelto }; class dir { getattr read search open write add_name remove_name lock ioctl create setattr rmdir }; @@ -240,6 +242,7 @@ allow cfengine_execd_t init_t:unix_stream_socket connectto; allow cfengine_execd_t journalctl_exec_t:file getattr; allow cfengine_execd_t ping_exec_t:file getattr; allow cfengine_execd_t proc_net_t:file { getattr open read }; +allow cfengine_execd_t proc_net_t:lnk_file { getattr read }; allow cfengine_execd_t proc_security_t:file { getattr open read }; allow cfengine_execd_t rpm_exec_t:file getattr; allow cfengine_execd_t rpm_var_lib_t:dir search; @@ -344,6 +347,7 @@ allow cfengine_serverd_t init_t:file { getattr open read }; allow cfengine_serverd_t journalctl_exec_t:file getattr; allow cfengine_serverd_t ping_exec_t:file getattr; allow cfengine_serverd_t proc_net_t:file { getattr open read }; +allow cfengine_serverd_t proc_net_t:lnk_file { getattr read }; allow cfengine_serverd_t proc_security_t:file { getattr open read }; allow cfengine_serverd_t rpm_exec_t:file getattr; allow cfengine_serverd_t self:process setrlimit; @@ -444,6 +448,7 @@ allow cfengine_hub_t net_conf_t:file { getattr open read }; allow cfengine_hub_t passwd_file_t:file { getattr open read }; allow cfengine_hub_t ping_exec_t:file getattr; allow cfengine_hub_t proc_net_t:file { getattr open read }; +allow cfengine_hub_t proc_net_t:lnk_file { getattr read }; allow cfengine_hub_t proc_security_t:file { getattr open read }; allow cfengine_hub_t proc_t:dir read; allow cfengine_hub_t rpm_exec_t:file getattr; @@ -478,7 +483,9 @@ allow cfengine_hub_t tmp_t:dir read; allow cfengine_hub_t kernel_t:system module_request; # TODO: these should not be needed -allow cfengine_hub_t ifconfig_exec_t:file { execute execute_no_trans open read getattr map }; +# this is a macro invocation, the file has to be processed with +# make -f /usr/share/selinux/devel/Makefile +sysnet_domtrans_ifconfig(cfengine_hub_t) allow cfengine_hub_t shell_exec_t:file map; allow cfengine_hub_t shell_exec_t:file { execute execute_no_trans }; allow cfengine_hub_t proc_xen_t:dir search; @@ -507,12 +514,14 @@ allow cfengine_postgres_t cfengine_postgres_exec_t:file { ioctl read getattr loc # TODO: Why are 'map', 'execute' and 'execute_no_trans' needed for postgres? allow cfengine_postgres_t cfengine_var_lib_t:file map; -allow cfengine_postgres_t cfengine_var_lib_t:file { create execute execute_no_trans getattr link open read rename unlink write }; - +allow cfengine_postgres_t cfengine_var_lib_t:file { create execute execute_no_trans getattr link open read rename unlink write rename }; +allow cfengine_postgres_t cfengine_var_lib_t:lnk_file read; allow cfengine_postgres_t cfengine_var_lib_t:dir { add_name getattr open create read remove_name search write }; allow cfengine_postgres_t postgresql_port_t:tcp_socket name_bind; +allow cfengine_postgres_t cert_t:dir search; +allow cfengine_postgres_t cert_t:file { getattr open read }; allow cfengine_postgres_t hugetlbfs_t:file map; allow cfengine_postgres_t hugetlbfs_t:file { read write }; allow cfengine_postgres_t init_t:unix_stream_socket { getattr ioctl read write }; # pg_ctl, systemd, PAM? @@ -525,6 +534,7 @@ allow cfengine_postgres_t proc_t:file { getattr open read }; allow cfengine_postgres_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow cfengine_postgres_t self:tcp_socket { bind create listen setopt read write }; allow cfengine_postgres_t self:udp_socket { bind connect create getattr getopt read write }; +allow cfengine_postgres_t self:unix_stream_socket connectto; allow cfengine_postgres_t sssd_public_t:dir search; allow cfengine_postgres_t sssd_public_t:file map; allow cfengine_postgres_t sssd_public_t:file { getattr open read }; @@ -532,7 +542,7 @@ allow cfengine_postgres_t sssd_var_lib_t:sock_file write; allow cfengine_postgres_t sssd_var_lib_t:dir search; allow cfengine_postgres_t sssd_t:unix_stream_socket connectto; allow cfengine_postgres_t tmp_t:dir { add_name write remove_name }; -allow cfengine_postgres_t tmp_t:file { create write unlink }; +allow cfengine_postgres_t tmp_t:file { create open write unlink }; allow cfengine_postgres_t tmp_t:sock_file { create setattr unlink write }; allow cfengine_postgres_t tmpfs_t:dir { add_name write remove_name }; allow cfengine_postgres_t tmpfs_t:file { create open read write map unlink getattr }; @@ -544,7 +554,7 @@ allow cfengine_postgres_t passwd_file_t:file { open read getattr }; # Needed for systemd to be able to check PostgreSQL's PID file allow init_t cfengine_var_lib_t:dir { read remove_name write }; -allow init_t cfengine_var_lib_t:file { getattr open read unlink }; +allow init_t cfengine_var_lib_t:file { getattr open read unlink ioctl }; # TODO: these should not be needed allow cfengine_postgres_t shell_exec_t:file map; From cbc8692c5d9b1bec253212b8cbd30655b3f2a515 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Wed, 1 Nov 2023 15:48:12 +0100 Subject: [PATCH 079/255] Enable building platform-specific SELinux policies We need a different SELinux policy on RHEL 9 and RHEL 8 because the latter doesn't support all the types required by the policy for the former. Ticket: ENT-9727 Changelog: None (cherry picked from commit 3bf6540c0cb2fbd9f7c5dc0cb4f33fca83917cb4) --- .gitignore | 1 + configure.ac | 8 ++++++++ misc/selinux/Makefile.am | 7 +++++-- ...{cfengine-enterprise.te => cfengine-enterprise.te.all} | 0 4 files changed, 14 insertions(+), 2 deletions(-) rename misc/selinux/{cfengine-enterprise.te => cfengine-enterprise.te.all} (100%) diff --git a/.gitignore b/.gitignore index 2125c0e47a..805a2f0f0e 100644 --- a/.gitignore +++ b/.gitignore @@ -187,4 +187,5 @@ __pycache__ # SELinux policy build artifacts misc/selinux/cfengine-enterprise.pp misc/selinux/cfengine-enterprise.if +misc/selinux/cfengine-enterprise.te misc/selinux/tmp diff --git a/configure.ac b/configure.ac index 42f231c3f8..e45254b069 100644 --- a/configure.ac +++ b/configure.ac @@ -1648,6 +1648,13 @@ AC_ARG_WITH(selinux-policy, [], [with_selinux_policy=no]) AM_CONDITIONAL([WITH_SELINUX], [test "x$with_selinux_policy" != "xno"]) +if test "x$with_selinux_policy" != "xno"; then + platform_id=$(sed -r -e '/PLATFORM_ID/!d;s/PLATFORM_ID="platform:(@<:@^"@:>@+)"/\1/' < /etc/os-release) + if test -f ${srcdir}/misc/selinux/cfengine-enterprise.te.$platform_id; then + PLATFORM_SELINUX_POLICIES=cfengine-enterprise.te.$platform_id + AC_SUBST(PLATFORM_SELINUX_POLICIES) + fi +fi dnl ##################################################################### dnl Hostname and Version stuff @@ -1844,6 +1851,7 @@ fi if test "x$with_selinux_policy" != "xno"; then AC_MSG_RESULT([-> SELinux policy: enabled]) + AC_MSG_RESULT([-> SELinux platform policies: $PLATFORM_SELINUX_POLICIES]) else AC_MSG_RESULT([-> SELinux policy: disabled]) fi diff --git a/misc/selinux/Makefile.am b/misc/selinux/Makefile.am index b0639ef52f..788c5402ea 100644 --- a/misc/selinux/Makefile.am +++ b/misc/selinux/Makefile.am @@ -1,4 +1,7 @@ if WITH_SELINUX +cfengine-enterprise.te: cfengine-enterprise.te.all $(PLATFORM_SELINUX_POLICIES) + cat cfengine-enterprise.te.all $(PLATFORM_SELINUX_POLICIES) > cfengine-enterprise.te + cfengine-enterprise.pp: cfengine-enterprise.te cfengine-enterprise.fc $(MAKE) -f /usr/share/selinux/devel/Makefile -j1 @@ -13,6 +16,6 @@ endif # explicit DISTFILES are required for these files to be part of a 'make dist' # tarball even without running './configure --with-selinux-policy' -DISTFILES = Makefile.in Makefile.am cfengine-enterprise.te cfengine-enterprise.fc +DISTFILES = Makefile.in Makefile.am cfengine-enterprise.fc cfengine-enterprise.te.all -CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if +CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te diff --git a/misc/selinux/cfengine-enterprise.te b/misc/selinux/cfengine-enterprise.te.all similarity index 100% rename from misc/selinux/cfengine-enterprise.te rename to misc/selinux/cfengine-enterprise.te.all From caa60b67e94a198aff9cc783c5543d06f78761bd Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Wed, 1 Nov 2023 16:11:53 +0100 Subject: [PATCH 080/255] Introduce RHEL 9 specific SELinux policy The type `systemd_userdbd_runtime_t` is only available on RHEL 9 and so RHEL 8 policy cannot contain it. Ticket: ENT-9727 Changelog: None (cherry picked from commit ba92b7b036710461f6965ff8e78e39208e61ef94) --- misc/selinux/Makefile.am | 1 + misc/selinux/cfengine-enterprise.te.all | 6 ------ misc/selinux/cfengine-enterprise.te.el9 | 8 ++++++++ 3 files changed, 9 insertions(+), 6 deletions(-) create mode 100644 misc/selinux/cfengine-enterprise.te.el9 diff --git a/misc/selinux/Makefile.am b/misc/selinux/Makefile.am index 788c5402ea..870b866b30 100644 --- a/misc/selinux/Makefile.am +++ b/misc/selinux/Makefile.am @@ -17,5 +17,6 @@ endif # explicit DISTFILES are required for these files to be part of a 'make dist' # tarball even without running './configure --with-selinux-policy' DISTFILES = Makefile.in Makefile.am cfengine-enterprise.fc cfengine-enterprise.te.all +DISTFILES += cfengine-enterprise.te.el9 CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 3188e40c98..d8d58639c8 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -75,7 +75,6 @@ require { type syslogd_var_run_t; type system_dbusd_t; type system_dbusd_var_run_t; - type systemd_userdbd_runtime_t; type tmp_t; type tmpfs_t; role system_r; @@ -643,11 +642,6 @@ allow cfengine_httpd_t tmp_t:file { create setattr unlink write rename }; allow cfengine_httpd_t tmp_t:dir { add_name remove_name write read }; allow cfengine_httpd_t var_t:dir read; -# PAM module for dynamic users -allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search }; -allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write; -allow cfengine_httpd_t kernel_t:unix_stream_socket connectto; - # apparently, httpd creates some temporary bits in /tmp that it needs to mmap() allow cfengine_httpd_t tmp_t:file map; diff --git a/misc/selinux/cfengine-enterprise.te.el9 b/misc/selinux/cfengine-enterprise.te.el9 new file mode 100644 index 0000000000..25b31a0c95 --- /dev/null +++ b/misc/selinux/cfengine-enterprise.te.el9 @@ -0,0 +1,8 @@ +require { + type systemd_userdbd_runtime_t; +} + +# PAM module for dynamic users +allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search }; +allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write; +allow cfengine_httpd_t kernel_t:unix_stream_socket connectto; From f66b6d42dde0fb65cce7b6dca869216d7df68485 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Mon, 6 Nov 2023 17:44:04 +0100 Subject: [PATCH 081/255] Do not add our services to cfengine3.service.wants on enable The `cfengine3.service` has `Wants` on all our services which ensures they are started when the `cfengine3.service` starts. If an individual service is enabled with `systemctl enable`, it should only be added to the respective systemd target in which it should start. (cherry picked from commit 4e661a70080b1c3786a58bdfaf7d0149d3e581f5) --- misc/systemd/cf-apache.service.in | 1 - misc/systemd/cf-execd.service.in | 1 - misc/systemd/cf-hub.service.in | 1 - misc/systemd/cf-monitord.service.in | 1 - misc/systemd/cf-postgres.service.in | 1 - misc/systemd/cf-reactor.service.in | 1 - misc/systemd/cf-runalerts.service.in | 1 - misc/systemd/cf-serverd.service.in | 1 - 8 files changed, 8 deletions(-) diff --git a/misc/systemd/cf-apache.service.in b/misc/systemd/cf-apache.service.in index 5b4373ec24..dea7c2356f 100644 --- a/misc/systemd/cf-apache.service.in +++ b/misc/systemd/cf-apache.service.in @@ -17,4 +17,3 @@ UMask=0177 [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-execd.service.in b/misc/systemd/cf-execd.service.in index 95567bcfe0..66f1e235e3 100644 --- a/misc/systemd/cf-execd.service.in +++ b/misc/systemd/cf-execd.service.in @@ -14,4 +14,3 @@ KillMode=process [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-hub.service.in b/misc/systemd/cf-hub.service.in index 1c8c62aa46..a6027ce206 100644 --- a/misc/systemd/cf-hub.service.in +++ b/misc/systemd/cf-hub.service.in @@ -17,4 +17,3 @@ RestartSec=10 [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-monitord.service.in b/misc/systemd/cf-monitord.service.in index 7ceb1e78d6..351090d6e6 100644 --- a/misc/systemd/cf-monitord.service.in +++ b/misc/systemd/cf-monitord.service.in @@ -13,4 +13,3 @@ RestartSec=10 [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-postgres.service.in b/misc/systemd/cf-postgres.service.in index 609c90c4fa..393efad1ee 100644 --- a/misc/systemd/cf-postgres.service.in +++ b/misc/systemd/cf-postgres.service.in @@ -33,4 +33,3 @@ ExecReload=@bindir@/pg_ctl -w -D ${PGDATA} -l /var/log/postgresql.log reload -m [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-reactor.service.in b/misc/systemd/cf-reactor.service.in index e50248258f..9e751abec5 100644 --- a/misc/systemd/cf-reactor.service.in +++ b/misc/systemd/cf-reactor.service.in @@ -17,4 +17,3 @@ RestartSec=10 [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-runalerts.service.in b/misc/systemd/cf-runalerts.service.in index 9a79480e02..e87f199347 100644 --- a/misc/systemd/cf-runalerts.service.in +++ b/misc/systemd/cf-runalerts.service.in @@ -20,5 +20,4 @@ RestartSec=10 [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service WantedBy=cf-postgres.service diff --git a/misc/systemd/cf-serverd.service.in b/misc/systemd/cf-serverd.service.in index 50fb00b15f..03945f8fea 100644 --- a/misc/systemd/cf-serverd.service.in +++ b/misc/systemd/cf-serverd.service.in @@ -15,4 +15,3 @@ RestartSec=10 [Install] WantedBy=network-online.target -WantedBy=cfengine3.service From 4ab23bc2d09c95a1344a8aee0c885f3382a4630d Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Tue, 7 Nov 2023 09:54:59 +0100 Subject: [PATCH 082/255] Relax the condition for matching LMDB file in `cf-check dump` Instead of requiring that the file name ends with e.g. "cf_lock.lmdb", just check if the file name contains the string. This ensures that files like `cf_lock.lmdb.backup` match as well. And if someone renames their `cf_lastseen.lmdb` to `cf_lock.lmdb_cf_lastseen.lmdb` or something similar, it's not our fault they get wrong output. (cherry picked from commit 3e98366c36e4e7e991148108699e8bdd0494722b) --- cf-check/dump.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/cf-check/dump.c b/cf-check/dump.c index d059612b46..2a87c57f3b 100644 --- a/cf-check/dump.c +++ b/cf-check/dump.c @@ -277,16 +277,16 @@ static void print_struct_or_string( { if (structs) { - if (StringEndsWith(file, "cf_lastseen.lmdb") + if (StringContains(file, "cf_lastseen.lmdb") && StringStartsWith(key.mv_data, "q")) { print_struct_lastseen_quality(value, strip_strings); } - else if (StringEndsWith(file, "cf_lock.lmdb")) + else if (StringContains(file, "cf_lock.lmdb")) { print_struct_lock_data(value, strip_strings); } - else if (StringEndsWith(file, "cf_observations.lmdb")) + else if (StringContains(file, "cf_observations.lmdb")) { if (StringEqual(key.mv_data, "DATABASE_AGE")) { @@ -299,15 +299,18 @@ static void print_struct_or_string( print_struct_averages(value, strip_strings, tskey_filename); } } - else if (StringEndsWith(file, "history.lmdb")) + else if (StringEqual(file, "history.lmdb") || + StringEndsWith(file, FILE_SEPARATOR_STR"history.lmdb") || + StringEqual(file, "history.lmdb.backup") || + StringEndsWith(file, FILE_SEPARATOR_STR"history.lmdb.backup")) { print_struct_averages(value, strip_strings, tskey_filename); } - else if (StringEndsWith(file, "cf_state.lmdb")) + else if (StringContains(file, "cf_state.lmdb")) { print_struct_persistent_class(value, strip_strings); } - else if (StringEndsWith(file, "nova_agent_execution.lmdb")) + else if (StringContains(file, "nova_agent_execution.lmdb")) { if (StringEqual(key.mv_data, "delta_gavr")) { From def60948e8704445e16c990412ccaa190c45460b Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Tue, 7 Nov 2023 09:59:48 +0100 Subject: [PATCH 083/255] Drop VerifyThatDatabaseIsNotCorrupt() on locks DB This function totally doesn't do what its name says. It only checks if the DB was modified in the current boot and if not, it restores it from the latest backup. Which is done and the end of every agent run. So this function effectively reverts the locks DB to the state of the last agent run on every boot dropping significant data like daemon locks. Ticket: CFE-3982 Changelog: cf_lock.lmdb is no longer restored from backup on every boot (cherry picked from commit db4eaf808db82462b4b47f250877f97e13dcb7ef) --- libpromises/locks.c | 36 ------------------------------------ 1 file changed, 36 deletions(-) diff --git a/libpromises/locks.c b/libpromises/locks.c index e891de9ce0..bcde830ba1 100644 --- a/libpromises/locks.c +++ b/libpromises/locks.c @@ -95,46 +95,10 @@ static void CopyLockDatabaseAtomically(const char *from, const char *to, const char *from_pretty_name, const char *to_pretty_name); -static void RestoreLockDatabase(void); - -static void VerifyThatDatabaseIsNotCorrupt_once(void) -{ - int uptime = GetUptimeSeconds(time(NULL)); - if (uptime <= 0) - { - Log(LOG_LEVEL_VERBOSE, - "Not able to determine uptime when verifying lock database. " - "Will assume the database is in order."); - return; - } - - char *db_path = DBIdToPath(dbid_locks); - struct stat statbuf; - if (stat(db_path, &statbuf) == 0) - { - if (statbuf.st_mtime < time(NULL) - uptime) - { - // We have rebooted since the database was last updated. - // Restore it from our backup. - RestoreLockDatabase(); - } - } - - free(db_path); -} - -static void VerifyThatDatabaseIsNotCorrupt(void) -{ - static pthread_once_t uptime_verified = PTHREAD_ONCE_INIT; - pthread_once(&uptime_verified, &VerifyThatDatabaseIsNotCorrupt_once); -} - CF_DB *OpenLock() { CF_DB *dbp; - VerifyThatDatabaseIsNotCorrupt(); - if (!OpenDB(&dbp, dbid_locks)) { return NULL; From fd6ea438f470a674abf335e9f868446de6f64011 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Tue, 7 Nov 2023 10:08:41 +0100 Subject: [PATCH 084/255] Make RestoreLockDatabase() a non-static function It's no longer being used in locks.c, but it can potentially be useful for being called explicitly. After all, it's a complementary function to BackupLockDatabase() which is also non-static. Ticket: CFE-3982 Changelog: None (cherry picked from commit d824b882cdc3f721a81cb6317e3230430767a9fc) --- libpromises/locks.c | 5 ++--- libpromises/locks.h | 1 + 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libpromises/locks.c b/libpromises/locks.c index bcde830ba1..99923187dd 100644 --- a/libpromises/locks.c +++ b/libpromises/locks.c @@ -1038,11 +1038,10 @@ void GetLockName(char *lockname, const char *locktype, } } -static void RestoreLockDatabase(void) +void RestoreLockDatabase(void) { // We don't do any locking here (since we can't trust the database), but - // this should be right after bootup, so we should be the only one. - // Worst case someone else will just copy the same file to the same + // worst case someone else will just copy the same file to the same // location. char *db_path = DBIdToPath(dbid_locks); char *db_path_backup; diff --git a/libpromises/locks.h b/libpromises/locks.h index 28186d50a7..b46da61d52 100644 --- a/libpromises/locks.h +++ b/libpromises/locks.h @@ -38,6 +38,7 @@ void GetLockName(char *lockname, const char *locktype, const char *base, const Rlist *params); void PurgeLocks(void); void BackupLockDatabase(void); +void RestoreLockDatabase(void); // Used in enterprise/nova code: CF_DB *OpenLock(); From 205d78106df050634cb6dbce4303bcf3c7b0cbca Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Tue, 7 Nov 2023 11:10:08 +0100 Subject: [PATCH 085/255] Only kill potential CFEngine lock holders MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a non CFEngine process has a matching PID and start time, we shouldn't try to kill it because it's practically impossible that it is a real holder of one of our locks in cf_lock.lmdb. Most likely it's an unfortunate process that ended up with the matching PID and start time after a reboot. Ticket: CFE-3982 Changelog: Only CFEngine processes are now killed as expired lock owners Co-authored-by: Benoît Peccatte (cherry picked from commit 6234c8cf64c6e20632d2cd99344b0f6730c2e251) --- libpromises/locks.c | 64 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/libpromises/locks.c b/libpromises/locks.c index 99923187dd..d2b2d9c704 100644 --- a/libpromises/locks.c +++ b/libpromises/locks.c @@ -518,6 +518,63 @@ static void PromiseTypeString(char *dst, size_t dst_size, const Promise *pp) } } +/** + * A helper best-effort function to prevent us from killing non CFEngine + * processes with matching PID-start_time combinations **when/where it's easy to + * check**. + */ +static bool IsCfengineLockHolder(pid_t pid) +{ + char procfile[PATH_MAX]; + snprintf(procfile, PATH_MAX, "/proc/%ju/comm", (uintmax_t) pid); + int f = open(procfile, O_RDONLY); + /* On platforms where /proc doesn't exist, we would have to do a more + complicated check probably not worth it in this helper best-effort + function. */ + if (f == -1) + { + /* assume true where we cannot check */ + return true; + } + + /* more than any possible CFEngine lock holder's name */ + char command[32] = {0}; + ssize_t n_read = FullRead(f, command, sizeof(command)); + close(f); + if ((n_read <= 1) || (n_read == sizeof(command))) + { + Log(LOG_LEVEL_VERBOSE, "Failed to get command for process %ju", (uintmax_t) pid); + /* assume true where we cannot check */ + return true; + } + if (command[n_read - 1] == '\n') + { + command[n_read - 1] = '\0'; + } + + /* potential CFEngine lock holders (others like cf-net, cf-key,... are not + * supposed/expected to be lock holders) */ + const char *const cfengine_procs[] = { + "cf-promises", + "lt-cf-agent", /* when running from a build with 'libtool --mode=execute' */ + "cf-agent", + "cf-execd", + "cf-serverd", + "cf-monitord", + "cf-hub", + NULL + }; + for (size_t i = 0; cfengine_procs[i] != NULL; i++) + { + if (StringEqual(cfengine_procs[i], command)) + { + return true; + } + } + Log(LOG_LEVEL_DEBUG, "'%s' not considered a CFEngine process", command); + return false; +} + static bool KillLockHolder(const char *lock) { bool ret; @@ -551,6 +608,13 @@ static bool KillLockHolder(const char *lock) CloseLock(dbp); + if (!IsCfengineLockHolder(lock_data.pid)) { + Log(LOG_LEVEL_VERBOSE, + "Lock holder with PID %ju was replaced by a non CFEngine process, ignoring request to kill it", + (uintmax_t) lock_data.pid); + return true; + } + if (GracefulTerminate(lock_data.pid, lock_data.process_start_time)) { Log(LOG_LEVEL_INFO, From 2cd30c5ff3202256e9855b5f5431ae29f9c9cb50 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 8 Nov 2023 11:03:56 -0600 Subject: [PATCH 086/255] Fixed inventoried policy release id when masterfiles-stage.sh deploys with cfbs When policy is tagged (with cf-promises -T) cf-promises looks for .git/HEAD and uses it's content as the policy release id in the generated cf_promises_release_id file. If .git/HEAD does not exist the policy tree is hashed and that value is used instead. For traditional deployments straight from version control, this works. When deploying from cfbs .git/HEAD needs to be copied to out/masterfiles or it won't be part of the tagged policy. This change adjusts the target appropriately when deploying with cfbs. Ticket: ENT-10832 Changelog: Title (cherry picked from commit 89ab485968e1eb420c9659395cb2f334a60935f7) --- contrib/masterfiles-stage/common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/masterfiles-stage/common.sh b/contrib/masterfiles-stage/common.sh index 3d45d8e4bf..79e0b2b2f1 100755 --- a/contrib/masterfiles-stage/common.sh +++ b/contrib/masterfiles-stage/common.sh @@ -222,8 +222,8 @@ git_cfbs_deploy_refspec() { # Switch back to the original working dir cd "${_start_wrkdir}" # Grab HEAD so it can be used to populate cf_promises_release_id - mkdir -p "${temp_stage}/.git" - cp "${local_mirrored_repo}/HEAD" "${temp_stage}/.git/" + mkdir -p "${temp_stage}/out/masterfiles/.git" + cp "${local_mirrored_repo}/HEAD" "${temp_stage}/out/masterfiles/.git/" ########################## 3. SET PERMISSIONS ON POLICY SET chown -R root:root "${temp_stage}" || error_exit "Unable to chown '${temp_stage}'" From 4a863692bd9502241e5562945fff4ce30267105e Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 30 Oct 2023 17:57:56 +0100 Subject: [PATCH 087/255] Formatted InitIgnoreInterfaces() with clang-format Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 0d2b3115792d66c0c54427592d693b6e7888d388) --- libenv/unix_iface.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/libenv/unix_iface.c b/libenv/unix_iface.c index 6ae6a8bc8e..bb7e9aac07 100644 --- a/libenv/unix_iface.c +++ b/libenv/unix_iface.c @@ -836,13 +836,19 @@ static void FindV6InterfacesInfo(EvalContext *ctx, Rlist **interfaces, Rlist **h static void InitIgnoreInterfaces() { FILE *fin; - char filename[CF_BUFSIZE],regex[256]; + char filename[CF_BUFSIZE], regex[256]; - snprintf(filename, sizeof(filename), "%s%c%s", GetInputDir(), FILE_SEPARATOR, CF_IGNORE_INTERFACES); + snprintf( + filename, + sizeof(filename), + "%s%c%s", + GetInputDir(), + FILE_SEPARATOR, + CF_IGNORE_INTERFACES); - if ((fin = fopen(filename,"r")) == NULL) + if ((fin = fopen(filename, "r")) == NULL) { - Log(LOG_LEVEL_VERBOSE, "No interface exception file %s",filename); + Log(LOG_LEVEL_VERBOSE, "No interface exception file %s", filename); return; } @@ -861,7 +867,7 @@ static void InitIgnoreInterfaces() if (scanCount != 0 && *regex != '\0') { - RlistPrependScalarIdemp(&IGNORE_INTERFACES, regex); + RlistPrependScalarIdemp(&IGNORE_INTERFACES, regex); } } From 49cc784cc20266bd9347ce5fde563eb110192001 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 30 Oct 2023 17:59:42 +0100 Subject: [PATCH 088/255] Moved ignore_interfaces.rx to $(sys.workdir) Moved expected location of ignore_interfaces.rx from $(sys.inputdir) to $(sys.workdir). If the file is found in $(sys.inputdir) but not in $(sys.workdir), we will still process it for backwards compatability, but issue a warning prompting the user to move it to the appropriate location. Ticket: ENT-9402 Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit 4a1bcca44aff407b1ebe3d2412bd609a96ff2ba2) --- libenv/unix_iface.c | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/libenv/unix_iface.c b/libenv/unix_iface.c index bb7e9aac07..e60842035d 100644 --- a/libenv/unix_iface.c +++ b/libenv/unix_iface.c @@ -838,18 +838,42 @@ static void InitIgnoreInterfaces() FILE *fin; char filename[CF_BUFSIZE], regex[256]; - snprintf( + int ret = snprintf( filename, sizeof(filename), "%s%c%s", - GetInputDir(), + GetWorkDir(), FILE_SEPARATOR, CF_IGNORE_INTERFACES); + assert(ret >= 0 && (size_t) ret < sizeof(filename)); if ((fin = fopen(filename, "r")) == NULL) { - Log(LOG_LEVEL_VERBOSE, "No interface exception file %s", filename); - return; + /* LEGACY: The 'ignore_interfaces.rx' file was previously located in + * $(sys.inputdir). Consequently, if the file is found in this + * directory but not in $(sys.workdir), we will still process it, but + * issue a warning. */ + ret = snprintf( + filename, + sizeof(filename), + "%s%c%s", + GetInputDir(), + FILE_SEPARATOR, + CF_IGNORE_INTERFACES); + assert(ret >= 0 && (size_t) ret < sizeof(filename)); + + if ((fin = fopen(filename, "r")) == NULL) + { + Log(LOG_LEVEL_VERBOSE, "No interface exception file %s", filename); + return; + } + + Log(LOG_LEVEL_WARNING, + "Found interface exception file %s in %s but it should be in %s. " + "Please consider moving it to the appropriate location.", + CF_IGNORE_INTERFACES, + GetInputDir(), + GetWorkDir()); } while (!feof(fin)) From 24a04066966368e6cd072610a9891ced904b485d Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 31 Oct 2023 18:00:52 +0100 Subject: [PATCH 089/255] Added error message based on errno to InitIgnoreInterfaces() Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit d370525c17f3bf4724fc63a957156b7b41fd1daf) --- libenv/unix_iface.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libenv/unix_iface.c b/libenv/unix_iface.c index e60842035d..a8c7043ed1 100644 --- a/libenv/unix_iface.c +++ b/libenv/unix_iface.c @@ -849,6 +849,11 @@ static void InitIgnoreInterfaces() if ((fin = fopen(filename, "r")) == NULL) { + Log((errno == ENOENT) ? LOG_LEVEL_VERBOSE : LOG_LEVEL_ERR, + "Failed to open interface exception file %s: %s", + filename, + GetErrorStr()); + /* LEGACY: The 'ignore_interfaces.rx' file was previously located in * $(sys.inputdir). Consequently, if the file is found in this * directory but not in $(sys.workdir), we will still process it, but @@ -864,7 +869,10 @@ static void InitIgnoreInterfaces() if ((fin = fopen(filename, "r")) == NULL) { - Log(LOG_LEVEL_VERBOSE, "No interface exception file %s", filename); + Log((errno == ENOENT) ? LOG_LEVEL_VERBOSE : LOG_LEVEL_ERR, + "Failed to open interface exception file %s: %s", + filename, + GetErrorStr()); return; } From e6d234520e1d4eed125b0b1e214aadcc2fc90bfa Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Wed, 10 Jun 2020 17:46:48 +0200 Subject: [PATCH 090/255] Do aligned access to LMDB data in cf-check Data stored in LMDB and accessed with the 'MDB_val.data' field is a pointer to a map of the LMDB file (set up with mmap()). This doesn't ensure proper alignment and so in order to avoid potential SIGBUS due to bad alignment (on architectures sensitive to these issues), we need to create local copies of the data before trying to access them in any way than just one byte at a time. Ticket: CFE-3373 Changelog: None (cherry picked from commit a7fbac9b2bd04092b8b7e415636026fa0d7b41b4) --- cf-check/dump.c | 46 ++++++++++++++++++++++++++++----------------- cf-check/validate.c | 10 ++++++---- 2 files changed, 35 insertions(+), 21 deletions(-) diff --git a/cf-check/dump.c b/cf-check/dump.c index 2a87c57f3b..6ddc89cad6 100644 --- a/cf-check/dump.c +++ b/cf-check/dump.c @@ -103,9 +103,10 @@ static void print_struct_lastseen_quality( else { // TODO: improve names of struct members in QPoint and KeyHostSeen - const KeyHostSeen *const quality = value.mv_data; - const time_t lastseen = quality->lastseen; - const QPoint Q = quality->Q; + KeyHostSeen quality; + memcpy(&quality, value.mv_data, sizeof(quality)); + const time_t lastseen = quality.lastseen; + const QPoint Q = quality.Q; JsonElement *q_json = JsonObjectCreate(4); JsonObjectAppendReal(q_json, "q", Q.q); @@ -136,10 +137,11 @@ static void print_struct_lock_data( else { // TODO: improve names of struct members in LockData - const LockData *const lock = value.mv_data; - const pid_t pid = lock->pid; - const time_t time = lock->time; - const time_t process_start_time = lock->process_start_time; + LockData lock; + memcpy(&lock, value.mv_data, sizeof(lock)); + const pid_t pid = lock.pid; + const time_t time = lock.time; + const time_t process_start_time = lock.process_start_time; JsonElement *json = JsonObjectCreate(3); JsonObjectAppendInteger(json, "pid", pid); @@ -168,8 +170,9 @@ static void print_struct_averages( { // TODO: clean up Averages char **obnames = NULL; - const Averages *const averages = value.mv_data; - const time_t last_seen = averages->last_seen; + Averages averages; + memcpy(&averages, value.mv_data, sizeof(averages)); + const time_t last_seen = averages.last_seen; obnames = GetObservableNames(tskey_filename); JsonElement *all_observables = JsonObjectCreate(CF_OBSERVABLES); @@ -178,7 +181,7 @@ static void print_struct_averages( { char *name = obnames[i]; JsonElement *observable = JsonObjectCreate(4); - QPoint Q = averages->Q[i]; + QPoint Q = averages.Q[i]; JsonObjectAppendReal(observable, "q", Q.q); JsonObjectAppendReal(observable, "expect", Q.expect); @@ -216,7 +219,11 @@ static void print_struct_persistent_class( } else { - const PersistentClassInfo *const class_info = value.mv_data; + /* Make a copy to ensure proper alignment. We cannot just copy data to a + * local PersistentClassInfo variable because it contains a + * variable-length string at the end (see the struct definition). */ + PersistentClassInfo *class_info = malloc(value.mv_size); + memcpy(class_info, value.mv_data, value.mv_size); const unsigned int expires = class_info->expires; const PersistentClassPolicy policy = class_info->policy; const char *policy_str; @@ -250,6 +257,7 @@ static void print_struct_persistent_class( // String is not terminated, abort or fall back to default: debug_abort_if_reached(); print_json_string(value.mv_data, value.mv_size, strip_strings); + free(class_info); return; } @@ -264,6 +272,7 @@ static void print_struct_persistent_class( JsonWriteCompact(w, top_json); FileWriterDetach(w); JsonDestroy(top_json); + free(class_info); } } @@ -291,8 +300,9 @@ static void print_struct_or_string( if (StringEqual(key.mv_data, "DATABASE_AGE")) { assert(sizeof(double) == value.mv_size); - const double *const age = value.mv_data; - printf("%f", *age); + double age; + memcpy(&age, value.mv_data, sizeof(age)); + printf("%f", age); } else { @@ -315,14 +325,16 @@ static void print_struct_or_string( if (StringEqual(key.mv_data, "delta_gavr")) { assert(sizeof(double) == value.mv_size); - const double *const average = value.mv_data; - printf("%f", *average); + double average; + memcpy(&average, value.mv_data, sizeof(average)); + printf("%f", average); } else if (StringEqual(key.mv_data, "last_exec")) { assert(sizeof(time_t) == value.mv_size); - const time_t *const last_exec = value.mv_data; - printf("%ju", (uintmax_t) (*last_exec)); + time_t last_exec; + memcpy(&last_exec, value.mv_data, sizeof(last_exec)); + printf("%ju", (uintmax_t) (last_exec)); } else { diff --git a/cf-check/validate.c b/cf-check/validate.c index 0b1b70309d..185444f1fe 100644 --- a/cf-check/validate.c +++ b/cf-check/validate.c @@ -301,9 +301,10 @@ static void UpdateValidatorLastseen( const char direction = key_string[1]; if (direction == 'i' || direction == 'o') { - const KeyHostSeen *const data = value.mv_data; + KeyHostSeen data; + memcpy(&data, value.mv_data, sizeof(data)); - const time_t lastseen = data->lastseen; + const time_t lastseen = data.lastseen; const time_t current = time(NULL); Log(LOG_LEVEL_DEBUG, @@ -353,8 +354,9 @@ static void UpdateValidatorLock( const char *key_string = key.mv_data; - const LockData *const lock = value.mv_data; - const time_t lock_time = lock->time; + LockData lock; + memcpy(&lock, value.mv_data, sizeof(lock)); + const time_t lock_time = lock.time; const time_t current = time(NULL); Log(LOG_LEVEL_DEBUG, From 2f6df8d82ee7b2a808afd5ea8a8aff39bbb7340a Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Mon, 13 Nov 2023 16:43:14 +0100 Subject: [PATCH 091/255] Use `CF_LOCKHORIZON` to check whether to purge locks We have that constant so we should use it. Ticket: ENT-8201 Changelog: None (cherry picked from commit e6bd200f42b8883dc1a571a4026e522883a76d65) --- libpromises/locks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpromises/locks.c b/libpromises/locks.c index d2b2d9c704..7bc29adfc7 100644 --- a/libpromises/locks.c +++ b/libpromises/locks.c @@ -1214,7 +1214,7 @@ void PurgeLocks(void) if (ReadDB(dbp, "lock_horizon", &lock_horizon, sizeof(lock_horizon))) { - if (now - lock_horizon.time < SECONDS_PER_WEEK * 4) + if ((now - lock_horizon.time) < CF_LOCKHORIZON) { Log(LOG_LEVEL_VERBOSE, "No lock purging scheduled"); CloseLock(dbp); From c47f9010df65f7d415370802dbef3651835c0229 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Mon, 13 Nov 2023 17:38:43 +0100 Subject: [PATCH 092/255] Add GetDBUsagePercentage() function So that we can check how full DBs are. For now only implemented for LMDB where we set/know the maximum size. Ticket: ENT-8201 Ticket: CFE-2136 Changelog: None (cherry picked from commit b775f2eed3d9b3dbc222d1cc513fb4a7f03c7ea3) --- libpromises/dbm_api.c | 6 ++++++ libpromises/dbm_api.h | 1 + libpromises/dbm_lmdb.c | 12 ++++++++++++ libpromises/dbm_priv.h | 2 ++ libpromises/dbm_quick.c | 6 ++++++ libpromises/dbm_tokyocab.c | 6 ++++++ 6 files changed, 33 insertions(+) diff --git a/libpromises/dbm_api.c b/libpromises/dbm_api.c index b7ef186e50..97bd1869f6 100644 --- a/libpromises/dbm_api.c +++ b/libpromises/dbm_api.c @@ -548,6 +548,12 @@ bool CleanDB(DBHandle *handle) return ret; } +int GetDBUsagePercentage(const DBHandle *handle) +{ + assert(handle != NULL); + return DBPrivGetDBUsagePercentage(handle->filename); +} + /** * Freezes the DB so that it is never touched by this process again. In * particular, new OpenDB() calls are ignored and CloseAllDBExit() also ignores diff --git a/libpromises/dbm_api.h b/libpromises/dbm_api.h index 516d1add6d..e3d735e80a 100644 --- a/libpromises/dbm_api.h +++ b/libpromises/dbm_api.h @@ -78,6 +78,7 @@ void CloseDB(CF_DB *dbp); DBHandle *GetDBHandleFromFilename(const char *db_file_name); time_t GetDBOpenTimestamp(const DBHandle *handle); +int GetDBUsagePercentage(const DBHandle *handle); bool HasKeyDB(CF_DB *dbp, const char *key, int key_size); int ValueSizeDB(CF_DB *dbp, const char *key, int key_size); diff --git a/libpromises/dbm_lmdb.c b/libpromises/dbm_lmdb.c index 9475643744..39031318b1 100644 --- a/libpromises/dbm_lmdb.c +++ b/libpromises/dbm_lmdb.c @@ -700,6 +700,18 @@ bool DBPrivClean(DBPriv *db) return (mdb_drop(txn->txn, db->dbi, EMPTY_DB) != 0); } +int DBPrivGetDBUsagePercentage(const char *db_path) +{ + struct stat sb; + int ret = stat(db_path, &sb); + if (ret == -1) + { + Log(LOG_LEVEL_ERR, "Failed to get size of '%s': %s", db_path, GetErrorStr()); + return -1; + } + return (int) ((((float) sb.st_size) / LMDB_MAXSIZE) * 100); +} + void DBPrivCommit(DBPriv *db) { assert(db != NULL); diff --git a/libpromises/dbm_priv.h b/libpromises/dbm_priv.h index b3d6edf77b..c36a6a6988 100644 --- a/libpromises/dbm_priv.h +++ b/libpromises/dbm_priv.h @@ -54,6 +54,8 @@ void DBPrivCloseDB(DBPriv *hdbp); void DBPrivCommit(DBPriv *hdbp); bool DBPrivClean(DBPriv *hdbp); +int DBPrivGetDBUsagePercentage(const char *db_path); + bool DBPrivHasKey(DBPriv *db, const void *key, int key_size); int DBPrivGetValueSize(DBPriv *db, const void *key, int key_size); diff --git a/libpromises/dbm_quick.c b/libpromises/dbm_quick.c index 424e8c3337..c907499df5 100644 --- a/libpromises/dbm_quick.c +++ b/libpromises/dbm_quick.c @@ -206,6 +206,12 @@ bool DBPrivClean(DBPriv *db) return true; } +int DBPrivGetDBUsagePercentage(ARG_UNUSED const char *db_path) +{ + Log(LOG_LEVEL_WARNING, "Cannot determine usage of a QuickDB database"); + return -1; +} + bool DBPrivRead(DBPriv *db, const void *key, int key_size, void *dest, size_t dest_size) { if (!Lock(db)) diff --git a/libpromises/dbm_tokyocab.c b/libpromises/dbm_tokyocab.c index 56f8876f2a..667fdc39ef 100644 --- a/libpromises/dbm_tokyocab.c +++ b/libpromises/dbm_tokyocab.c @@ -245,6 +245,12 @@ bool DBPrivClean(DBPriv *db) return true; } +int DBPrivGetDBUsagePercentage(ARG_UNUSED const char *db_path) +{ + Log(LOG_LEVEL_WARNING, "Cannot determine usage of a TokyoCabinet database"); + return -1; +} + bool DBPrivHasKey(DBPriv *db, const void *key, int key_size) { // FIXME: distinguish between "entry not found" and "error occurred" From 0c89143c58761ea379c9b6158d8ce4ab2fe1bd76 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Tue, 14 Nov 2023 10:53:04 +0100 Subject: [PATCH 093/255] Make lock purging react to locks DB usage Ideally, locks should never need to be cleaned because the ones used by the current policy set should be periodically updated and the old ones that no longer match anything in policy should be very few in numbers and thus taking very little space. And we want to retain locks for more than 4 weeks whenever possible because for example locks used by our daemons to prevent multiple instances from running should stay intact while our daemons run which should ideally be for the whole boot time of a machine. Also, our documentation doesn't specify any hard expire interval for locks (any upper limit) so if possible, we should retain and respect even very old locks. If the locks DB grows too big, however, we need to do purging, potentially even more aggressively than just with the 4 week horizon if needed. Ticket: ENT-8201 Ticket: CFE-2136 Ticket: ENT-5898 Changelog: CFEngine locks are now purged dynamically based on the local locks DB usage/size ranging from no purging (<=25% usage) to purging of locks older than 1 week (>75% usage) (cherry picked from commit 0a4550807fa652c5038d971b766e779301f962f8) --- libpromises/locks.c | 42 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 38 insertions(+), 4 deletions(-) diff --git a/libpromises/locks.c b/libpromises/locks.c index 7bc29adfc7..f3671d65ca 100644 --- a/libpromises/locks.c +++ b/libpromises/locks.c @@ -50,7 +50,6 @@ #endif #define CFLOGSIZE 1048576 /* Size of lock-log before rotation */ -#define CF_LOCKHORIZON ((time_t)(SECONDS_PER_WEEK * 4)) #define CF_MAXLOCKNUM 8192 #define CF_CRITIAL_SECTION "CF_CRITICAL_SECTION" @@ -62,6 +61,20 @@ #define LOG_LOCK_OP(__lock, __lock_sum, __lock_data) \ log_lock("Performing", __FUNCTION__, __lock, __lock_sum, __lock_data) +/** + * Map the locks DB usage percentage to the lock horizon interval (how old locks + * we want to keep). + */ +#define N_LOCK_HORIZON_USAGE_INTERVALS 4 /* 0-25, 26-50,... */ +static const time_t LOCK_HORIZON_USAGE_INTERVALS[N_LOCK_HORIZON_USAGE_INTERVALS] = { + 0, /* plenty of space, no cleanup needed (0 is a special + * value) */ + 4 * SECONDS_PER_WEEK, /* used to be the fixed value */ + 2 * SECONDS_PER_WEEK, /* a bit more aggressive, but still reasonable */ + SECONDS_PER_WEEK, /* as far as we want to go to avoid making long locks + * unreliable and practically non-functional */ +}; + typedef struct CfLockStack_ { char lock[CF_BUFSIZE]; char last[CF_BUFSIZE]; @@ -1210,11 +1223,30 @@ void PurgeLocks(void) return; } + int usage_pct = GetDBUsagePercentage(dbp); + if (usage_pct == -1) + { + /* error already logged */ + /* no usage info, assume 50% */ + usage_pct = 50; + } + + unsigned short interval_idx = MIN(usage_pct / (100 / N_LOCK_HORIZON_USAGE_INTERVALS), + N_LOCK_HORIZON_USAGE_INTERVALS - 1); + const time_t lock_horizon_interval = LOCK_HORIZON_USAGE_INTERVALS[interval_idx]; + if (lock_horizon_interval == 0) + { + Log(LOG_LEVEL_VERBOSE, "No lock purging needed (lock DB usage: %d %%)", usage_pct); + CloseLock(dbp); + return; + } + const time_t purge_horizon = now - lock_horizon_interval; + memset(&lock_horizon, 0, sizeof(lock_horizon)); if (ReadDB(dbp, "lock_horizon", &lock_horizon, sizeof(lock_horizon))) { - if ((now - lock_horizon.time) < CF_LOCKHORIZON) + if (lock_horizon.time > purge_horizon) { Log(LOG_LEVEL_VERBOSE, "No lock purging scheduled"); CloseLock(dbp); @@ -1222,7 +1254,9 @@ void PurgeLocks(void) } } - Log(LOG_LEVEL_VERBOSE, "Looking for stale locks to purge"); + Log(LOG_LEVEL_VERBOSE, + "Looking for stale locks (older than %jd seconds) to purge", + (intmax_t) lock_horizon_interval); if (!NewDBCursor(dbp, &dbcp)) { @@ -1244,7 +1278,7 @@ void PurgeLocks(void) continue; } - if (now - entry->time > (time_t) CF_LOCKHORIZON) + if (entry->time < purge_horizon) { Log(LOG_LEVEL_VERBOSE, "Purging lock (%jd s elapsed): %s", (intmax_t) (now - entry->time), key); From 97cf63cd8ba9de63b4377b319731612e256c4087 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Tue, 14 Nov 2023 11:10:57 +0100 Subject: [PATCH 094/255] Improve code quality of PurgeLocks() Declare variables when they are used and give them better names. Also use the nicer names for DB types. Ticket: ENT-8201 Changelog: None (cherry picked from commit a2159f9454a99c5f44763d23eb0161cb5573cee6) --- libpromises/locks.c | 44 +++++++++++++++++++++----------------------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/libpromises/locks.c b/libpromises/locks.c index f3671d65ca..0c788f42eb 100644 --- a/libpromises/locks.c +++ b/libpromises/locks.c @@ -1210,20 +1210,15 @@ void BackupLockDatabase(void) void PurgeLocks(void) { - CF_DBC *dbcp; - char *key; - int ksize, vsize; - LockData lock_horizon; - LockData *entry = NULL; - time_t now = time(NULL); - - CF_DB *dbp = OpenLock(); - if (dbp == NULL) + DBHandle *db = OpenLock(); + if (db == NULL) { return; } - int usage_pct = GetDBUsagePercentage(dbp); + time_t now = time(NULL); + + int usage_pct = GetDBUsagePercentage(db); if (usage_pct == -1) { /* error already logged */ @@ -1237,19 +1232,19 @@ void PurgeLocks(void) if (lock_horizon_interval == 0) { Log(LOG_LEVEL_VERBOSE, "No lock purging needed (lock DB usage: %d %%)", usage_pct); - CloseLock(dbp); + CloseLock(db); return; } const time_t purge_horizon = now - lock_horizon_interval; + LockData lock_horizon; memset(&lock_horizon, 0, sizeof(lock_horizon)); - - if (ReadDB(dbp, "lock_horizon", &lock_horizon, sizeof(lock_horizon))) + if (ReadDB(db, "lock_horizon", &lock_horizon, sizeof(lock_horizon))) { if (lock_horizon.time > purge_horizon) { Log(LOG_LEVEL_VERBOSE, "No lock purging scheduled"); - CloseLock(dbp); + CloseLock(db); return; } } @@ -1258,22 +1253,26 @@ void PurgeLocks(void) "Looking for stale locks (older than %jd seconds) to purge", (intmax_t) lock_horizon_interval); - if (!NewDBCursor(dbp, &dbcp)) + DBCursor *cursor; + if (!NewDBCursor(db, &cursor)) { char *db_path = DBIdToPath(dbid_locks); Log(LOG_LEVEL_ERR, "Unable to get cursor for locks database '%s'", db_path); free(db_path); - CloseLock(dbp); + CloseLock(db); return; } - while (NextDB(dbcp, &key, &ksize, (void **)&entry, &vsize)) + char *key; + int ksize, vsize; + LockData *entry = NULL; + while (NextDB(cursor, &key, &ksize, (void **)&entry, &vsize)) { #ifdef LMDB LOG_LOCK_OP("", key, entry); #endif - if (STARTSWITH(key, "last.internal_bundle.track_license.handle")) + if (StringStartsWith(key, "last.internal_bundle.track_license.handle")) { continue; } @@ -1282,15 +1281,14 @@ void PurgeLocks(void) { Log(LOG_LEVEL_VERBOSE, "Purging lock (%jd s elapsed): %s", (intmax_t) (now - entry->time), key); - DBCursorDeleteEntry(dbcp); + DBCursorDeleteEntry(cursor); } } + DeleteDBCursor(cursor); Log(LOG_LEVEL_DEBUG, "Finished purging locks"); lock_horizon.time = now; - DeleteDBCursor(dbcp); - - WriteDB(dbp, "lock_horizon", &lock_horizon, sizeof(lock_horizon)); - CloseLock(dbp); + WriteDB(db, "lock_horizon", &lock_horizon, sizeof(lock_horizon)); + CloseLock(db); } From da8a189c1e8ed0e5520458aa6054aeb1066f327d Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Wed, 15 Nov 2023 14:03:22 +0100 Subject: [PATCH 095/255] Rotate almost full LMDB files in cf-check repair Almost full LMDBs are dangerous, so they should be rotated as part of `cf-check repair`. Ticket: CFE-3374 Changelog: `cf-check repair` now rotates DB files with high usage (>95%) (cherry picked from commit 11ed41efe12b48a11a69939f99d548cc2969de48) --- cf-check/diagnose.c | 24 +++++++++++++ cf-check/diagnose.h | 2 ++ cf-check/repair.c | 80 +++++++++++++++++++++++++++++++++++++++--- cf-check/repair.h | 1 + libpromises/dbm_lmdb.c | 1 + 5 files changed, 104 insertions(+), 4 deletions(-) diff --git a/cf-check/diagnose.c b/cf-check/diagnose.c index 7689bca611..a7c621b746 100644 --- a/cf-check/diagnose.c +++ b/cf-check/diagnose.c @@ -39,6 +39,11 @@ size_t diagnose_files( #include #include +/* NOTE: Must be in sync with LMDB_MAXSIZE in libpromises/dbm_lmdb.c. */ +#ifndef LMDB_MAXSIZE +#define LMDB_MAXSIZE 104857600 +#endif + #define CF_CHECK_CREATE_STRING(name) \ #name, @@ -524,6 +529,25 @@ static char *follow_symlink(const char *path) return xstrdup(target_buf); } +bool lmdb_file_needs_rotation(const char *file, int *usage) +{ + struct stat sb; + if (stat(file, &sb) == 0) + { + int usage_pct = (((float) sb.st_size) / LMDB_MAXSIZE) * 100; + if (usage != NULL) + { + *usage = usage_pct; + } + return (usage_pct >= 95); + } + else + { + Log(LOG_LEVEL_ERR, "Failed to stat() '%s' when checking usage: %s", file, GetErrorStr()); + return false; + } +} + /** * @param[in] filenames DB files to diagnose/check * @param[out] corrupt place to store the resulting sequence of corrupted diff --git a/cf-check/diagnose.h b/cf-check/diagnose.h index 4bb01c7dde..5f6204b251 100644 --- a/cf-check/diagnose.h +++ b/cf-check/diagnose.h @@ -85,6 +85,8 @@ int lmdb_errno_to_cf_check_code(int r); int signal_to_cf_check_code(int sig); void report_mdb_error(const char *db_file, const char *op, int rc); +bool lmdb_file_needs_rotation(const char *file, int *usage); + size_t diagnose_files( const Seq *filenames, Seq **corrupt, bool foreground, bool validate, bool test_write); int diagnose_main(int argc, const char *const *argv); diff --git a/cf-check/repair.c b/cf-check/repair.c index d2ad3409d6..77e3f95aeb 100644 --- a/cf-check/repair.c +++ b/cf-check/repair.c @@ -80,7 +80,7 @@ int remove_files(Seq *files) return failures; } -static bool record_repair_timestamp(int fd_tstamp) +static bool record_timestamp(int fd_tstamp) { time_t this_timestamp = time(NULL); lseek(fd_tstamp, 0, SEEK_SET); @@ -158,7 +158,7 @@ int repair_lmdb_file(const char *file, int fd_tstamp) } else { - if (!record_repair_timestamp(fd_tstamp)) + if (!record_timestamp(fd_tstamp)) { Log(LOG_LEVEL_ERR, "Failed to write the timestamp of repair of the '%s' file", file); @@ -178,7 +178,7 @@ int repair_lmdb_file(const char *file, int fd_tstamp) } else { - if (!record_repair_timestamp(fd_tstamp)) + if (!record_timestamp(fd_tstamp)) { Log(LOG_LEVEL_ERR, "Failed to write the timestamp of repair of the '%s' file", file); @@ -200,7 +200,7 @@ int repair_lmdb_file(const char *file, int fd_tstamp) ret = -1; goto cleanup; } - if (!record_repair_timestamp(fd_tstamp)) + if (!record_timestamp(fd_tstamp)) { Log(LOG_LEVEL_ERR, "Failed to write the timestamp of repair of the '%s' file", file); @@ -217,6 +217,70 @@ int repair_lmdb_file(const char *file, int fd_tstamp) return ret; } +/** + * @param file LMDB file to rotate + * @param fd_tstamp An open FD to the repair timestamp file or -1 + * + * @note If #fd_tstamp != -1 then it is expected to be open and with file locks + * taken care of. If #fd_tstamp == -1, this function opens the rotation + * timestamp file on its own and takes care of the file locks. + */ +int rotate_lmdb_file(const char *file, int fd_tstamp) +{ + int ret; + FileLock lock = EMPTY_FILE_LOCK; + if (fd_tstamp == -1) + { + char *tstamp_file = StringFormat("%s.rotated", file); + int lock_ret = ExclusiveFileLockPath(&lock, tstamp_file, true); /* wait=true */ + free(tstamp_file); + if (lock_ret < 0) + { + /* Should never happen because we tried to wait for the lock. */ + Log(LOG_LEVEL_ERR, + "Failed to acquire lock for the '%s' DB repair timestamp file", + file); + ret = -1; + goto cleanup; + } + fd_tstamp = lock.fd; + } + + time_t now = time(NULL); + { + char *rotated_file = StringFormat("%s.rotated_%jd", file, (intmax_t) now); + ret = rename(file, rotated_file); + free(rotated_file); + } + if (ret != 0) + { + Log(LOG_LEVEL_ERR, + "Failed to rotate the '%s' DB file (%s), will be removed instead", + file, GetErrorStr()); + ret = unlink(file); + if (ret != 0) + { + Log(LOG_LEVEL_ERR, "Failed to remove the '%s' DB file: %s", + file, GetErrorStr()); + } + } + if (ret == 0) + { + if (!record_timestamp(fd_tstamp)) + { + Log(LOG_LEVEL_ERR, "Failed to write the timestamp of rotation of the '%s' DB file", + file); + } + } + + cleanup: + if (lock.fd != -1) + { + ExclusiveFileUnlock(&lock, true); /* close=true */ + } + return ret; +} + int repair_lmdb_files(Seq *files, bool force) { assert(files != NULL); @@ -256,6 +320,14 @@ int repair_lmdb_files(Seq *files, bool force) { ret++; } + int usage; + if (lmdb_file_needs_rotation(file, &usage)) + { + if (rotate_lmdb_file(file, -1) != -1) + { + Log(LOG_LEVEL_INFO, "Rotated '%s' DB with %d%% usage", file, usage); + } + } } if (!force) diff --git a/cf-check/repair.h b/cf-check/repair.h index f911af5d5f..9a1e1423bb 100644 --- a/cf-check/repair.h +++ b/cf-check/repair.h @@ -6,5 +6,6 @@ int repair_main(int argc, const char *const *argv); int repair_lmdb_default(bool force); int repair_lmdb_file(const char *file, int fd_tstamp); +int rotate_lmdb_file(const char *file, int fd_tstamp); #endif diff --git a/libpromises/dbm_lmdb.c b/libpromises/dbm_lmdb.c index 39031318b1..fc3ab8a0a3 100644 --- a/libpromises/dbm_lmdb.c +++ b/libpromises/dbm_lmdb.c @@ -197,6 +197,7 @@ const char *DBPrivGetFileExtension(void) return "lmdb"; } +/* NOTE: Must be in sync with LMDB_MAXSIZE in cf-check/diagnose.c. */ #ifndef LMDB_MAXSIZE #define LMDB_MAXSIZE 104857600 #endif From c59f66072c68a1f2dccc1601240de159b2f76bdd Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Tue, 14 Nov 2023 15:30:00 +0100 Subject: [PATCH 096/255] Handle MDB_MAP_FULL If an LMDB database is full, we get a special error from LMDB when trying to use the DB giving us an option to handle the situation. We could try to prune/purge the DB, but there's no general rule for which data to preserve so we just move the file aside with a `.rotated.$timestamp` extension. Continuing (restarting, really) with a new empty LMDB file is better than getting stuck. So it's a last-resort solution, but our LMDB files should never get full. Ticket: ENT-8201 Changelog: Full LMDB files are now handled gracefully by moving them aside and using new empty LMDB files (cherry picked from commit bddc4e009639cc9762997879fc578afa3b87195c) --- libpromises/dbm_lmdb.c | 294 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 275 insertions(+), 19 deletions(-) diff --git a/libpromises/dbm_lmdb.c b/libpromises/dbm_lmdb.c index fc3ab8a0a3..bd3a07aecc 100644 --- a/libpromises/dbm_lmdb.c +++ b/libpromises/dbm_lmdb.c @@ -79,13 +79,18 @@ static int DB_MAX_READERS = -1; /******************************************************************************/ static void HandleLMDBCorruption(MDB_env *env, const char *msg); +static void HandleFullLMDB(MDB_env *env); -static inline void CheckLMDBCorrupted(int rc, MDB_env *env) +static inline void CheckLMDBUsable(int rc, MDB_env *env) { if (rc == MDB_CORRUPTED) { HandleLMDBCorruption(env, ""); } + else if (rc == MDB_MAP_FULL) + { + HandleFullLMDB(env); + } } static int GetReadTransaction(DBPriv *const db, DBTxn **const txn) @@ -134,7 +139,7 @@ static int GetWriteTransaction(DBPriv *const db, DBTxn **const txn) if (db_txn->txn != NULL && !db_txn->rw_txn) { rc = mdb_txn_commit(db_txn->txn); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != MDB_SUCCESS) { Log(LOG_LEVEL_ERR, "Unable to close read-only transaction in '%s': %s", @@ -146,7 +151,7 @@ static int GetWriteTransaction(DBPriv *const db, DBTxn **const txn) if (db_txn->txn == NULL) { rc = mdb_txn_begin(db->env, NULL, 0, &db_txn->txn); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc == MDB_SUCCESS) { db_txn->rw_txn = true; @@ -281,6 +286,43 @@ static bool RepairedAfterOpen(const char *lmdb_file, int fd_tstamp) return false; } +/** + * @warning Expects @fd_stamp to be locked. + */ +static bool RotatedAfterOpen(const char *lmdb_file, int fd_tstamp) +{ + time_t rotated_tstamp = -1; + ssize_t n_read = read(fd_tstamp, &rotated_tstamp, sizeof(time_t)); + lseek(fd_tstamp, 0, SEEK_SET); + + if (n_read < 0) + { + Log(LOG_LEVEL_ERR, "Failed to read %s: %s", lmdb_file, GetErrorStr()); + } + else if (n_read == 0) + { + /* EOF (empty file) => never rotated */ + Log(LOG_LEVEL_VERBOSE, "DB '%s' never rotated before", lmdb_file); + } + else if ((size_t) n_read < sizeof(time_t)) + { + /* error */ + Log(LOG_LEVEL_ERR, "Failed to read the timestamp of rotation of the '%s' DB", + lmdb_file); + } + else + { + /* read the timestamp => Check if the LMDB file was rotated after + * we opened it last time. */ + DBHandle *handle = GetDBHandleFromFilename(lmdb_file); + if (rotated_tstamp > GetDBOpenTimestamp(handle)) + { + return true; + } + } + return false; +} + static void HandleLMDBCorruption(MDB_env *env, const char *msg) { const char *lmdb_file = mdb_env_get_userctx(env); @@ -491,6 +533,220 @@ static void HandleLMDBCorruption(MDB_env *env, const char *msg) #endif /* __MINGW32__ */ } +/** + * A modified clone of HandleLMDBCorruption() for handling full LMDBs. It's not + * easy and nice to share much code between the two functions, unfortunately. + */ +static void HandleFullLMDB(MDB_env *env) +{ + const char *lmdb_file = mdb_env_get_userctx(env); + Log(LOG_LEVEL_CRIT, "'%s' DB full!", lmdb_file); + + /* Freeze the DB ASAP. This also makes the call to exit() safe regarding + * this particular DB because exit handlers will ignore it. */ + DBHandle *handle = GetDBHandleFromFilename(lmdb_file); + FreezeDB(handle); + +#ifdef _WIN32 + /* Not much we can do on Windows because there is no fork() and file locking + * is also not so nice. */ + Log(LOG_LEVEL_WARNING, "Moving the full DB file '%s' aside", + lmdb_file); + time_t now = time(NULL); + char *rotated_file = StringFormat("%s.rotated.%jd", lmdb_file, (intmax_t) now); + if (rename(lmdb_file, rotated_file) != 0) + { + free(rotated_file); + Log(LOG_LEVEL_CRIT, + "Failed to move the full DB file '%s' aside (%s), will be removed instead", + lmdb_file, GetErrorStr()); + if (unlink(lmdb_file) != 0) + { + Log(LOG_LEVEL_CRIT, "Failed to remove the full DB file '%s': %s", + lmdb_file, GetErrorStr()); + } + exit(EC_CORRUPTION_REPAIR_FAILED); + } + free(rotated_file); + exit(EC_CORRUPTION_REPAIRED); +#else + /* To avoid two processes acting on the same corrupted file at once, file + * locks are involved. Looking at OpenDBInstance() and DBPathLock() + * in libpromises/db_api.c might also be useful.*/ + + /* Only allow one thread at a time to handle a full or corrupted DB. File + * locks are *process* specific so threads could step on each others + * toes. */ + ThreadLock(cft_db_corruption_lock); + + char *tstamp_file = StringFormat("%s.rotated", lmdb_file); + char *db_lock_file = StringFormat("%s.lock", lmdb_file); + + int fd_tstamp = safe_open(tstamp_file, O_CREAT|O_RDWR); + if (fd_tstamp == -1) + { + Log(LOG_LEVEL_CRIT, "Failed to open the '%s' DB rotation timestamp file", + lmdb_file); + ThreadUnlock(cft_db_corruption_lock); + free(db_lock_file); + free(tstamp_file); + + exit(EC_CORRUPTION_REPAIR_FAILED); + } + FileLock tstamp_lock = { .fd = fd_tstamp }; + + int fd_db_lock = safe_open(db_lock_file, O_CREAT|O_RDWR); + if (fd_db_lock == -1) + { + Log(LOG_LEVEL_CRIT, "Failed to open the '%s' DB lock file", + lmdb_file); + ThreadUnlock(cft_db_corruption_lock); + close(fd_tstamp); + free(db_lock_file); + free(tstamp_file); + + exit(EC_CORRUPTION_REPAIR_FAILED); + } + FileLock db_lock = { .fd = fd_db_lock }; + + int ret; + bool handle_rotation = true; + + /* Make sure we are not holding the DB's lock (potentially needed by some + * other process for the repair or rotation) to avoid deadlocks. */ + Log(LOG_LEVEL_DEBUG, "Releasing lock on the '%s' DB", lmdb_file); + ExclusiveFileUnlock(&db_lock, false); /* close=false */ + + ret = SharedFileLock(&tstamp_lock, true); + if (ret == 0) + { + if (RotatedAfterOpen(lmdb_file, fd_tstamp)) + { + /* The corruption has already been handled. This process should just + * die because we have no way to return to the point where it would + * just open the new (repaired or rotated) LMDB file. */ + handle_rotation = false; + } + SharedFileUnlock(&tstamp_lock, false); + } + else + { + /* should never happen (we tried to wait), but if it does, just log an + * error and keep going */ + Log(LOG_LEVEL_ERR, + "Failed to get shared lock for the rotation timestamp of the '%s' DB", + lmdb_file); + } + + if (!handle_rotation) + { + /* Just clean after ourselves and terminate the process. */ + ThreadUnlock(cft_db_corruption_lock); + close(fd_db_lock); + close(fd_tstamp); + free(db_lock_file); + free(tstamp_file); + + exit(EC_CORRUPTION_REPAIRED); + } + + /* HERE is a window for some other process to do the rotation between when we + * checked the timestamp using the shared lock above and the attempt to get + * the exclusive lock right below. However, this is detected by checking the + * contents of the timestamp file again below, while holding the EXCLUSIVE + * lock. */ + + ret = ExclusiveFileLock(&tstamp_lock, true); + if (ret != 0) + { + /* should never happen (we tried to wait), but if it does, just + * terminate because doing the rotation without the lock could be + * disasterous */ + Log(LOG_LEVEL_ERR, + "Failed to get shared lock for the rotation timestamp of the '%s' DB", + lmdb_file); + + ThreadUnlock(cft_db_corruption_lock); + close(fd_db_lock); + close(fd_tstamp); + free(db_lock_file); + free(tstamp_file); + + exit(EC_CORRUPTION_REPAIR_FAILED); + } + + /* Cleared to resolve the corruption. */ + + /* 1. Acquire the lock for the DB to prevent more processes trying to use + * it while it is corrupted (wait till the lock is available). */ + while (ExclusiveFileLock(&db_lock, false) == -1) + { + /* busy wait to do the logging */ + Log(LOG_LEVEL_INFO, "Waiting for the lock on the '%s' DB", + lmdb_file); + sleep(1); + } + + /* 2. Check the last rotation timestamp again (see the big "HERE..." comment + * above) */ + if (RotatedAfterOpen(lmdb_file, fd_tstamp)) + { + /* Some other process rotated the DB since we checked last time, + * nothing more to do here. */ + ThreadUnlock(cft_db_corruption_lock); + close(fd_db_lock); /* releases locks */ + close(fd_tstamp); /* releases locks */ + free(db_lock_file); + free(tstamp_file); + + exit(EC_CORRUPTION_REPAIRED); + } + + /* 3. Rotate the DB or at least move it out of the way. */ + ret = rotate_lmdb_file(lmdb_file, fd_tstamp); + bool rotation_successful = (ret == 0); + if (rotation_successful) + { + Log(LOG_LEVEL_NOTICE, "DB '%s' successfully rotated", lmdb_file); + } + else + { + Log(LOG_LEVEL_CRIT, "Failed to rotate '%s' DB", lmdb_file); + } + + /* 4. Make the rotated DB available for others. Also release the locks + * in the opposite order in which they were acquired to avoid + * deadlocks. */ + if (ExclusiveFileUnlock(&db_lock, true) != 0) + { + Log(LOG_LEVEL_ERR, "Failed to release the acquired lock for '%s'", + db_lock_file); + } + + /* 5. Signal that the rotation is done (also closes fd_tstamp). */ + if (ExclusiveFileUnlock(&tstamp_lock, true) != 0) + { + Log(LOG_LEVEL_ERR, "Failed to release the acquired lock for '%s'", + tstamp_file); + } + + ThreadUnlock(cft_db_corruption_lock); + free(db_lock_file); + free(tstamp_file); + /* fd_db_lock and fd_tstamp are already closed by the calls to + * ExclusiveFileUnlock above. */ + + if (rotation_successful) + { + exit(EC_CORRUPTION_REPAIRED); + } + else + { + exit(EC_CORRUPTION_REPAIR_FAILED); + } +#endif /* _WIN32 */ +} + DBPriv *DBPrivOpenDB(const char *const dbpath, const dbid id) { DBPriv *const db = xcalloc(1, sizeof(DBPriv)); @@ -604,7 +860,7 @@ DBPriv *DBPrivOpenDB(const char *const dbpath, const dbid id) int attempts = N_LMDB_EINVAL_RETRIES; while ((rc != 0) && (attempts-- > 0)) { - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != EINVAL) { Log(LOG_LEVEL_ERR, "Could not open database txn %s: %s", @@ -625,7 +881,7 @@ DBPriv *DBPrivOpenDB(const char *const dbpath, const dbid id) goto err; } rc = mdb_open(txn, NULL, 0, &db->dbi); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc) { Log(LOG_LEVEL_ERR, "Could not open database dbi %s: %s", @@ -634,7 +890,7 @@ DBPriv *DBPrivOpenDB(const char *const dbpath, const dbid id) goto err; } rc = mdb_txn_commit(txn); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc) { Log(LOG_LEVEL_ERR, "Could not commit database dbi %s: %s", @@ -722,7 +978,7 @@ void DBPrivCommit(DBPriv *db) { assert(!db_txn->cursor_open); const int rc = mdb_txn_commit(db_txn->txn); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != MDB_SUCCESS) { Log(LOG_LEVEL_ERR, "Could not commit database transaction to '%s': %s", @@ -748,7 +1004,7 @@ bool DBPrivHasKey(DBPriv *db, const void *key, int key_size) mkey.mv_data = (void *) key; mkey.mv_size = key_size; rc = mdb_get(txn->txn, db->dbi, &mkey, &data); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != 0 && rc != MDB_NOTFOUND) { Log(LOG_LEVEL_ERR, "Could not read database entry from '%s': %s", @@ -777,7 +1033,7 @@ int DBPrivGetValueSize(DBPriv *const db, const void *const key, const int key_si mkey.mv_data = (void *) key; mkey.mv_size = key_size; rc = mdb_get(txn->txn, db->dbi, &mkey, &data); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc && rc != MDB_NOTFOUND) { Log(LOG_LEVEL_ERR, "Could not read database entry from '%s': %s", @@ -813,7 +1069,7 @@ bool DBPrivRead( mkey.mv_data = (void *) key; mkey.mv_size = key_size; rc = mdb_get(txn->txn, db->dbi, &mkey, &data); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc == MDB_SUCCESS) { if (dest_size > data.mv_size) @@ -855,7 +1111,7 @@ bool DBPrivWrite( data.mv_data = (void *)value; data.mv_size = value_size; rc = mdb_put(txn->txn, db->dbi, &mkey, &data, 0); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != MDB_SUCCESS) { Log(LOG_LEVEL_ERR, "Could not write database entry to '%s': %s", @@ -886,7 +1142,7 @@ bool DBPrivOverwrite(DBPriv *db, const char *key, int key_size, const void *valu mkey.mv_data = (void *) key; mkey.mv_size = key_size; rc = mdb_get(txn->txn, db->dbi, &mkey, &orig_data); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if ((rc != MDB_SUCCESS) && (rc != MDB_NOTFOUND)) { Log(LOG_LEVEL_ERR, "Could not read database entry from '%s': %s", @@ -927,7 +1183,7 @@ bool DBPrivOverwrite(DBPriv *db, const char *key, int key_size, const void *valu new_data.mv_data = (void *)value; new_data.mv_size = value_size; rc = mdb_put(txn->txn, db->dbi, &mkey, &new_data, 0); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != MDB_SUCCESS) { Log(LOG_LEVEL_ERR, "Could not write database entry to '%s': %s", @@ -953,7 +1209,7 @@ bool DBPrivDelete(DBPriv *const db, const void *const key, const int key_size) mkey.mv_data = (void *) key; mkey.mv_size = key_size; rc = mdb_del(txn->txn, db->dbi, &mkey, NULL); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc == MDB_NOTFOUND) { Log(LOG_LEVEL_DEBUG, "Entry not found in '%s': %s", @@ -982,7 +1238,7 @@ DBCursorPriv *DBPrivOpenCursor(DBPriv *const db) { assert(!txn->cursor_open); rc = mdb_cursor_open(txn->txn, db->dbi, &mc); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc == MDB_SUCCESS) { cursor = xcalloc(1, sizeof(DBCursorPriv)); @@ -1022,7 +1278,7 @@ bool DBPrivAdvanceCursor( } int rc = mdb_cursor_get(cursor->mc, &mkey, &data, MDB_NEXT); - CheckLMDBCorrupted(rc, cursor->db->env); + CheckLMDBUsable(rc, cursor->db->env); if (rc == MDB_SUCCESS) { // Align second buffer to 64-bit boundary, to avoid alignment errors on @@ -1061,7 +1317,7 @@ bool DBPrivAdvanceCursor( { mkey.mv_data = *key; rc = mdb_cursor_get(cursor->mc, &mkey, NULL, MDB_SET); - CheckLMDBCorrupted(rc, cursor->db->env); + CheckLMDBUsable(rc, cursor->db->env); // TODO: Should the return value be checked? } cursor->pending_delete = false; @@ -1074,7 +1330,7 @@ bool DBPrivDeleteCursorEntry(DBCursorPriv *const cursor) assert(cursor != NULL); int rc = mdb_cursor_get(cursor->mc, &cursor->delkey, NULL, MDB_GET_CURRENT); - CheckLMDBCorrupted(rc, cursor->db->env); + CheckLMDBUsable(rc, cursor->db->env); if (rc == MDB_SUCCESS) { cursor->pending_delete = true; @@ -1102,7 +1358,7 @@ bool DBPrivWriteCursorEntry( curkey.mv_size = sizeof(cursor->curkv); rc = mdb_cursor_put(cursor->mc, &curkey, &data, MDB_CURRENT); - CheckLMDBCorrupted(rc, cursor->db->env); + CheckLMDBUsable(rc, cursor->db->env); if (rc != MDB_SUCCESS) { Log(LOG_LEVEL_ERR, "Could not write cursor entry to '%s': %s", From ef6cd834afc7de60f9aeb3414a645ce445099029 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Wed, 15 Nov 2023 14:07:33 +0100 Subject: [PATCH 097/255] Add --test-write to cf-check repair `cf-check diagnose` supports the `--test-write` option to check if we can write into the given files. `cf-check repair` uses the same code to identify files that need repairing so it should provide the same option. Ticket: CFE-3375 Changelog: `cf-check repair` now supports the `--test-write` option to check if DBs can be written to as part of identifying DBs that need repairing (cherry picked from commit 5ed5585f61ac35a5a2fd4cbb89c06c542e292d70) --- cf-check/repair.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/cf-check/repair.c b/cf-check/repair.c index 77e3f95aeb..bf2c784c16 100644 --- a/cf-check/repair.c +++ b/cf-check/repair.c @@ -38,7 +38,9 @@ static void print_usage(void) { printf("Usage: cf-check repair [-f] [FILE ...]\n"); printf("Example: cf-check repair /var/cfengine/state/cf_lastseen.lmdb\n"); - printf("Options: -f|--force repair LMDB files that look OK "); + printf("Options:\n" + "-f|--force repair LMDB files that look OK\n" + "-w|--test-write test writing when checking files\n"); } int remove_files(Seq *files) @@ -281,7 +283,7 @@ int rotate_lmdb_file(const char *file, int fd_tstamp) return ret; } -int repair_lmdb_files(Seq *files, bool force) +static int repair_lmdb_files(Seq *files, bool force, bool test_write) { assert(files != NULL); assert(SeqLength(files) > 0); @@ -293,7 +295,7 @@ int repair_lmdb_files(Seq *files, bool force) } else { - const int corruptions = diagnose_files(files, &corrupt, false, false, false); + const int corruptions = diagnose_files(files, &corrupt, false, false, test_write); if (corruptions != 0) { assert(corrupt != NULL); @@ -350,15 +352,19 @@ int repair_lmdb_files(Seq *files, bool force) int repair_main(int argc, const char *const *const argv) { - size_t offset = 1; bool force = false; - if (argc > 1 && argv[1] != NULL && argv[1][0] == '-') + bool test_write = false; + int i = 1; + for (; (i < argc) && (argv[i] != NULL) && (argv[i][0] == '-'); i++) { - if (StringMatchesOption(argv[1], "--force", "-f")) + if (StringMatchesOption(argv[i], "--force", "-f")) { - offset++; force = true; } + else if (StringMatchesOption(argv[i], "--test-write", "-w")) + { + test_write = true; + } else { print_usage(); @@ -366,13 +372,18 @@ int repair_main(int argc, const char *const *const argv) return 1; } } + if (force && test_write) + { + Log(LOG_LEVEL_WARNING, "Ignoring --test-write due to --force skipping DB checks"); + } + size_t offset = i; Seq *files = argv_to_lmdb_files(argc, argv, offset); if (files == NULL || SeqLength(files) == 0) { Log(LOG_LEVEL_ERR, "No database files to repair"); return 1; } - const int ret = repair_lmdb_files(files, force); + const int ret = repair_lmdb_files(files, force, test_write); SeqDestroy(files); return ret; } @@ -397,7 +408,7 @@ int repair_lmdb_default(bool force) Log(LOG_LEVEL_INFO, "Skipping local database repair, no lmdb files"); return 0; } - const int ret = repair_lmdb_files(files, force); + const int ret = repair_lmdb_files(files, force, false); SeqDestroy(files); if (ret != 0) From 81953b4440d3d14f7fd75be4317a4e167eb39c05 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Wed, 15 Nov 2023 14:19:39 +0100 Subject: [PATCH 098/255] Show DB usage as part of DB status in cf-check diagnose Plus the information if we think the DB needs rotation or not. Almost full LMDBs are problematic and should be moved out of the way. Ticket: none Changelog: `cf-check diagnose` now shows DB usage and a hint if rotation is required (cherry picked from commit 6141736b27e882690dbbde45ad0833ddf60435bf) --- cf-check/diagnose.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/cf-check/diagnose.c b/cf-check/diagnose.c index a7c621b746..c04444adb2 100644 --- a/cf-check/diagnose.c +++ b/cf-check/diagnose.c @@ -614,18 +614,26 @@ size_t diagnose_files( if (symlink_target != NULL) { + int usage; + bool needs_rotation = lmdb_file_needs_rotation(symlink_target, &usage); Log(LOG_LEVEL_INFO, - "Status of '%s' -> '%s': %s\n", + "Status of '%s' -> '%s': %s [%d%% usage%s]\n", symlink, symlink_target, - CF_CHECK_STRING(r)); + CF_CHECK_STRING(r), + usage, + needs_rotation ? ", needs rotation" : ""); } else { + int usage; + bool needs_rotation = lmdb_file_needs_rotation(filename, &usage); Log(LOG_LEVEL_INFO, - "Status of '%s': %s\n", + "Status of '%s': %s [%d%% usage%s]\n", filename, - CF_CHECK_STRING(r)); + CF_CHECK_STRING(r), + usage, + needs_rotation ? ", needs rotation" : ""); } From 05a713c55dbc6a7d573b5531111fb859659e10e7 Mon Sep 17 00:00:00 2001 From: Alexis Mousset Date: Mon, 18 Sep 2023 21:41:28 +0200 Subject: [PATCH 099/255] Fallback to /usr/bin/getent when /bin/getent doesn't exist Ticket: CFE-4256 Changelog: /usr/bin/getent is now attempted to be used if /bin/getent doesn't exist (cherry picked from commit 08ae1d1be363bdda5629de6c719b423b2fdad8b0) --- libpromises/unix.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libpromises/unix.c b/libpromises/unix.c index 9985291854..5b56a98d60 100644 --- a/libpromises/unix.c +++ b/libpromises/unix.c @@ -246,8 +246,19 @@ static bool GetUserGroupInfoFromGetent(const char *type, const char *query, char *name, size_t name_size, uintmax_t *id, LogLevel error_log_level) { + struct stat sb; + char* getent_bin; + if (stat("/bin/getent", &sb) == 0) + { + getent_bin = "/bin/getent"; + } + else + { + getent_bin = "/usr/bin/getent"; + } + char buf[CF_BUFSIZE]; - NDEBUG_UNUSED int print_ret = snprintf(buf, sizeof(buf), "/bin/getent %s %s", type, query); + NDEBUG_UNUSED int print_ret = snprintf(buf, sizeof(buf), "%s %s %s", getent_bin, type, query); assert(print_ret < sizeof(buf)); FILE *out = cf_popen(buf, "r", OUTPUT_SELECT_STDOUT); From 7577715b8b527f4c37476fa74e7d919643887462 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 12 Dec 2023 11:17:34 -0600 Subject: [PATCH 100/255] Adjusted static-check/run.sh to expose errors in create_image() Was trying to run on debian-11 which had dns issues and couldn't see the error easily. Ticket: CFE-4295 Changelog: none (cherry picked from commit c54801546100be7dc160aaf417f4f80206ed2a53) --- tests/static-check/run.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/static-check/run.sh b/tests/static-check/run.sh index 168dc77d06..1a8d92cda8 100755 --- a/tests/static-check/run.sh +++ b/tests/static-check/run.sh @@ -1,6 +1,8 @@ #!/bin/bash +# Note that this container build requires about 700MB minimum RAM for dnf to operate +# use debian-12+ or rhel-8+, debian-11 buildah seems to fail setting up networking/dns for the container so dnf doesn't work (CFE-4295) -set -e +set -eE # include E so that create_image() failures bubble up to the surface trap "echo FAILURE" ERR if [ -z "$STATIC_CHECKS_FEDORA_VERSION" ]; then From d88392d1330e4cc2253d6559198231d3bfd8c012 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 9 Oct 2023 10:28:51 -0500 Subject: [PATCH 101/255] Updated source install instructions for RedHat/CentOS/Debian rhel needs fakeroot for make check debian seems to include fakeroot in existing deps in INSTALL file both need libxml2 development package to pass make check Ticket: none Changelog: none (cherry picked from commit 3c6b07059ef97efc3a42098f214a0c1f3f7fab67) --- INSTALL | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/INSTALL b/INSTALL index 80437b6a20..05f950d6c2 100644 --- a/INSTALL +++ b/INSTALL @@ -112,17 +112,20 @@ Here we have examples of command lines for various systems to install dependenci needed to build. The version and date checked are noted in parenthesis. Please submit PRs with updates to this information. -* RedHat/CentOS (rhel-8/rhel-9/centos-7 2022-11-15) +* RedHat/CentOS (rhel-9 2023-10-09) -Note that first you will need to install epel-release (https://fedoraproject.org/wiki/EPEL) for lmdb-devel to be available. +On CentOS: +$ sudo yum install epel-release && sudo yum update +Or on RHEL, replacing the version number with yours: +$ sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms && sudo yum update -$ sudo yum install -y gcc gdb make git libtool autoconf automake byacc flex openssl-devel pcre-devel lmdb-devel pam-devel flex-devel libyaml-devel +$ sudo yum install -y gcc gdb make git libtool autoconf automake byacc flex openssl-devel pcre-devel lmdb-devel pam-devel flex-devel libyaml-devel fakeroot libxml2-devel For SELinux support you will need selinux-policy-devel package and specify `--with-selinux-policy` to `autogen.sh` or `configure` -* Debian (Raspbian 10 2021-07-02) +* Debian (Debian 12 2023-10-09) -$ sudo apt-get install -y build-essential git libtool autoconf automake bison flex libssl-dev libpcre3-dev libbison-dev libacl1 libacl1-dev lmdb-utils liblmdb-dev libpam0g-dev libtool libyaml-dev +$ sudo apt-get install -y build-essential git libtool autoconf automake bison flex libssl-dev libpcre3-dev libbison-dev libacl1 libacl1-dev lmdb-utils liblmdb-dev libpam0g-dev libtool libyaml-dev libxml2-dev * FreeBSD (12.1 2020-04-07) From 1dddd40afc91343d00a5ac3b832565e0c9ee040e Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 22 Dec 2023 08:10:12 -0600 Subject: [PATCH 102/255] Fixed cf-support call to cf-promises to collect all classes and vars Had a --no-lock argument which is not supported so nothing was collected. Ticket: CFE-4300 Changelog: title (cherry picked from commit bc8a0de71e63a26fb689dab4f0011935e9c3def9) --- misc/cf-support | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/cf-support b/misc/cf-support index e9de4ca054..0da37ec2e3 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -342,7 +342,7 @@ log_cmd "$BINDIR/cf-key -p $WORKDIR/ppkeys/localhost.pub" log_cmd "grep 'version =' $WORKDIR/inputs/promises.cf" log_cmd "$BINDIR/cf-key -s -n" log_cmd "$BINDIR/cf-check diagnose" -$BINDIR/cf-promises --no-lock --show-classes --show-vars > "$tmpdir/classes-and-vars.txt" 2>&1 +$BINDIR/cf-promises --show-classes --show-vars > "$tmpdir/classes-and-vars.txt" 2>&1 $BINDIR/cf-agent --no-lock --file update.cf --show-evaluated-classes --show-evaluated-vars > "$tmpdir/update-evaluated-classes-and-vars.txt" 2>&1 $BINDIR/cf-agent --no-lock --file promises.cf --show-evaluated-classes --show-evaluated-vars > "$tmpdir/promises-evaluated-classes-and-vars.txt" 2>&1 From 8de1e7c496e5643955d7aeae1163af3166b37380 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 22 Dec 2023 13:21:33 +0100 Subject: [PATCH 103/255] Added changelog for 3.21.4 Ticket: ENT-11083 Changelog: None Signed-off-by: Lars Erik Wik --- ChangeLog | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/ChangeLog b/ChangeLog index d725114cd1..821a5c96aa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,33 @@ +3.21.4: + - 'cf-check diagnose' now shows DB usage and a hint if rotation is required + - 'cf-check repair' now rotates DB files with high usage (>95%) (CFE-3374) + - 'cf-check repair' now supports the '--test-write' option to check if DBs can + be written to as part of identifying DBs that need repairing (CFE-3375) + - /usr/bin/getent is now attempted to be used if /bin/getent doesn't exist + (CFE-4256) + - CFEngine locks are now purged dynamically based on the local locks DB + usage/size ranging from no purging (<=25% usage) to purging of locks older + than 1 week (>75% usage) (CFE-2136, ENT-5898, ENT-8201) + - Fixed infinite loop on error bug while reading interface exception file + - Fixed inventoried policy release id when masterfiles-stage.sh deploys with + cfbs (ENT-10832) + - Full LMDB files are now handled gracefully by moving them aside and using + new empty LMDB files (ENT-8201) + - Improved locale override in masterfiles stage scripts (ENT-10753) + - Moved ignore_interfaces.rx to $(sys.workdir) Moved expected location of + ignore_interfaces.rx from $(sys.inputdir) to $(sys.workdir). If the file is + found in $(sys.inputdir) but not in $(sys.workdir), we will still process it + for backwards compatibility, but issue a warning prompting the user to move + it to the appropriate location. (ENT-9402) + - Only CFEngine processes are now killed as expired lock owners (CFE-3982) + - SELinux no longer blocks CFEngine deamons in reading security parameters + from /proc/sys/kernel (ENT-9684) + - cf-hub is now allowed to use the TLS kernel module on SELinux-enabled + systems (ENT-9727) + - cf_lock.lmdb is no longer restored from backup on every boot (CFE-3982) + - Fixed cf-support call to cf-promises to collect all classes and vars + (CFE-4300) + 3.21.3: - Fixed and improved postgresql server state handling in package installer scriptlets (ENT-10647) From 25906298439303c1623b0fbc4b92ceaf2e146e83 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 7 Nov 2023 18:04:43 +0100 Subject: [PATCH 104/255] Skip failing tests on Debian 12 We should to investigate this, but first we should to get Debian 12 into the next release. See ticket ENT-9055. Ticket: ENT-10347 Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit ab3d4ed32ad6605c4b42bb7756201c307d4a98e9) --- .../16_cf-serverd/serial/simple_copy_from_admit_localhost.cf | 2 +- .../16_cf-serverd/serial/simple_copy_from_deny_localhost.cf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/acceptance/16_cf-serverd/serial/simple_copy_from_admit_localhost.cf b/tests/acceptance/16_cf-serverd/serial/simple_copy_from_admit_localhost.cf index 19ab47de62..9dcb42bba0 100644 --- a/tests/acceptance/16_cf-serverd/serial/simple_copy_from_admit_localhost.cf +++ b/tests/acceptance/16_cf-serverd/serial/simple_copy_from_admit_localhost.cf @@ -17,7 +17,7 @@ bundle agent test # 'admit => { "localhost" };' and 'admit_hostnames => { "localhost" };' # are not enough to allow access for this test. # Test fails on SLES / OpenSUSE 15, pending investigation. - "test_skip_unsupported" string => "(ubuntu_20|ubuntu_22|sles_15|opensuse_leap_15)", + "test_skip_unsupported" string => "(ubuntu_20|ubuntu_22|debian_12|sles_15|opensuse_leap_15)", meta => { "ENT-2480", "ENT-7362", "ENT-9055" }; methods: diff --git a/tests/acceptance/16_cf-serverd/serial/simple_copy_from_deny_localhost.cf b/tests/acceptance/16_cf-serverd/serial/simple_copy_from_deny_localhost.cf index 89f117256a..6adaeadd97 100644 --- a/tests/acceptance/16_cf-serverd/serial/simple_copy_from_deny_localhost.cf +++ b/tests/acceptance/16_cf-serverd/serial/simple_copy_from_deny_localhost.cf @@ -17,7 +17,7 @@ bundle agent test # 'deny => { "localhost" };' and 'deny_hostnames => { "localhost" };' # are not enough to deny access for this test. # Test fails on SLES / OpenSUSE 15, pending investigation. - "test_skip_unsupported" string => "(ubuntu_20|ubuntu_22|sles_15|opensuse_leap_15)", + "test_skip_unsupported" string => "(ubuntu_20|ubuntu_22|debian_12|sles_15|opensuse_leap_15)", meta => { "ENT-2480", "ENT-7362", "ENT-9055" }; methods: From 4e6f583f29115e599d3f69798290791f6c410f8c Mon Sep 17 00:00:00 2001 From: larsewi Date: Mon, 27 Nov 2023 15:01:52 +0100 Subject: [PATCH 105/255] Fixed changing perms noise in no-noise sequential test Happens on Debian 12: ``` info: Socket "/var/cfengine/state/./cf-execd.sockets/runagent.socket" had permissions 0700, changed it to 0600 info: Directory "/var/cfengine/state/./cf-execd.sockets" had permissions 0750, changed it to 0700 ``` Ticket: ENT-10347 Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 09fdbc4a25c031ed818c00224fdcda8d2c4af77b) --- cf-execd/cf-execd.c | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/cf-execd/cf-execd.c b/cf-execd/cf-execd.c index 1c294ab377..9e8c756b80 100644 --- a/cf-execd/cf-execd.c +++ b/cf-execd/cf-execd.c @@ -621,19 +621,7 @@ static int SetupRunagentSocket(const ExecdConfig *execd_config) if (GetRunagentSocketInfo(&sock_info)) { sock_info.sun_family = AF_LOCAL; - - bool created; - MakeParentDirectory(sock_info.sun_path, true, &created); - - /* Make sure the permissions are correct if the directory was created - * (note: this code doesn't run on Windows). */ - if (created) - { - char *last_slash = strrchr(sock_info.sun_path, '/'); - *last_slash = '\0'; - chmod(sock_info.sun_path, (mode_t) 0750); - *last_slash = '/'; - } + MakeParentDirectoryPerms(sock_info.sun_path, true, NULL, (mode_t) 0700); /* Remove potential left-overs from old processes. */ unlink(sock_info.sun_path); @@ -657,6 +645,7 @@ static int SetupRunagentSocket(const ExecdConfig *execd_config) } else { + safe_chmod(sock_info.sun_path, (mode_t) 0600); ret = listen(runagent_socket, CF_EXECD_RUNAGENT_SOCKET_LISTEN_QUEUE); assert(ret == 0); if (ret == -1) From 6e74a81b246be8369c1ca29f0cbbc61d1e76cee7 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Fri, 5 Jan 2024 13:44:43 +0100 Subject: [PATCH 106/255] Allow httpd to run `ps` and get info about processes Needed for httpd/php to monitor exporting large PDF reports. Ticket: ENT-11154 Changelog: SELinux no longer breaks exporting large reports as PDF (cherry picked from commit 0229b4006c243a6dd0d7c0bdab74a637310a804f) --- ChangeLog | 1 + misc/selinux/cfengine-enterprise.te.all | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 821a5c96aa..4fa59c57ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,7 @@ - cf_lock.lmdb is no longer restored from backup on every boot (CFE-3982) - Fixed cf-support call to cf-promises to collect all classes and vars (CFE-4300) + - SELinux no longer breaks exporting large reports as PDF (ENT-11154) 3.21.3: - Fixed and improved postgresql server state handling in package installer diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index d8d58639c8..123abdcf26 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -658,6 +658,11 @@ allow cfengine_httpd_t system_dbusd_var_run_t:dir search; allow cfengine_httpd_t system_dbusd_var_run_t:sock_file write; allow init_t cfengine_httpd_t:dbus send_msg; +# allow httpd to run 'ps' and thus gather information about all running processes on the system +# this is a macro invocation, the file has to be processed with +# make -f /usr/share/selinux/devel/Makefile +ps_process_pattern(cfengine_httpd_t, domain) + # TODO: these should not be needed allow cfengine_httpd_t passwd_file_t:file { getattr open read }; allow cfengine_httpd_t shell_exec_t:file map; From e71f4521b098dd539eaf0e1fbf7f6a39aa971bf7 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Fri, 5 Jan 2024 14:30:11 +0100 Subject: [PATCH 107/255] More SELinux policy changes for httpd/php to run ps It needs to be able to actually execute `/bin/ps` (and `/bin/bash`, but that's already allowed) and read `/proc`. Ticket: ENT-11154 Changelog: None (cherry picked from commit d34bdf5a52a309354a7d28274637653706ae4823) --- misc/selinux/cfengine-enterprise.te.all | 3 +++ 1 file changed, 3 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 123abdcf26..d1d6e48015 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -662,6 +662,9 @@ allow init_t cfengine_httpd_t:dbus send_msg; # this is a macro invocation, the file has to be processed with # make -f /usr/share/selinux/devel/Makefile ps_process_pattern(cfengine_httpd_t, domain) +allow cfengine_httpd_t bin_t:file { map execute execute_no_trans }; +allow cfengine_httpd_t proc_t:dir read; +allow cfengine_httpd_t proc_t:file { open read }; # TODO: these should not be needed allow cfengine_httpd_t passwd_file_t:file { getattr open read }; From 671eb712433ad8090cbb627f04defea65046a5e6 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 4 Jan 2024 09:59:15 -0600 Subject: [PATCH 108/255] Removed cifuzz job as we cannot update the external details Vrata made a PR to fix this but was unwilling to sign the Contributor License Agreement. https://github.com/google/oss-fuzz/pull/11357 Craig was willing but got only server errors when trying to sign the CLA. So removing this job. Ticket: CFE-4296 Changelog: none (cherry picked from commit d974aa6053d2dc9fbcb134572dcc6cb59f13b339) --- .github/workflows/ci.yml | 3 --- .github/workflows/cifuzz.yml | 25 ------------------------- 2 files changed, 28 deletions(-) delete mode 100644 .github/workflows/cifuzz.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 138163171d..d2cb1db528 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,9 +20,6 @@ jobs: macos_unit_tests: needs: unit_tests uses: ./.github/workflows/macos_unit_tests.yml - cifuzz_tests: - needs: unit_tests - uses: ./.github/workflows/cifuzz.yml valgrind_tests: needs: unit_tests uses: ./.github/workflows/valgrind.yml diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml deleted file mode 100644 index 05d8f63f46..0000000000 --- a/.github/workflows/cifuzz.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: CIFuzz -on: - workflow_call -jobs: - Fuzzing: - runs-on: ubuntu-latest - steps: - - name: Build Fuzzers - id: build - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master - with: - oss-fuzz-project-name: 'cfengine' - dry-run: false - - name: Run Fuzzers - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master - with: - oss-fuzz-project-name: 'cfengine' - fuzz-seconds: 600 - dry-run: false - - name: Upload Crash - uses: actions/upload-artifact@v1 - if: failure() && steps.build.outcome == 'success' - with: - name: artifacts - path: ./out/artifacts From e5407f5b945ac1e7cc5cfe7c73d1d55dfe274a40 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Thu, 11 Jan 2024 21:12:02 +0100 Subject: [PATCH 109/255] Bumped .CFVERSION number to 3.21.5 Signed-off-by: Ole Herman Schumacher Elgesem --- .CFVERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.CFVERSION b/.CFVERSION index 4a463074a9..cc6a474e33 100644 --- a/.CFVERSION +++ b/.CFVERSION @@ -1 +1 @@ -3.21.4 +3.21.5 From b2b96facfec33bfd546e2fbd44fb4319b113e0c5 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 12 Jan 2024 15:56:10 -0600 Subject: [PATCH 110/255] Fixed static-check job by forcing inclusion of config.h Apparently config.h is not included from platform.h because HAVE_CONFIG_H is not defined or not checked as a possibility soon enough by cppcheck. Ticket: CFE-4310 Changelog: none (cherry picked from commit d8f2a75db2ab826c80051b035f569142a663d8b9) --- tests/static-check/run_checks.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/static-check/run_checks.sh b/tests/static-check/run_checks.sh index 5cfe1d15d1..e0d5d91842 100755 --- a/tests/static-check/run_checks.sh +++ b/tests/static-check/run_checks.sh @@ -26,9 +26,11 @@ function check_with_cppcheck() { # cppcheck options: # -I -- include paths # -i -- ignored files/folders + # --include= -- force including a file, e.g. config.h # Identified issues are printed to stderr cppcheck --quiet -j${n_procs} --error-exitcode=1 ./ \ --suppressions-list=tests/static-check/cppcheck_suppressions.txt \ + --include=config.h \ -I cf-serverd/ -I libpromises/ -I libcfnet/ -I libntech/libutils/ \ -i 3rdparty -i .lgtm -i libntech/.lgtm -i tests -i libpromises/cf3lex.c \ 2>&1 1>/dev/null From fb52605b586f124bc4564e3bb048386a76348c6e Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 11 Jan 2024 14:59:24 -0600 Subject: [PATCH 111/255] In configure.ac, force with-systemd-socket=no when with-systemd-service=no Previously --with-systemd-socket is defaulted to true always. If a system has libsystemd-dev and configure is called with --with-systemd-service=no the build would fail. Ticket: CFE-4274 Changelog: none (cherry picked from commit a12d12a0089c012a9fa2f17c094f4555b8371be4) --- configure.ac | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/configure.ac b/configure.ac index e45254b069..bf9be5f431 100644 --- a/configure.ac +++ b/configure.ac @@ -514,19 +514,6 @@ CF3_WITH_LIBRARY(pcre, [ AC_MSG_ERROR(Cannot find PCRE))]) ]) -dnl systemd-socket activation - -AC_ARG_WITH([systemd-socket], [AS_HELP_STRING([--with-systemd-socket[[=PATH]]], [support systemd socket activation])], [], [with_systemd_socket=check]) - - -if test "x$with_systemd_socket" != xno -then - CF3_WITH_LIBRARY(systemd_socket, [ - AC_CHECK_LIB(systemd, sd_listen_fds, [], [if test "x$with_systemd_socket" != xcheck; then AC_MSG_ERROR(Cannot find systemd library); fi]) - AC_CHECK_LIB(systemd, sd_notify_barrier, [AC_DEFINE([HAVE_SD_NOTIFY_BARRIER],[1],[sd_notify_barrier on recent systemd])]) - AC_CHECK_HEADERS(systemd/sd-daemon.h, [], [if test "x$with_systemd_socket" != xcheck; then AC_MSG_ERROR(Cannot find systemd headers); fi]) - ]) -fi dnl libvirt @@ -1639,6 +1626,22 @@ else fi AC_SUBST([OS_ENVIRONMENT_PATH]) +dnl systemd-socket activation + +AC_ARG_WITH([systemd-socket], [AS_HELP_STRING([--with-systemd-socket[[=PATH]]], [support systemd socket activation])], [], [with_systemd_socket=check]) + +dnl ######################################################################## +dnl systemd socket feature, only available if systemd init scripts requested +dnl ######################################################################## +if test "x$with_systemd_service" != xno && test "x$with_systemd_socket" != xno +then + CF3_WITH_LIBRARY(systemd_socket, [ + AC_CHECK_LIB(systemd, sd_listen_fds, [], [if test "x$with_systemd_socket" != xcheck; then AC_MSG_ERROR(Cannot find systemd library); fi]) + AC_CHECK_LIB(systemd, sd_notify_barrier, [AC_DEFINE([HAVE_SD_NOTIFY_BARRIER],[1],[sd_notify_barrier on recent systemd])]) + AC_CHECK_HEADERS(systemd/sd-daemon.h, [], [if test "x$with_systemd_socket" != xcheck; then AC_MSG_ERROR(Cannot find systemd headers); fi]) + ]) +fi + dnl ##################################################################### dnl SELinux policy build and installation dnl ##################################################################### From b222bc3ef462bd1e6dd080942bcfbebe6c0c5cda Mon Sep 17 00:00:00 2001 From: Alex Miliukov Date: Wed, 5 Apr 2023 12:38:41 +0200 Subject: [PATCH 112/255] ci: run valgrind check on GitHub Actions Changelog: None Ticket: ENT-9922 Signed-off-by: Alex Miliukov (cherry picked from commit 8c947591f2af2a59ff42df8d252c327e263319be) Conflicts: .github/workflows/ci.yml Valgrind also added with ENT-9158 (cfengine@8b8b8aa) deleted: .github/workflows/valgrind.sh deleted: .github/workflows/valgrind.yml --- .github/workflows/ci.yml | 4 +- .github/workflows/job-valgrind-check.yml | 25 +++ .github/workflows/valgrind.sh | 200 ----------------------- .github/workflows/valgrind.yml | 51 ------ 4 files changed, 27 insertions(+), 253 deletions(-) create mode 100644 .github/workflows/job-valgrind-check.yml delete mode 100644 .github/workflows/valgrind.sh delete mode 100644 .github/workflows/valgrind.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d2cb1db528..28a88116c7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,6 +20,6 @@ jobs: macos_unit_tests: needs: unit_tests uses: ./.github/workflows/macos_unit_tests.yml - valgrind_tests: + valgrind_check: needs: unit_tests - uses: ./.github/workflows/valgrind.yml + uses: ./.github/workflows/job-valgrind-check.yml diff --git a/.github/workflows/job-valgrind-check.yml b/.github/workflows/job-valgrind-check.yml new file mode 100644 index 0000000000..2604d9f958 --- /dev/null +++ b/.github/workflows/job-valgrind-check.yml @@ -0,0 +1,25 @@ +name: Valgrind Check + +on: + workflow_call + +jobs: + valgrind_check: + runs-on: ubuntu-latest + steps: + - name: Checkout Core + uses: actions/checkout@v3 + with: + submodules: recursive + path: core + + - name: Checkout Masterfiles + uses: actions/checkout@v3 + with: + repository: cfengine/masterfiles + submodules: recursive + path: masterfiles + + - name: Run The Test + working-directory: ./core/tests/valgrind-check + run: sudo bash run.sh diff --git a/.github/workflows/valgrind.sh b/.github/workflows/valgrind.sh deleted file mode 100644 index 73e7a48dd0..0000000000 --- a/.github/workflows/valgrind.sh +++ /dev/null @@ -1,200 +0,0 @@ -#!/usr/bin/env bash -set -e - -function print_ps { - set +e - echo "CFEngine processes:" - ps aux | grep [c]f- - - echo "Valgrind processes:" - ps aux | grep [v]algrind - set -e -} - -function no_errors { - set +e - grep -i "error" $1 - grep -i "error" $1 && exit 1 - set -e -} - -function check_daemon_output { - echo "Examining $1:" - no_errors $1 -} - -function check_output { - set -e - if [ ! -f "$1" ]; then - echo "$1 does not exists!" - exit 1 - fi - echo "Looking for problems in $1:" - grep -i "ERROR SUMMARY: 0 errors" "$1" - cat $1 | sed -e "/ 0 errors/d" -e "/and suppressed error/d" -e "/a memory error detector/d" -e "/This database contains unknown binary data/d" > filtered.txt - no_errors filtered.txt - set +e - grep -i "at 0x" filtered.txt - grep -i "at 0x" filtered.txt && exit 1 - grep -i "by 0x" filtered.txt - grep -i "by 0x" filtered.txt && exit 1 - grep -i "Failed to connect" filtered.txt - grep -i "Failed to connect" filtered.txt && exit 1 - set -e -} - -function check_serverd_valgrind_output { - if [ ! -f "$1" ]; then - echo "$1 does not exists!" - exit 1 - fi - set -e - echo "Serverd has 1 expected valgrind error because of old glibc" - echo "Because of this we use special assertions on output" - echo "Looking for problems in $1:" - grep -i "definitely lost" $1 - grep -i "indirectly lost" $1 - grep -i "ERROR SUMMARY" $1 - grep -i "definitely lost: 0 bytes in 0 blocks" $1 - grep -i "indirectly lost: 0 bytes in 0 blocks" $1 - grep -i "ERROR SUMMARY: 0 errors" "$1" - - cat $1 | sed -e "/ERROR SUMMARY/d" -e "/and suppressed error/d" -e "/a memory error detector/d" > filtered.txt - - no_errors filtered.txt - set +e - grep -i "at 0x" filtered.txt - grep -i "at 0x" filtered.txt && exit 1 - grep -i "by 0x" filtered.txt - grep -i "by 0x" filtered.txt && exit 1 - set -e -} - -function check_masterfiles_and_inputs { - set -e - echo "Comparing promises.cf from inputs and masterfiles:" - diff /var/cfengine/inputs/promises.cf /var/cfengine/masterfiles/promises.cf -} - -VG_OPTS="--leak-check=full --track-origins=yes --error-exitcode=1" -BOOTSTRAP_IP="$(ifconfig | grep -C1 Ethernet | sed 's/.*inet \([0-9.]*\).*/\1/;t;d')" - -valgrind $VG_OPTS /var/cfengine/bin/cf-key 2>&1 | tee cf-key.txt -check_output cf-key.txt -valgrind $VG_OPTS /var/cfengine/bin/cf-agent -B $BOOTSTRAP_IP 2>&1 | tee bootstrap.txt -check_output bootstrap.txt - -# Validate all databases here, because later, we cannot validate -# cf_lastseen.lmdb: -echo "Running cf-check diagnose --validate on all databases:" -valgrind $VG_OPTS /var/cfengine/bin/cf-check diagnose --validate 2>&1 | tee cf_check_validate_all.txt -check_output cf_check_validate_all.txt - -check_masterfiles_and_inputs - -print_ps - -echo "Stopping service to relaunch under valgrind" -systemctl stop cfengine3 -sleep 10 -print_ps - -# The IP we bootstrapped to cannot actually be used for communication. -# This ensures that cf-serverd binds to loopback interface, and cf-net -# connects to it: -echo "127.0.0.1" > /var/cfengine/policy_server.dat - -echo "Starting cf-serverd with valgrind in background:" -valgrind $VG_OPTS --log-file=serverd.txt /var/cfengine/bin/cf-serverd --no-fork 2>&1 > serverd_output.txt & -server_pid="$!" -sleep 20 - -echo "Starting cf-execd with valgrind in background:" -valgrind $VG_OPTS --log-file=execd.txt /var/cfengine/bin/cf-execd --no-fork 2>&1 > execd_output.txt & -exec_pid="$!" -sleep 10 - -print_ps - -echo "Running cf-net:" -valgrind $VG_OPTS /var/cfengine/bin/cf-net GET /var/cfengine/masterfiles/promises.cf 2>&1 | tee get.txt -check_output get.txt - -echo "Checking promises.cf diff (from cf-net GET):" -diff ./promises.cf /var/cfengine/masterfiles/promises.cf - -echo "Running update.cf:" -valgrind $VG_OPTS /var/cfengine/bin/cf-agent -K -f update.cf 2>&1 | tee update.txt -check_output update.txt -check_masterfiles_and_inputs -echo "Running update.cf without local copy:" -valgrind $VG_OPTS /var/cfengine/bin/cf-agent -K -f update.cf -D mpf_skip_local_copy_optimization 2>&1 | tee update2.txt -check_output update2.txt -check_masterfiles_and_inputs -echo "Running promises.cf:" -valgrind $VG_OPTS /var/cfengine/bin/cf-agent -K -f promises.cf 2>&1 | tee promises.txt -check_output promises.txt - -# Dump all databases, use grep to filter the JSON lines -# (optional whitespace then double quote or curly brackets). -# Some of the databases have strings containing "error" -# which check_output greps for. -echo "Running cf-check dump:" -valgrind $VG_OPTS /var/cfengine/bin/cf-check dump 2>&1 | grep -E '\s*[{}"]' --invert-match | tee cf_check_dump.txt -check_output cf_check_dump.txt - -echo "Running cf-check diagnose on all databases" -valgrind $VG_OPTS /var/cfengine/bin/cf-check diagnose 2>&1 | tee cf_check_diagnose.txt -check_output cf_check_diagnose.txt - -# Because of the hack with bootstrap IP / policy_server.dat above -# lastseen would not pass validation: -echo "Running cf-check diagnose --validate on all databases except cf_lastseen.lmdb:" -find /var/cfengine/state -name '*.lmdb' ! -name 'cf_lastseen.lmdb' -exec \ - valgrind $VG_OPTS /var/cfengine/bin/cf-check diagnose --validate {} + 2>&1 \ - | tee cf_check_validate_no_lastseen.txt -check_output cf_check_validate_no_lastseen.txt - -echo "Checking that bootstrap ID doesn't change" -/var/cfengine/bin/cf-agent --show-evaluated-vars | grep bootstrap_id > id_a -/var/cfengine/bin/cf-agent -K --show-evaluated-vars | grep bootstrap_id > id_b -cat id_a -diff id_a id_b - -echo "Checking that bootstrap ID has expected length" -[ `cat id_a | awk '{print $2}' | wc -c` -eq 41 ] - -print_ps - -echo "Checking that serverd and execd PIDs are still correct/alive:" -ps -p $exec_pid -ps -p $server_pid - -echo "Killing valgrind cf-execd" -kill $exec_pid -echo "Killing valgrind cf-serverd" -kill $server_pid -sleep 30 - -echo "Output from cf-execd in valgrind:" -cat execd.txt -check_output execd.txt -check_daemon_output execd_output.txt - -echo "Output from cf-serverd in valgrind:" -cat serverd.txt -check_serverd_valgrind_output serverd.txt -check_daemon_output serverd_output.txt - -echo "Stopping cfengine3 service" -systemctl stop cfengine3 - -echo "Done killing" -sleep 10 -print_ps - -echo "Check that bootstrap was successful" -grep "This host assumes the role of policy server" bootstrap.txt -grep "completed successfully!" bootstrap.txt - -echo "valgrind_health_check successful! (valgrind.sh)" diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml deleted file mode 100644 index 00e8df9060..0000000000 --- a/.github/workflows/valgrind.yml +++ /dev/null @@ -1,51 +0,0 @@ -name: Valgrind Tests - -on: - workflow_call - -jobs: - valgrind_tests: - runs-on: ubuntu-20.04 - defaults: - run: - working-directory: core - steps: - - uses: actions/checkout@v3 - with: - path: core - submodules: recursive - - name: Get Togethers - uses: cfengine/together-javascript-action@v1.7 - id: together - with: - myToken: ${{ secrets.GITHUB_TOKEN }} - - name: Clone masterfiles (master) - uses: actions/checkout@v3 - with: - repository: cfengine/masterfiles - ref: ${{steps.together.outputs.masterfiles}} - path: masterfiles - submodules: recursive - - name: Install dependencies - run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl libyaml-dev valgrind - - name: Run autotools / configure - run: ./autogen.sh --enable-debug --with-systemd-service - - name: Compile and link (make) - run: make -j8 CFLAGS="-Werror -Wall" - - name: Install CFEngine - run: sudo make install - - name: Generate masterfiles - run: ./autogen.sh - working-directory: masterfiles - - name: Install masterfiles - run: sudo make install - working-directory: masterfiles - - name: Reload systemd - run: sudo systemctl daemon-reload - - - name: See if cf-agent runs at all - run: /var/cfengine/bin/cf-agent --version - - - name: Run valgrind.sh - run: sudo bash .github/workflows/valgrind.sh - From 7ba1db3b9f2f9ac37bf1bb7d3533090da8a9fcb6 Mon Sep 17 00:00:00 2001 From: Alex Miliukov Date: Wed, 5 Apr 2023 12:36:48 +0200 Subject: [PATCH 113/255] ci: run static check on GitHub Actions Changelog: None Ticket: ENT-9922 Signed-off-by: Alex Miliukov (cherry picked from commit 89f1d04b43372c712a1d72fedb50332e3f891d8a) Conflicts: .github/workflows/ci.yml --- .github/workflows/ci.yml | 3 ++ .github/workflows/job-static-check.yml | 43 ++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 .github/workflows/job-static-check.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 28a88116c7..9e4b3ad451 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,3 +23,6 @@ jobs: valgrind_check: needs: unit_tests uses: ./.github/workflows/job-valgrind-check.yml + static_check: + needs: unit_tests + uses: ./.github/workflows/job-static-check.yml diff --git a/.github/workflows/job-static-check.yml b/.github/workflows/job-static-check.yml new file mode 100644 index 0000000000..b48f5bbb47 --- /dev/null +++ b/.github/workflows/job-static-check.yml @@ -0,0 +1,43 @@ +name: Static Check + +on: + workflow_call + +jobs: + static_check: + runs-on: ubuntu-latest + steps: + - name: Checkout Core + uses: actions/checkout@v3 + with: + submodules: recursive + path: core + + - name: Checkout Buildscripts + uses: actions/checkout@v3 + with: + repository: cfengine/buildscripts + submodules: recursive + path: buildscripts + + - name: Checkout Masterfiles + uses: actions/checkout@v3 + with: + repository: cfengine/masterfiles + submodules: recursive + path: masterfiles + + - name: Prepare Environment + run: | + sudo apt-get update && \ + sudo apt-get install -y dpkg-dev debhelper g++ libncurses5 pkg-config \ + build-essential libpam0g-dev fakeroot gcc make autoconf buildah \ + liblmdb-dev libacl1-dev libcurl4-openssl-dev libyaml-dev libxml2-dev \ + libssl-dev libpcre3-dev + + - name: Run Autogen + run: NO_CONFIGURE=1 PROJECT=community ./buildscripts/build-scripts/autogen + + - name: Run The Test + working-directory: ./core + run: ./tests/static-check/run.sh From 5d7c3d3c38c7137625188c8d77445e0ddc348566 Mon Sep 17 00:00:00 2001 From: Alex Miliukov Date: Tue, 4 Apr 2023 14:52:08 +0200 Subject: [PATCH 114/255] test(static-check): adjust exclude folders list Changelog: None Ticket: ENT-9922 Signed-off-by: Alex Miliukov (cherry picked from commit b15e86f87d6bdb56bbec910ea7c3e7456c5fd256) --- tests/static-check/run_checks.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/static-check/run_checks.sh b/tests/static-check/run_checks.sh index e0d5d91842..bcd059a3eb 100755 --- a/tests/static-check/run_checks.sh +++ b/tests/static-check/run_checks.sh @@ -32,7 +32,7 @@ function check_with_cppcheck() { --suppressions-list=tests/static-check/cppcheck_suppressions.txt \ --include=config.h \ -I cf-serverd/ -I libpromises/ -I libcfnet/ -I libntech/libutils/ \ - -i 3rdparty -i .lgtm -i libntech/.lgtm -i tests -i libpromises/cf3lex.c \ + -i 3rdparty -i .github/codeql -i libntech/.lgtm -i tests -i libpromises/cf3lex.c \ 2>&1 1>/dev/null } From f32a70fc8e2db62f74b39e9b305a9a32a6470421 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 22 Jan 2024 09:57:21 -0600 Subject: [PATCH 115/255] Fixed static-check and valgrind-check jobs to use together refs and base_refs properly (cherry picked from commit 99524c0cae77ad82f89a966e518b86cc998dec0f) --- .github/workflows/job-static-check.yml | 16 ++++++++++++++++ .github/workflows/job-valgrind-check.yml | 15 +++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/.github/workflows/job-static-check.yml b/.github/workflows/job-static-check.yml index b48f5bbb47..1554ba5bb7 100644 --- a/.github/workflows/job-static-check.yml +++ b/.github/workflows/job-static-check.yml @@ -7,6 +7,20 @@ jobs: static_check: runs-on: ubuntu-latest steps: + - name: Checkout Together Action + uses: actions/checkout@v3 + with: + repository: cfengine/together-javascript-action + ref: main + ssh-key: ${{ secrets.GH_ACTIONS_SSH_DEPLOY_KEY_TOGETHER_REPO }} + ssh-known-hosts: github.com + + - name: Action step + uses: ./ + id: together + with: + myToken: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout Core uses: actions/checkout@v3 with: @@ -19,6 +33,7 @@ jobs: repository: cfengine/buildscripts submodules: recursive path: buildscripts + ref: ${{steps.together.outputs.buildscripts || github.base_ref}} - name: Checkout Masterfiles uses: actions/checkout@v3 @@ -26,6 +41,7 @@ jobs: repository: cfengine/masterfiles submodules: recursive path: masterfiles + ref: ${{steps.together.outputs.masterfiles || github.base_ref}} - name: Prepare Environment run: | diff --git a/.github/workflows/job-valgrind-check.yml b/.github/workflows/job-valgrind-check.yml index 2604d9f958..3fb2c39239 100644 --- a/.github/workflows/job-valgrind-check.yml +++ b/.github/workflows/job-valgrind-check.yml @@ -7,6 +7,20 @@ jobs: valgrind_check: runs-on: ubuntu-latest steps: + - name: Checkout Together Action + uses: actions/checkout@v3 + with: + repository: cfengine/together-javascript-action + ref: main + ssh-key: ${{ secrets.GH_ACTIONS_SSH_DEPLOY_KEY_TOGETHER_REPO }} + ssh-known-hosts: github.com + + - name: Action step + uses: ./ + id: together + with: + myToken: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout Core uses: actions/checkout@v3 with: @@ -19,6 +33,7 @@ jobs: repository: cfengine/masterfiles submodules: recursive path: masterfiles + ref: ${{steps.together.outputs.masterfiles || github.base_ref}} - name: Run The Test working-directory: ./core/tests/valgrind-check From d37cfa08767a712e61c1dbc52f520043315b5f21 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 12 Jan 2024 16:23:00 -0600 Subject: [PATCH 116/255] Fixed a few problems found by cppcheck Ticket: CFE-4310 Changelog: none (cherry picked from commit 846237ca6f3765d3af9d3bac51de3999f21f05be) (cherry picked from commit 7a8483cbd8561d6d9dfc2c54f5e458635e33af93) --- cf-agent/verify_users_pam.c | 12 ++++++++++-- cf-check/diagnose.c | 1 + 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/cf-agent/verify_users_pam.c b/cf-agent/verify_users_pam.c index f44db5ea56..c405c7d1fa 100644 --- a/cf-agent/verify_users_pam.c +++ b/cf-agent/verify_users_pam.c @@ -600,7 +600,9 @@ static bool ChangePasswordHashUsingLckpwdf(const char *puser, const char *passwo } fclose(edit_fd); + edit_fd = NULL; // mark as NULL so we don't close it later fclose(passwd_fd); + passwd_fd = NULL; // mark as NULL so we don't close it later if (!CopyFilePermissionsDisk(passwd_file, edit_file)) { @@ -620,10 +622,16 @@ static bool ChangePasswordHashUsingLckpwdf(const char *puser, const char *passwo goto unlock_passwd; close_both: - fclose(edit_fd); + if (edit_fd != NULL) + { + fclose(edit_fd); + } unlink(edit_file); close_passwd_fd: - fclose(passwd_fd); + if (passwd_fd != NULL) + { + fclose(passwd_fd); + } unlock_passwd: ulckpwdf(); diff --git a/cf-check/diagnose.c b/cf-check/diagnose.c index c04444adb2..529a177499 100644 --- a/cf-check/diagnose.c +++ b/cf-check/diagnose.c @@ -281,6 +281,7 @@ static int diagnose(const char *path, bool temporary_redirect, bool validate) return errno; } assert(f_result == stdout); + fclose(f_result); ret = lmdump(LMDUMP_VALUES_ASCII, path); } return lmdb_errno_to_cf_check_code(ret); From f9e65b945b8bc048da2d066f67af8a594779d147 Mon Sep 17 00:00:00 2001 From: Alex Miliukov Date: Thu, 16 Mar 2023 16:49:06 +0100 Subject: [PATCH 117/255] ci: enable custom CodeQL queries Changelog: None Ticket: ENT-9909 Signed-off-by: Alex Miliukov (cherry picked from commit 104f3ad8b67890ef78e0e0d5836a4f12a872fd37) (cherry picked from commit e9f27c0b3e8322066878bddb84cd40caf764c87f) --- .github/codeql/codeql-config.yml | 5 ++ .../cpp-queries/bool-type-mismatch-return.c | 0 .../bool-type-mismatch-return.qhelp | 0 .../cpp-queries/bool-type-mismatch-return.ql | 0 .../cpp-queries/missing-argument-null-check.c | 0 .../missing-argument-null-check.qhelp | 0 .../missing-argument-null-check.ql | 0 .github/codeql/cpp-queries/qlpack.yml | 4 ++ .github/workflows/codeql.yml | 53 +++++++++++++++++++ 9 files changed, 62 insertions(+) create mode 100644 .github/codeql/codeql-config.yml rename {.lgtm => .github/codeql}/cpp-queries/bool-type-mismatch-return.c (100%) rename {.lgtm => .github/codeql}/cpp-queries/bool-type-mismatch-return.qhelp (100%) rename {.lgtm => .github/codeql}/cpp-queries/bool-type-mismatch-return.ql (100%) rename {.lgtm => .github/codeql}/cpp-queries/missing-argument-null-check.c (100%) rename {.lgtm => .github/codeql}/cpp-queries/missing-argument-null-check.qhelp (100%) rename {.lgtm => .github/codeql}/cpp-queries/missing-argument-null-check.ql (100%) create mode 100644 .github/codeql/cpp-queries/qlpack.yml create mode 100644 .github/workflows/codeql.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000000..f2abe41730 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,5 @@ +name: "CFEngine cpp CodeQL config" + +queries: + - uses: cfengine/core/.github/codeql/cpp-queries/bool-type-mismatch-return.ql + - uses: cfengine/core/.github/codeql/cpp-queries/missing-argument-null-check.ql diff --git a/.lgtm/cpp-queries/bool-type-mismatch-return.c b/.github/codeql/cpp-queries/bool-type-mismatch-return.c similarity index 100% rename from .lgtm/cpp-queries/bool-type-mismatch-return.c rename to .github/codeql/cpp-queries/bool-type-mismatch-return.c diff --git a/.lgtm/cpp-queries/bool-type-mismatch-return.qhelp b/.github/codeql/cpp-queries/bool-type-mismatch-return.qhelp similarity index 100% rename from .lgtm/cpp-queries/bool-type-mismatch-return.qhelp rename to .github/codeql/cpp-queries/bool-type-mismatch-return.qhelp diff --git a/.lgtm/cpp-queries/bool-type-mismatch-return.ql b/.github/codeql/cpp-queries/bool-type-mismatch-return.ql similarity index 100% rename from .lgtm/cpp-queries/bool-type-mismatch-return.ql rename to .github/codeql/cpp-queries/bool-type-mismatch-return.ql diff --git a/.lgtm/cpp-queries/missing-argument-null-check.c b/.github/codeql/cpp-queries/missing-argument-null-check.c similarity index 100% rename from .lgtm/cpp-queries/missing-argument-null-check.c rename to .github/codeql/cpp-queries/missing-argument-null-check.c diff --git a/.lgtm/cpp-queries/missing-argument-null-check.qhelp b/.github/codeql/cpp-queries/missing-argument-null-check.qhelp similarity index 100% rename from .lgtm/cpp-queries/missing-argument-null-check.qhelp rename to .github/codeql/cpp-queries/missing-argument-null-check.qhelp diff --git a/.lgtm/cpp-queries/missing-argument-null-check.ql b/.github/codeql/cpp-queries/missing-argument-null-check.ql similarity index 100% rename from .lgtm/cpp-queries/missing-argument-null-check.ql rename to .github/codeql/cpp-queries/missing-argument-null-check.ql diff --git a/.github/codeql/cpp-queries/qlpack.yml b/.github/codeql/cpp-queries/qlpack.yml new file mode 100644 index 0000000000..3be7e4e80c --- /dev/null +++ b/.github/codeql/cpp-queries/qlpack.yml @@ -0,0 +1,4 @@ +name: cfengine/codeql-cpp-queries +version: 1.0.0 +dependencies: + codeql/cpp-all: ~0.5.4 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..4777259e8e --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,53 @@ +name: "CodeQL" + +on: + push: + branches: [ "master", "3.15.x", "3.18.x", "3.21.x"] + pull_request: + branches: [ "master", "3.15.x", "3.18.x", "3.21.x"] + schedule: + - cron: "40 18 * * 6" + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ python, cpp ] + + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + queries: +security-and-quality + config-file: .github/codeql/codeql-config.yml + + - name: Autobuild (Python) + if: ${{ matrix.language == 'python' }} + uses: github/codeql-action/autobuild@v2 + + - name: Install dependencies (C) + if: ${{ matrix.language == 'cpp' }} + run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl + + - name: Build (C) + if: ${{ matrix.language == 'cpp' }} + run: ./autogen.sh && make + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{ matrix.language }}" From 76513fd62628567ddc2781669882c3a32e437f35 Mon Sep 17 00:00:00 2001 From: Alex Miliukov Date: Fri, 17 Mar 2023 15:05:11 +0100 Subject: [PATCH 118/255] ci: codeql config fix Changelog: None Ticket: None Signed-off-by: Alex Miliukov (cherry picked from commit 0c322576d7083f21e82fe8f1a954701b763ca7b9) (cherry picked from commit 25af903cf25beac5c34a2ecae8ecc57d89f57d7d) --- .github/codeql/codeql-config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index f2abe41730..b082519997 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -1,5 +1,5 @@ name: "CFEngine cpp CodeQL config" queries: - - uses: cfengine/core/.github/codeql/cpp-queries/bool-type-mismatch-return.ql - - uses: cfengine/core/.github/codeql/cpp-queries/missing-argument-null-check.ql + - uses: cfengine/core/.github/codeql/cpp-queries/bool-type-mismatch-return.ql@master + - uses: cfengine/core/.github/codeql/cpp-queries/missing-argument-null-check.ql@master From 6a86aeb56080ab4b7c88cb4385960595bc7ba29e Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Mon, 29 Jan 2024 14:11:15 +0100 Subject: [PATCH 119/255] Add options to skip loading augments and host-specific data to cf-agent Ticket: ENT-10792 Changelog: cf-agent has two new options --no-augments and --no-host-specific-data to skip loading augments (def.json or def_preferred.json) and host-specific data (host_specific.json), respectively (cherry picked from commit 9aa4767eaa311b0558ea0f97a8420f475e877d21) --- cf-agent/cf-agent.c | 12 ++++++++++++ libpromises/generic_agent.c | 16 ++++++++++++---- libpromises/generic_agent.h | 2 ++ 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/cf-agent/cf-agent.c b/cf-agent/cf-agent.c index 145bdd5cbe..5b210668b5 100644 --- a/cf-agent/cf-agent.c +++ b/cf-agent/cf-agent.c @@ -203,6 +203,8 @@ static const struct option OPTIONS[] = /* Only long option for the rest */ {"ignore-preferred-augments", no_argument, 0, 0}, {"log-modules", required_argument, 0, 0}, + {"no-augments", no_argument, 0, 0}, + {"no-host-specific-data", no_argument, 0, 0}, {"show-evaluated-classes", optional_argument, 0, 0 }, {"show-evaluated-vars", optional_argument, 0, 0 }, {"skip-bootstrap-policy-run", no_argument, 0, 0 }, @@ -235,6 +237,8 @@ static const char *const HINTS[] = "Log timestamps on each line of log output", "Ignore def_preferred.json file in favor of def.json", "Enable even more detailed debug logging for specific areas of the implementation. Use together with '-d'. Use --log-modules=help for a list of available modules", + "Do not load augments (def.json)", + "Do not load host-specific data (host_specific.json)", "Show *final* evaluated classes, including those defined in common bundles in policy. Optionally can take a regular expression.", "Show *final* evaluated variables, including those defined without dependency to user-defined classes in policy. Optionally can take a regular expression.", "Do not run policy as the last step of the bootstrap process", @@ -680,6 +684,14 @@ static GenericAgentConfig *CheckOpts(int argc, char **argv) DoCleanupAndExit(EXIT_FAILURE); } } + else if (StringEqual(option_name, "no-augments")) + { + config->agent_specific.common.no_augments = true; + } + else if (StringEqual(option_name, "no-host-specific-data")) + { + config->agent_specific.common.no_host_specific = true; + } else if (StringEqual(option_name, "show-evaluated-classes")) { if (optarg == NULL) diff --git a/libpromises/generic_agent.c b/libpromises/generic_agent.c index 47d4721328..2c3af5608f 100644 --- a/libpromises/generic_agent.c +++ b/libpromises/generic_agent.c @@ -942,6 +942,8 @@ static void AddPolicyEntryVariables (EvalContext *ctx, const GenericAgentConfig void GenericAgentDiscoverContext(EvalContext *ctx, GenericAgentConfig *config, const char *program_name) { + assert(config != NULL); + strcpy(VPREFIX, ""); if (program_name != NULL) { @@ -1080,14 +1082,17 @@ void GenericAgentDiscoverContext(EvalContext *ctx, GenericAgentConfig *config, } /* Load CMDB data *before* augments. */ - if (!LoadCMDBData(ctx)) + if (!config->agent_specific.common.no_host_specific && !LoadCMDBData(ctx)) { Log(LOG_LEVEL_ERR, "Failed to load CMDB data"); } - /* load augments here so that they can make use of the classes added above - * (especially 'am_policy_hub' and 'policy_server') */ - LoadAugments(ctx, config); + if (!config->agent_specific.common.no_augments) + { + /* load augments here so that they can make use of the classes added above + * (especially 'am_policy_hub' and 'policy_server') */ + LoadAugments(ctx, config); + } } static bool IsPolicyPrecheckNeeded(GenericAgentConfig *config, bool force_validation) @@ -2518,6 +2523,9 @@ GenericAgentConfig *GenericAgentConfigNewDefault(AgentType agent_type, bool tty_ /* Log classes */ config->agent_specific.agent.report_class_log = false; + config->agent_specific.common.no_augments = false; + config->agent_specific.common.no_host_specific = false; + switch (agent_type) { case AGENT_TYPE_COMMON: diff --git a/libpromises/generic_agent.h b/libpromises/generic_agent.h index 2e334fe745..6238751720 100644 --- a/libpromises/generic_agent.h +++ b/libpromises/generic_agent.h @@ -80,6 +80,8 @@ typedef struct bool eval_functions; char *show_classes; char *show_variables; + bool no_augments; + bool no_host_specific; } common; struct { From 9ec267da37348b151d49808e8d945a896510e6f0 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Thu, 8 Feb 2024 15:49:49 +0100 Subject: [PATCH 120/255] Carefully handle symlinks at the last phase of VerifyFilePromise() If the promiser is a symlink, `lstat()` and `stat()` give different results. We need to use `lstat()` to get info about the promiser (symlink) itself. Also, we need to call `VerifyFileLeaf()` on symlinks as well as on regular files. Ticket: ENT-11235 Changelog: Ownership of symlinks is now handled properly (cherry picked from commit 84b67836aa7dcaa2e949c8a03ea80fadac0568d7) Conflicts: tests/acceptance/28_inform_testing/01_files/perms.cf.expected --- cf-agent/verify_files.c | 4 ++-- .../10_files/10_links/owner-mismatch-link-and-target.cf | 8 +------- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/cf-agent/verify_files.c b/cf-agent/verify_files.c index a83fdb97cf..d50e05a186 100644 --- a/cf-agent/verify_files.c +++ b/cf-agent/verify_files.c @@ -599,9 +599,9 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi // Once more in case a file has been created as a result of editing or copying - exists = (stat(changes_path, &osb) != -1); + exists = (lstat(changes_path, &osb) != -1); - if (exists && (S_ISREG(osb.st_mode)) + if (exists && (S_ISREG(osb.st_mode) || S_ISLNK(osb.st_mode)) && (!a.haveselect || SelectLeaf(ctx, path, &osb, &(a.select)))) { VerifyFileLeaf(ctx, path, &osb, &a, pp, &result); diff --git a/tests/acceptance/10_files/10_links/owner-mismatch-link-and-target.cf b/tests/acceptance/10_files/10_links/owner-mismatch-link-and-target.cf index 5625a4b7c4..1202fab036 100755 --- a/tests/acceptance/10_files/10_links/owner-mismatch-link-and-target.cf +++ b/tests/acceptance/10_files/10_links/owner-mismatch-link-and-target.cf @@ -28,13 +28,7 @@ bundle agent test "description" -> { "CFE-3116" } string => "Test that promising ownership of symlinks is not confused by target"; - "test_soft_fail" - string => "any", - meta => { "CFE-3116" }; - - # this test isn't super comprehensive, once the issue is fixed, it will - # need to be skipped on various platforms, at least windows. - # "test_skip_unsupported" string => "windows"; + "test_skip_unsupported" string => "windows"; files: "/tmp/symlink" From 81a2909f6b671081a495b1429f278cb06d6d9149 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 15 Feb 2024 16:25:34 -0600 Subject: [PATCH 121/255] Adjusted INSTALL instructions for OpenBSD 7.4 (cherry picked from commit 2b5cf97c7300335d620c6d70cf756203658ee5d3) --- INSTALL | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/INSTALL b/INSTALL index 05f950d6c2..e52e6a69f9 100644 --- a/INSTALL +++ b/INSTALL @@ -127,6 +127,14 @@ For SELinux support you will need selinux-policy-devel package and specify `--wi $ sudo apt-get install -y build-essential git libtool autoconf automake bison flex libssl-dev libpcre3-dev libbison-dev libacl1 libacl1-dev lmdb-utils liblmdb-dev libpam0g-dev libtool libyaml-dev libxml2-dev +* OpenBSD (7.4 2024-02-15) + +doas pkg_add git automake-1.16.5 autoconf-2.71 bison pcre2 m4 libtool lmdb gmake + +$ MAKE=/usr/local/bin/gmake LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include AUTOMAKE_VERSION=1.16 AUTOCONF_VERSION=2.71 ./autogen.sh --enable-debug +$ gmake -j8 +$ doas gmake install + * FreeBSD (12.1 2020-04-07) See docs/BSD.md From a2e60dbdfd81131caa8277eee2fc3c5941ce40eb Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 15 Feb 2024 16:27:42 -0600 Subject: [PATCH 122/255] Adjusted openssl ifdefs to support building on OpenBSD (cherry picked from commit 3e1ab1dcb629f8c914fa553fac347504dec4d040) --- libpromises/crypto.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libpromises/crypto.c b/libpromises/crypto.c index 5ba5a74a74..55d7786017 100644 --- a/libpromises/crypto.c +++ b/libpromises/crypto.c @@ -869,11 +869,13 @@ static void SetupOpenSSLThreadLocks(void) } #ifndef __MINGW32__ +#if OPENSSL_VERSION_NUMBER < 0x10100000 CRYPTO_set_id_callback((unsigned long (*)())ThreadId_callback); #endif - // This is a no-op macro for OpenSSL >= 1.1.0 - // The callback function is not used (or defined) then +#endif +#if OPENSSL_VERSION_NUMBER < 0x10100000 CRYPTO_set_locking_callback((void (*)())OpenSSLLock_callback); +#endif } static void CleanupOpenSSLThreadLocks(void) @@ -881,7 +883,9 @@ static void CleanupOpenSSLThreadLocks(void) const int numLocks = CRYPTO_num_locks(); CRYPTO_set_locking_callback(NULL); #ifndef __MINGW32__ +#if OPENSSL_VERSION_NUMBER < 0x10100000 CRYPTO_set_id_callback(NULL); +#endif #endif for (int i = 0; i < numLocks; i++) From 4732aa44e4d467d13f5c11203664f485bcbdbd94 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 22 Feb 2024 08:15:00 -0600 Subject: [PATCH 123/255] Fixed incorrect sed command for cf-support filtering syslog output sed -n '/cfe/p;/cf-/p' would cause any line matching both expressions to be printed twice Ticket: CFE-4337 Changelog: none (cherry picked from commit 56140ba74b9025d46cbfd84ae4c96daf83d5e405) --- misc/cf-support | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/cf-support b/misc/cf-support index 0da37ec2e3..ee195f7cf7 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -374,7 +374,7 @@ if [ "$OS" = "aix" ]; then echo "r !errpt -a g/cfengine/?---?,/---/p" | ed > "$_syslog_filtered" || true else - $syslog_cmd | sed -n '/cfe/p;/cf-/p' | gzip -c > "$_syslog_filtered" || true + $syslog_cmd | sed -n '/[Cc][Ff][Ee-]/p' | gzip -c > "$_syslog_filtered" || true fi echo "Captured output of $syslog_cmd filtered for cf-|CFEngine" From 183d474482fcae20d64cac984983a067de5065dd Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 26 Feb 2024 14:01:37 +0100 Subject: [PATCH 124/255] Added standard OS name & version variables for Amazon Added `sys.os_name_human` and `sys.os_version_major`. Additionally changed value of `sys.flavor` from `AmazonLinux` to `amazon_linux_2`, so that it is similar to other supported Linux distros. This change was necessary, due to the fact that the `sys.os_version_major` variable is derived from it. However, the `AmazonLinux` class previously derived from `sys.flavor` is still defined for backwards compatibility. Ticket: ENT-10817 Changelog: Body Signed-off-by: Lars Erik Wik Co-authored-by: Ole Herman Schumacher Elgesem <4048546+olehermanse@users.noreply.github.com> (cherry picked from commit c3701b6c88bf947d6806d65e6c3a8b98e5b9049c) --- libenv/sysinfo.c | 20 ++++++++++++++++--- .../01_vars/01_basic/os_name_human.cf | 2 ++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c index e94073058c..6ed5636c62 100644 --- a/libenv/sysinfo.c +++ b/libenv/sysinfo.c @@ -2659,7 +2659,7 @@ static void Linux_Amazon_Version(EvalContext *ctx) { char buffer[CF_BUFSIZE]; - // Amazon Linux AMI release 2016.09 + // Amazon Linux release 2 (Karoo) if (ReadLine("/etc/system-release", buffer, sizeof(buffer))) { @@ -2670,7 +2670,7 @@ static void Linux_Amazon_Version(EvalContext *ctx) ",derived-from-file=/etc/system-release"); char version[128]; - if (sscanf(buffer, "%*s %*s %*s %*s %127s", version) == 1) + if (sscanf(buffer, "%*s %*s %*s %127s", version) == 1) { char class[CF_MAXVARSIZE]; @@ -2679,8 +2679,16 @@ static void Linux_Amazon_Version(EvalContext *ctx) EvalContextClassPutHard(ctx, class, "inventory,attribute_name=none,source=agent" ",derived-from-file=/etc/system-release"); + SetFlavor(ctx, class); } - SetFlavor(ctx, "AmazonLinux"); + else + { + SetFlavor(ctx, "amazon_linux"); + } + // We set this class for backwards compatibility + EvalContextClassPutHard(ctx, "AmazonLinux", + "inventory,attribute_name=none,source=agent," + "derived-from=sys.flavor"); } } } @@ -3475,6 +3483,12 @@ static void SysOSNameHuman(EvalContext *ctx) "Solaris", CF_DATA_TYPE_STRING, "source=agent,derived-from=solaris"); } + else if (EvalContextClassGet(ctx, NULL, "amazon_linux") != NULL) + { + EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, lval, + "Amazon", CF_DATA_TYPE_STRING, + "source=agent,derived-from=amazon_linux"); + } else { EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, lval, diff --git a/tests/acceptance/01_vars/01_basic/os_name_human.cf b/tests/acceptance/01_vars/01_basic/os_name_human.cf index 48fd404b64..f4d98afe93 100755 --- a/tests/acceptance/01_vars/01_basic/os_name_human.cf +++ b/tests/acceptance/01_vars/01_basic/os_name_human.cf @@ -48,6 +48,8 @@ bundle agent test "expected" string => "macOS"; solaris:: "expected" string => "Solaris"; + amazon_linux:: + "expected" string => "Amazon"; } bundle agent check From 797208ccf6520d93cc5575cfafa91f6b5bd09802 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 1 Mar 2024 08:54:00 -0600 Subject: [PATCH 125/255] Added instructions on building for NetBSD and OpenBSD Also removed prefixed '$ ' lines to make it easier to copy/paste the commands in INSTALL (not an .md file) Ticket: CFE-4344 Changelog: none (cherry picked from commit 0b1cb02f206ce65585e8f7618789cab69b734064) Conflicts: INSTALL Needed manual edits due to pcre and not pcre2 in 3.21.x branch. --- INSTALL | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/INSTALL b/INSTALL index e52e6a69f9..2f44779299 100644 --- a/INSTALL +++ b/INSTALL @@ -115,25 +115,32 @@ submit PRs with updates to this information. * RedHat/CentOS (rhel-9 2023-10-09) On CentOS: -$ sudo yum install epel-release && sudo yum update +sudo yum install epel-release && sudo yum update + Or on RHEL, replacing the version number with yours: -$ sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms && sudo yum update +sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms && sudo yum update -$ sudo yum install -y gcc gdb make git libtool autoconf automake byacc flex openssl-devel pcre-devel lmdb-devel pam-devel flex-devel libyaml-devel fakeroot libxml2-devel +sudo yum install -y gcc gdb make git libtool autoconf automake byacc flex openssl-devel pcre-devel lmdb-devel pam-devel flex-devel libyaml-devel fakeroot libxml2-devel For SELinux support you will need selinux-policy-devel package and specify `--with-selinux-policy` to `autogen.sh` or `configure` * Debian (Debian 12 2023-10-09) -$ sudo apt-get install -y build-essential git libtool autoconf automake bison flex libssl-dev libpcre3-dev libbison-dev libacl1 libacl1-dev lmdb-utils liblmdb-dev libpam0g-dev libtool libyaml-dev libxml2-dev +sudo apt-get install -y build-essential git libtool autoconf automake bison flex libssl-dev libpcre-dev libbison-dev libacl1 libacl1-dev lmdb-utils liblmdb-dev libpam0g-dev libtool libyaml-dev libxml2-dev -* OpenBSD (7.4 2024-02-15) +* NetBSD (9.3 2024-03-01) -doas pkg_add git automake-1.16.5 autoconf-2.71 bison pcre2 m4 libtool lmdb gmake +doas pkgin install automake autoconf bison pcre m4 libtool lmdb gmake +LDFLAGS=-L/usr/pkg/lib CPPFLAGS=-I/usr/pkg/include ./autogen.sh --enable-debug --without-systemd-service --without-systemd-socket +gmake -j8 +doas /usr/pkg/bin/gmake install + +* OpenBSD (7.4 2024-02-15) -$ MAKE=/usr/local/bin/gmake LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include AUTOMAKE_VERSION=1.16 AUTOCONF_VERSION=2.71 ./autogen.sh --enable-debug -$ gmake -j8 -$ doas gmake install +pkg_add git automake-1.16.5 autoconf-2.71 bison pcre m4 libtool lmdb gmake +MAKE=/usr/local/bin/gmake LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include AUTOMAKE_VERSION=1.16 AUTOCONF_VERSION=2.71 ./autogen.sh --enable-debug +gmake -j8 +doas gmake install * FreeBSD (12.1 2020-04-07) @@ -141,17 +148,17 @@ See docs/BSD.md * SUSE (Tumbleweed 2020-02-02) -$ sudo zypper install gdb gcc make lmdb autoconf automake libtool git python3 pcre-devel libopenssl-devel pam-devel +sudo zypper install gdb gcc make lmdb autoconf automake libtool git python3 pcre-devel libopenssl-devel pam-devel * AlpineOS (3.11.3 x86_64 2020-04-13) -$ sudo apk add alpine-sdk lmdb-dev openssl-dev bison flex-dev acl-dev pcre-dev autoconf automake libtool git python3 gdb -$ ./autogen.sh --without-pam +sudo apk add alpine-sdk lmdb-dev openssl-dev bison flex-dev acl-dev pcre-dev autoconf automake libtool git python3 gdb +./autogen.sh --without-pam * Termux (2020-04-24) -$ pkg install build-essential git autoconf automake bison flex liblmdb openssl pcre libacl libyaml -$ ./autogen.sh --without-pam +pkg install build-essential git autoconf automake bison flex liblmdb openssl pcre libacl libyaml +./autogen.sh --without-pam * OSX (2021-10-20) From 37be6db395e051cd301f900bbd75fd5b3cfbabd8 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 19 Jan 2024 11:24:19 -0600 Subject: [PATCH 126/255] Modified package promise default. If platform_default is present use that package module. Previously if a policy that only specified the promiser: packages: "ed"; It will default to package_method generic in our C code. Now it will look for package_module_knowledge.platform_default and if present make the package promise use package module instead. Ticket: CFE-4315 Changelog: title Co-authored-by: Lars Erik Wik <53906608+larsewi@users.noreply.github.com> (cherry picked from commit f23e268255b189465cf67135e9c1e77f36c92f20) --- cf-agent/verify_packages.c | 16 ++++++---------- libpromises/attributes.c | 19 ++++++++++++++++++- 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/cf-agent/verify_packages.c b/cf-agent/verify_packages.c index 376815e334..50c6cfe329 100644 --- a/cf-agent/verify_packages.c +++ b/cf-agent/verify_packages.c @@ -189,21 +189,17 @@ PromiseResult VerifyPackagesPromise(EvalContext *ctx, const Promise *pp) switch (package_promise_type) { case PACKAGE_PROMISE_TYPE_NEW: - Log(LOG_LEVEL_VERBOSE, "Using new package promise."); + Log(LOG_LEVEL_VERBOSE, "Using v2 package promises (package_module)"); result = HandleNewPackagePromiseType(ctx, pp, &a); break; case PACKAGE_PROMISE_TYPE_OLD: - Log(LOG_LEVEL_VERBOSE, - "Using old package promise. Please note that this old " - "implementation is being phased out. The old " - "implementation will continue to work, but forward development " - "will be directed toward the new implementation."); + Log(LOG_LEVEL_VERBOSE, "Using v1 package promises (package_method)"); result = HandleOldPackagePromiseType(ctx, pp, &a); - /* Update new package promise cache in case we have mixed old and new + /* Update v2 package promise cache in case we have mixed v2 and v1 * package promises in policy. */ if (result == PROMISE_RESULT_CHANGE || result == PROMISE_RESULT_FAIL) { @@ -212,15 +208,15 @@ PromiseResult VerifyPackagesPromise(EvalContext *ctx, const Promise *pp) break; case PACKAGE_PROMISE_TYPE_NEW_ERROR: cfPS_HELPER_0ARG(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, &a, - "New package promise failed sanity check."); + "v1 package promise (package_method) failed sanity check."); break; case PACKAGE_PROMISE_TYPE_OLD_ERROR: cfPS_HELPER_0ARG(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, &a, - "Old package promise failed sanity check."); + "v1 package promise (package_method) failed sanity check."); break; case PACKAGE_PROMISE_TYPE_MIXED: cfPS_HELPER_0ARG(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, &a, - "Mixed old and new package promise attributes inside " + "Mixed v1 and v2 package promise attributes inside " "one package promise."); break; default: diff --git a/libpromises/attributes.c b/libpromises/attributes.c index dba903d60f..82ae5d80de 100644 --- a/libpromises/attributes.c +++ b/libpromises/attributes.c @@ -1158,6 +1158,7 @@ Packages GetPackageConstraints(const EvalContext *ctx, const Promise *pp) if (bodies_and_args != NULL && SeqLength(bodies_and_args) > 0) { + Log(LOG_LEVEL_INFO, "Package promise had no package_method attribute so it's being assigned a value of 'generic' as default."); const Body *bp = SeqAt(bodies_and_args, 0); // guaranteed to be non-NULL CopyBodyConstraintsToPromise((EvalContext*)ctx, (Promise*)pp, bp); has_generic_package_method = true; @@ -1251,10 +1252,26 @@ NewPackages GetNewPackageConstraints(const EvalContext *ctx, const Promise *pp) p.package_options = PromiseGetConstraintAsList(ctx, "options", pp); p.is_empty = (memcmp(&p, &empty, sizeof(NewPackages)) == 0); + + bool have_policy = PromiseBundleOrBodyConstraintExists(ctx, "policy", pp); + bool have_package_policy = PromiseBundleOrBodyConstraintExists(ctx, "package_policy", pp); + if (!have_policy && !have_package_policy) + { + Log(LOG_LEVEL_DEBUG, "Package promise has no policy or package_policy attribute. Checking if package_module_knowledge.platform_default is defined to default the policy attribute to 'present' and force use of v2 package promise (package_module)."); + + VarRef *ref = VarRefParseFromScope("package_module_knowledge.platform_default", NULL); + const void *ret = EvalContextVariableGet(ctx, ref, NULL); + if (ret != NULL) + { + Log(LOG_LEVEL_INFO, "Package promise had no policy or package_policy attribute and package_module_knowledge.platform_default is defined so defaulting to v2 package promise (package_module) and setting 'policy' attribute to 'present'."); + PromiseAppendConstraint((Promise*)pp, "policy", (Rval) {xstrdup("present"), RVAL_TYPE_SCALAR }, false); + } + VarRefDestroy(ref); + } p.package_policy = GetNewPackagePolicy(PromiseGetConstraintAsRval(pp, "policy", RVAL_TYPE_SCALAR), new_packages_actions); - /* We can have only policy specified in new package promise definition. */ + /* We can have only policy specified in v2 package promise (package_module) definition. */ if (p.package_policy != NEW_PACKAGE_ACTION_NONE) { p.is_empty = false; From 755ffc85ebf8e73776302329069b9ad43b0270f0 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 29 Feb 2024 16:06:00 -0600 Subject: [PATCH 127/255] Adjusted package module inventory to include quotes around fields when needed On FreeBSD where package versions can have commas such as joe-4.6,1 this was causing errors with the use of packagesmatching() function. ``` error: Line from package inventory 'joe,4.6,1,amd64,pkg' did not yield correct number of elements. ``` Used CsvWriterField to quote the field in case it includes " , \r \n. See CsvWriterField() at https://github.com/NorthernTechHQ/libntech/blob/master/libutils/csv_writer.c#L73 Had to add a workaround to convert CRLF written by csv_writer to expected LF in resulting inventory_list. Ticket: CFE-4341 Changelog: title Co-authored-by: Lars Erik Wik (cherry picked from commit 27fdfb5afd1ccd0cdefd9926a0129f0ca30563ec) --- cf-agent/package_module.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/cf-agent/package_module.c b/cf-agent/package_module.c index 2f7039d7ba..7ec7809e1c 100644 --- a/cf-agent/package_module.c +++ b/cf-agent/package_module.c @@ -39,6 +39,7 @@ #include #include /* RecordPkgOperationInChroot() */ #include /* CHROOT_PKG_OPERATION_* */ +#include /* safely write csv entries */ #define INVENTORY_LIST_BUFFER_SIZE 100 * 80 /* 100 entries with 80 characters * per line */ @@ -658,7 +659,8 @@ int UpdatePackagesDB(Rlist *data, const char *pm_name, UpdateType type) { CleanDB(db_cached); - Buffer *inventory_data = BufferNewWithCapacity(INVENTORY_LIST_BUFFER_SIZE); + Writer *idw = StringWriter(); + CsvWriter *idcw = CsvWriterOpen(idw); const char *package_data[3] = {NULL, NULL, NULL}; @@ -676,9 +678,10 @@ int UpdatePackagesDB(Rlist *data, const char *pm_name, UpdateType type) package_data[1], package_data[2], type); - BufferAppendF(inventory_data, "%s,%s,%s\n", - package_data[0], package_data[1], - package_data[2]); + CsvWriterField(idcw, package_data[0]); + CsvWriterField(idcw, package_data[1]); + CsvWriterField(idcw, package_data[2]); + CsvWriterNewRecord(idcw); } else { @@ -726,8 +729,10 @@ int UpdatePackagesDB(Rlist *data, const char *pm_name, UpdateType type) WritePackageDataToDB(db_cached, package_data[0], package_data[1], package_data[2], type); - BufferAppendF(inventory_data, "%s,%s,%s\n", package_data[0], - package_data[1], package_data[2]); + CsvWriterField(idcw, package_data[0]); + CsvWriterField(idcw, package_data[1]); + CsvWriterField(idcw, package_data[2]); + CsvWriterNewRecord(idcw); } else if (package_data[0] || package_data[1] || package_data[2]) { @@ -739,7 +744,14 @@ int UpdatePackagesDB(Rlist *data, const char *pm_name, UpdateType type) } char *inventory_key = ""; - char *inventory_list = BufferClose(inventory_data); + CsvWriterClose(idcw); + char *inventory_list = StringWriterClose(idw); + + // Legacy: the lines are expected to be separated by newlines, not CRLF + const size_t buf_size = strlen(inventory_list); + NDEBUG_UNUSED const ssize_t num_repl = + StringReplace(inventory_list, buf_size, "\r\n", "\n"); + assert(num_repl >= 0); /* We can have empty list of installed software or available updates. */ if (inventory_list == NULL) From 74fcc5e0c83b1a482efe102f81a90472687eea07 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 10 Apr 2024 13:15:40 -0500 Subject: [PATCH 128/255] Changed cf-apache systemd unit to reload configuration gracefully apachectl graceful doesn't close currently open connections. Ticket: ENT-11526 Changelog: title (cherry picked from commit d3e0ed02ad30c61707d80d6ba93ece8b96810cfb) --- misc/systemd/cf-apache.service.in | 1 + 1 file changed, 1 insertion(+) diff --git a/misc/systemd/cf-apache.service.in b/misc/systemd/cf-apache.service.in index dea7c2356f..e0acc7a75c 100644 --- a/misc/systemd/cf-apache.service.in +++ b/misc/systemd/cf-apache.service.in @@ -10,6 +10,7 @@ PartOf=cfengine3.service Type=forking ExecStart=@workdir@/httpd/bin/apachectl start ExecStop=@workdir@/httpd/bin/apachectl stop +ExecReload=@workdir@/httpd/bin/apachectl graceful PIDFile=@workdir@/httpd/httpd.pid Restart=always RestartSec=10 From 9ceeea7dcae937f883fba67047ef87004a844c15 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Fri, 3 May 2024 15:20:14 +0200 Subject: [PATCH 129/255] Try to acquire file lock when closing DB To prevent multiple processes from opening/closing the DB at the same time. From what we have seen, the *Invalid argument* issues only happen when multiple processes try to work with the DB, multiple threads inside a single process don't seem to hit the trigger. Also, we have seen that the issues happen when LMDB tries to use a robust (shared inter-process) mutex that was already destroyed. Ticket: ENT-11543 Changelog: CFEngine processes no longer suffer from the "Invalid argument" issues when working with LMDB --- libpromises/dbm_api.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libpromises/dbm_api.c b/libpromises/dbm_api.c index 97bd1869f6..e1b957242e 100644 --- a/libpromises/dbm_api.c +++ b/libpromises/dbm_api.c @@ -525,8 +525,14 @@ void CloseDB(DBHandle *handle) handle->refcount--; if (handle->refcount == 0) { + FileLock lock = EMPTY_FILE_LOCK; + bool locked = DBPathLock(&lock, handle->filename); DBPrivCloseDB(handle->priv); handle->open_tstamp = -1; + if (locked) + { + DBPathUnLock(&lock); + } } } From f26421ab98a2edc3afd94f94dc9586dd4c5f6d84 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 23 Apr 2024 15:35:08 -0500 Subject: [PATCH 130/255] GH Actions macOS: Fixed installation and PATH for libtool and autoconf (cherry picked from commit a952695ed46d8b1700bb0719922278fa2a591031) --- .github/workflows/macos_unit_tests.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/macos_unit_tests.yml b/.github/workflows/macos_unit_tests.yml index d42545e022..d18b1c3de9 100644 --- a/.github/workflows/macos_unit_tests.yml +++ b/.github/workflows/macos_unit_tests.yml @@ -11,9 +11,13 @@ jobs: with: submodules: recursive - name: Install dependencies - run: brew install lmdb automake openssl pcre + run: brew install lmdb automake openssl pcre2 autoconf libtool + - name: Check tools + run: command -v libtool && command -v automake && command -v autoconf + - name: Check tools versions + run: libtool -V && automake --version && autoconf --version - name: Run autotools / configure - run: ./autogen.sh --enable-debug + run: PATH="/opt/homebrew/opt/libtool/libexec/gnubin:$PATH" ./autogen.sh --enable-debug - name: Compile and link run: make -j8 CFLAGS="-Werror -Wall" - name: Run unit tests From c384719218fe0500e36cd9e4d6f0c01a17a54601 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 24 Apr 2024 13:10:49 +0200 Subject: [PATCH 131/255] GH Actions macOS: Use brew --prefix to locate LMDB, OpenSSL, and pcre Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 2f663973d0ce7107527bc369eea14cd926a03147) --- .github/workflows/macos_unit_tests.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/macos_unit_tests.yml b/.github/workflows/macos_unit_tests.yml index d18b1c3de9..c29a1ce2e0 100644 --- a/.github/workflows/macos_unit_tests.yml +++ b/.github/workflows/macos_unit_tests.yml @@ -17,7 +17,11 @@ jobs: - name: Check tools versions run: libtool -V && automake --version && autoconf --version - name: Run autotools / configure - run: PATH="/opt/homebrew/opt/libtool/libexec/gnubin:$PATH" ./autogen.sh --enable-debug + run: > + LDFLAGS="-L`brew --prefix lmdb`/lib -L`brew --prefix openssl`/lib -L`brew --prefix pcre2`/lib" + CPPFLAGS="-I`brew --prefix lmdb`/include -I`brew --prefix openssl`/include -I`brew --prefix pcre2`/include" + PATH="/opt/homebrew/opt/libtool/libexec/gnubin:$PATH" + ./autogen.sh --enable-debug - name: Compile and link run: make -j8 CFLAGS="-Werror -Wall" - name: Run unit tests From 1315fe3c8a2b6fd1c8534b32c67a11608db31370 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Mon, 6 May 2024 20:01:38 +0200 Subject: [PATCH 132/255] GH Action macOS: Reverted to pcre Signed-off-by: Ole Herman Schumacher Elgesem --- .github/workflows/macos_unit_tests.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/macos_unit_tests.yml b/.github/workflows/macos_unit_tests.yml index c29a1ce2e0..913f21b405 100644 --- a/.github/workflows/macos_unit_tests.yml +++ b/.github/workflows/macos_unit_tests.yml @@ -11,15 +11,15 @@ jobs: with: submodules: recursive - name: Install dependencies - run: brew install lmdb automake openssl pcre2 autoconf libtool + run: brew install lmdb automake openssl pcre autoconf libtool - name: Check tools run: command -v libtool && command -v automake && command -v autoconf - name: Check tools versions run: libtool -V && automake --version && autoconf --version - name: Run autotools / configure run: > - LDFLAGS="-L`brew --prefix lmdb`/lib -L`brew --prefix openssl`/lib -L`brew --prefix pcre2`/lib" - CPPFLAGS="-I`brew --prefix lmdb`/include -I`brew --prefix openssl`/include -I`brew --prefix pcre2`/include" + LDFLAGS="-L`brew --prefix lmdb`/lib -L`brew --prefix openssl`/lib -L`brew --prefix pcre`/lib" + CPPFLAGS="-I`brew --prefix lmdb`/include -I`brew --prefix openssl`/include -I`brew --prefix pcre`/include" PATH="/opt/homebrew/opt/libtool/libexec/gnubin:$PATH" ./autogen.sh --enable-debug - name: Compile and link From 3e0edb175de566140ad3196f60116dcd1260e8bf Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 7 May 2024 13:42:56 -0500 Subject: [PATCH 133/255] Improve and re-enable windows acceptance test workflow Ticket: ENT-10699 Changelog: none (cherry picked from commit da214fa9593576926f11b553524958bc6680fee3) Conflicts: .github/workflows/ci.yml .github/workflows/windows_acceptance_tests.yml Added windows acceptance test to 3.21.x and changed cf-remote command from using master to latest 3.21.x nightly. --- .github/workflows/ci.yml | 3 + .../workflows/windows_acceptance_tests.yml | 83 +++++++++++++++++++ 2 files changed, 86 insertions(+) create mode 100644 .github/workflows/windows_acceptance_tests.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9e4b3ad451..6554e4fc34 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,6 +17,9 @@ jobs: acceptance_tests: needs: unit_tests uses: ./.github/workflows/acceptance_tests.yml + windows_acceptance_tests: + needs: unit_tests + uses: ./.github/workflows/windows_acceptance_tests.yml macos_unit_tests: needs: unit_tests uses: ./.github/workflows/macos_unit_tests.yml diff --git a/.github/workflows/windows_acceptance_tests.yml b/.github/workflows/windows_acceptance_tests.yml new file mode 100644 index 0000000000..f387042f27 --- /dev/null +++ b/.github/workflows/windows_acceptance_tests.yml @@ -0,0 +1,83 @@ +name: Windows Acceptance Tests + +on: + workflow_call + +defaults: + run: + shell: msys2 {0} + +jobs: + windows_acceptance_tests: + runs-on: windows-latest + steps: + - uses: msys2/setup-msys2@v2 + with: + install: >- + dos2unix + diffutils + util-linux + python-pip + + - name: Checkout Core + uses: actions/checkout@v3 + + - name: install cf-remote + run: pip install cf-remote + + # Note that msiexec can't install packages when running under msys; + # But cf-remote currently can't run under powershell + # (because it requires `pwd` module which is Unix-only). + # Hence, we _download_ msi package using cf-remote under msys, + # and install it by msiexec running under powershell. + + - name: get CFEngine package + run: cf-remote --version 3.21.x download 64 msi + + - name: move CFEngine package to current workdir + run: "mv $HOME/.cfengine/cf-remote/packages/*.msi cfengine.msi" + + - name: install CFEngine + run: | + Get-Location # pwd + New-Item -Path "c:\" -Name "artifacts" -ItemType Directory + Start-Process msiexec.exe -Wait -ArgumentList '/quiet /qn /i cfengine.msi /L*V c:\tmp.log' + Get-Content c:\tmp.log | Set-Content -Encoding utf8 c:\artifacts\CFEngine-Install.log + file c:\artifacts\CFEngine-Install.log + shell: pwsh + + - name: run cf-agent + run: "'/c/Program Files/Cfengine/bin/cf-agent.exe' --version" + + # Note that msiexec install CFEngine onto the C: drive (/c/ partition), + # but testall expects it to be on the same partition as where all tests are located (D: drive), + # hence we just copy it over. + - name: copy CFEngine to workdir partition + run: 'cp -a "/c/Program Files/Cfengine" /d/a/' + + - name: prune platform independent tests to make the job more efficient + run: 'Remove-Item -Recurse -Force 00_basics, 01_vars, 02_classes, 10_files, 14_reports, 15_control, 16_cf-serverd, 21_methods, 22_cf-runagent, 26_cf-net, 27_cf-secret, 28_inform_testing' + working-directory: "tests/acceptance" + shell: pwsh + - name: run the tests + run: './testall --bindir="/d/a/Cfengine/bin" --extraclasses=EXTRA' + working-directory: "tests/acceptance" + env: + # env vars for testall script to properly detect environment + USER: runneradmin + OSTYPE: msys + + - name: print test.log + run: 'cat ./tests/acceptance/test.log || true' + if: ${{ always() }} + - name: save test.log in artifacts + run: 'cp ./tests/acceptance/test.log /c/artifacts/test.log || true' + if: ${{ always() }} + + + - name: save artifacts + if: success() || failure() + uses: actions/upload-artifact@v3 + with: + name: artifacts + path: c:\artifacts From 9e794ace40827bab15a0b854982b99d8500fc742 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Mon, 6 May 2024 19:26:47 +0200 Subject: [PATCH 134/255] Changed cf-execd's sleep behavior so it attempts to wake up at the beginning of every minute This could fix issues if things are slow and agent runs end up getting skipped if cf-execd wakes up too late. Changelog: Title Ticket: ENT-11765 Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit fa6474c3f8495258ba16eeb701895ff73858a637) --- cf-execd/cf-execd.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/cf-execd/cf-execd.c b/cf-execd/cf-execd.c index 9e8c756b80..29c37835a0 100644 --- a/cf-execd/cf-execd.c +++ b/cf-execd/cf-execd.c @@ -424,6 +424,23 @@ void ThisAgentInit(void) umask(077); } +// Return 2 to 62 seconds depending on how much time is left until the next +// minute starts. Since cf-execd wakes up "every minute" to evaluate its +// schedule, we want to do this at the start of the minute, to avoid +// accidentally skipping any runs if things are slow. +// +// Why +2? Why not 0 to 60? Not a very good reason, but: +// Sleep at least 2 seconds to avoid 2 agent runs very close together +// Target waking up at :02 seconds, to reduce the chances of waking +// up at :59 in the previous minute, and unintentionally having 2 +// agent runs in the same minute +static inline time_t GetPulseTime() +{ + const time_t current_second = (time(NULL) % CFPULSETIME); + const time_t remaining_seconds = CFPULSETIME - current_second; + return remaining_seconds + 2; +} + /*****************************************************************************/ @@ -524,6 +541,7 @@ static bool HandleRequestsOrSleep(time_t seconds, const char *reason, return false; } +// Non-windows version of main loop: static void CFExecdMainLoop(EvalContext *ctx, Policy **policy, GenericAgentConfig *config, ExecdConfig **execd_config, ExecConfig **exec_config, int runagent_socket) @@ -554,7 +572,7 @@ static void CFExecdMainLoop(EvalContext *ctx, Policy **policy, GenericAgentConfi } } /* 1 Minute resolution is enough */ - terminate = HandleRequestsOrSleep(CFPULSETIME, "pulse time", runagent_socket, + terminate = HandleRequestsOrSleep(GetPulseTime(), "pulse time", runagent_socket, (*execd_config)->local_run_command); if (terminate) { @@ -689,6 +707,7 @@ static inline unsigned int MaybeSleepLog(LogLevel level, const char *msg_format, return sleep(seconds); } +// Windows version of main loop: static void CFExecdMainLoop(EvalContext *ctx, Policy **policy, GenericAgentConfig *config, ExecdConfig **execd_config, ExecConfig **exec_config, ARG_UNUSED int runagent_socket) @@ -714,8 +733,8 @@ static void CFExecdMainLoop(EvalContext *ctx, Policy **policy, GenericAgentConfi LocalExec(*exec_config); } } - /* 1 Minute resolution is enough */ - MaybeSleepLog(LOG_LEVEL_VERBOSE, "Sleeping for pulse time %u seconds...", CFPULSETIME); + // This is not just a log message, it maybe sleeps and maybe logs something: + MaybeSleepLog(LOG_LEVEL_VERBOSE, "Sleeping for pulse time %u seconds...", GetPulseTime()); } } #endif /* ! __MINGW32__ */ From c5fc46f51b778ef982b480892fa969844607df0b Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem <4048546+olehermanse@users.noreply.github.com> Date: Wed, 28 Feb 2024 13:12:45 +0100 Subject: [PATCH 135/255] Added warning log message when OS is not recognized Changelog: Title Ticket: CFE-4342 (cherry picked from commit e1ff8195074fa6c17a9785cd3ef1880050438f8f) --- libenv/sysinfo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c index 6ed5636c62..00b4128c66 100644 --- a/libenv/sysinfo.c +++ b/libenv/sysinfo.c @@ -3494,6 +3494,8 @@ static void SysOSNameHuman(EvalContext *ctx) EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, lval, "Unknown", CF_DATA_TYPE_STRING, "source=agent"); + Log(LOG_LEVEL_WARNING, + "Operating System not properly recognized, setting sys.os_name_human to \"Unkown\", please submit a bug report for us to fix this"); } } From a8d767d8b49e4ca89ca7288aa916d65e29892217 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 29 Feb 2024 18:50:39 -0600 Subject: [PATCH 136/255] Corrected typo in warning message s/Unkown/Unknown/ Ticket: none Changelog: none (cherry picked from commit 5570fb94f6ecb17546f225549f83c7c4770178bc) --- libenv/sysinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c index 00b4128c66..6beb59bb07 100644 --- a/libenv/sysinfo.c +++ b/libenv/sysinfo.c @@ -3495,7 +3495,7 @@ static void SysOSNameHuman(EvalContext *ctx) "Unknown", CF_DATA_TYPE_STRING, "source=agent"); Log(LOG_LEVEL_WARNING, - "Operating System not properly recognized, setting sys.os_name_human to \"Unkown\", please submit a bug report for us to fix this"); + "Operating System not properly recognized, setting sys.os_name_human to \"Unknown\", please submit a bug report for us to fix this"); } } From 5d13d0358a871860ae01a266cc7d47cbab34741f Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Fri, 26 Apr 2024 17:30:59 +0200 Subject: [PATCH 137/255] Allow httpd to open tmp files This is needed for successful uploads of custom action scripts. (cherry picked from commit b80cceed6fddbd32d77521e950fb6d91a2ed3050) --- misc/selinux/cfengine-enterprise.te.all | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index d1d6e48015..ba9dbf17d2 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -638,7 +638,7 @@ allow cfengine_httpd_t sssd_var_lib_t:dir search; allow cfengine_httpd_t sssd_var_lib_t:sock_file write; allow cfengine_httpd_t syslogd_var_run_t:dir search; allow cfengine_httpd_t tmp_t:sock_file write; -allow cfengine_httpd_t tmp_t:file { create setattr unlink write rename }; +allow cfengine_httpd_t tmp_t:file { create setattr unlink write rename open }; allow cfengine_httpd_t tmp_t:dir { add_name remove_name write read }; allow cfengine_httpd_t var_t:dir read; From d3ecdc2304df9cab4a8c9324565ec95af2d61a42 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Wed, 5 Jun 2024 14:51:44 +0200 Subject: [PATCH 138/255] Added changelog for 3.21.5 --- ChangeLog | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/ChangeLog b/ChangeLog index 4fa59c57ec..51d892a53a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,27 @@ +3.21.5: + - Added warning log message when OS is not recognized (CFE-4342) + - Adjusted package module inventory to include quotes around fields when needed + (CFE-4341) + - Added `sys.os_name_human` and `sys.os_version_major`. Additionally + changed value of `sys.flavor` from `AmazonLinux` to `amazon_linux_2`, so + that it is similar to other supported Linux distros. This change was + necessary, due to the fact that the `sys.os_version_major` variable is + derived from it. However, the `AmazonLinux` class previously derived + from `sys.flavor` is still defined for backwards compatibility. + (ENT-10817) + - CFEngine processes no longer suffer from the "Invalid argument" issues when + working with LMDB (ENT-11543) + - Changed cf-apache systemd unit to reload configuration gracefully + (ENT-11526) + - Changed cf-execd's sleep behavior so it attempts to wake up at the beginning of every minute + (ENT-11765) + - Modified package promise default. If platform_default is present use that package module. + (CFE-4315) + - Ownership of symlinks is now handled properly (ENT-11235) + - cf-agent has two new options --no-augments and --no-host-specific-data to skip + loading augments (def.json or def_preferred.json) and host-specific data + (host_specific.json), respectively (ENT-10792) + 3.21.4: - 'cf-check diagnose' now shows DB usage and a hint if rotation is required - 'cf-check repair' now rotates DB files with high usage (>95%) (CFE-3374) From c1e32dcfde992025a0b6cee1e5fb4be6a5fa0b60 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 5 Jun 2024 14:55:51 +0200 Subject: [PATCH 139/255] Fixed bug where default:sys.fqhost contained many spaces Fixed bug where `default:sys.fqhost` contained many spaces when domain is set in body common control. Ticket: CFE-4053 Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit 06e3eff4b15c4ac0965def1ac1aff741c3d77a81) --- libpromises/expand.c | 25 +++++++++----- .../01_vars/01_basic/fqhost_domain.cf | 33 +++++++++++++++++++ 2 files changed, 49 insertions(+), 9 deletions(-) create mode 100644 tests/acceptance/01_vars/01_basic/fqhost_domain.cf diff --git a/libpromises/expand.c b/libpromises/expand.c index b4845306fc..6485ee20b3 100644 --- a/libpromises/expand.c +++ b/libpromises/expand.c @@ -945,19 +945,26 @@ static void ResolveControlBody(EvalContext *ctx, GenericAgentConfig *config, Log(LOG_LEVEL_VERBOSE, "SET domain = %s", VDOMAIN); EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_SYS, "domain"); - EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_SYS, "fqhost"); - - // We don't expect hostname or domain name longer than 255, - // warnings are printed in sysinfo.c. - // Here we support up to 511 bytes, just in case, because we can: - snprintf(VFQNAME, CF_MAXVARSIZE, "%511s.%511s", VUQNAME, VDOMAIN); - EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "fqhost", - VFQNAME, CF_DATA_TYPE_STRING, - "inventory,source=agent,attribute_name=Host name"); EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "domain", VDOMAIN, CF_DATA_TYPE_STRING, "source=agent"); EvalContextClassPutHard(ctx, VDOMAIN, "source=agent"); + + int ret = snprintf(VFQNAME, CF_MAXVARSIZE, "%s.%s", VUQNAME, VDOMAIN); + assert(ret >= 0 && ret < CF_MAXVARSIZE); + if (ret < 0 || ret >= CF_MAXVARSIZE) + { + Log(LOG_LEVEL_ERR, + "Failed to update variable default:sys.fqhost to include domain name: " + "Maximum variable size was exceeded (%d >= %d)", ret, CF_MAXVARSIZE); + } + else + { + EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_SYS, "fqhost"); + EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "fqhost", + VFQNAME, CF_DATA_TYPE_STRING, + "inventory,source=agent,attribute_name=Host name"); + } } if (strcmp(lval, CFG_CONTROLBODY[COMMON_CONTROL_IGNORE_MISSING_INPUTS].lval) == 0) diff --git a/tests/acceptance/01_vars/01_basic/fqhost_domain.cf b/tests/acceptance/01_vars/01_basic/fqhost_domain.cf new file mode 100644 index 0000000000..7fbc61785d --- /dev/null +++ b/tests/acceptance/01_vars/01_basic/fqhost_domain.cf @@ -0,0 +1,33 @@ +############################################################## +# +# Test default:sys.fqhost with domain CFE-4053 +# +############################################################## + +body common control +{ + domain => "cfengine.com"; + bundlesequence => { "check" }; +} + +bundle agent __main__ +{ + methods: + "check"; +} + +############################################################## + +bundle agent check +{ + reports: + DEBUG:: + "$(sys.fqhost), $(sys.uqhost).cfengine.com"; + + any:: + "$(this.promise_filename) Pass" + if => strcmp( "$(sys.fqhost)", "$(sys.uqhost).cfengine.com" ); + + "$(this.promise_filename) FAIL" + unless => strcmp( "$(sys.fqhost)", "$(sys.uqhost).cfengine.com" ); +} From 8a06b04b340ec228267c8fd4d7c06cee1f71698f Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem <4048546+olehermanse@users.noreply.github.com> Date: Wed, 5 Jun 2024 22:04:19 +0200 Subject: [PATCH 140/255] 3.21.5 changelog: Added bugfix which came in late Co-authored-by: Nick Anderson --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 51d892a53a..b9eeb914b9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,8 @@ - cf-agent has two new options --no-augments and --no-host-specific-data to skip loading augments (def.json or def_preferred.json) and host-specific data (host_specific.json), respectively (ENT-10792) + - Fixed bug where `default:sys.fqhost` contained many spaces when domain is + set in body common control (CFE-4053) 3.21.4: - 'cf-check diagnose' now shows DB usage and a hint if rotation is required From 03dde091d7026ca039cfee47210ead1efa4f7cd2 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Fri, 7 Jun 2024 08:27:26 -0500 Subject: [PATCH 141/255] Fixed doc build Markdown in the changelog (especially single backticks around words) cause the doc build to break with failure to resolve automatic links. Here we simply replaced backticks with single quotes. Ticket: ENT-11854 Changelog: None --- ChangeLog | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index b9eeb914b9..fc05e63161 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,12 +2,12 @@ - Added warning log message when OS is not recognized (CFE-4342) - Adjusted package module inventory to include quotes around fields when needed (CFE-4341) - - Added `sys.os_name_human` and `sys.os_version_major`. Additionally - changed value of `sys.flavor` from `AmazonLinux` to `amazon_linux_2`, so + - Added 'sys.os_name_human' and 'sys.os_version_major'. Additionally + changed value of 'sys.flavor' from 'AmazonLinux' to 'amazon_linux_2', so that it is similar to other supported Linux distros. This change was - necessary, due to the fact that the `sys.os_version_major` variable is - derived from it. However, the `AmazonLinux` class previously derived - from `sys.flavor` is still defined for backwards compatibility. + necessary, due to the fact that the 'sys.os_version_major' variable is + derived from it. However, the 'AmazonLinux' class previously derived + from 'sys.flavor' is still defined for backwards compatibility. (ENT-10817) - CFEngine processes no longer suffer from the "Invalid argument" issues when working with LMDB (ENT-11543) @@ -21,7 +21,7 @@ - cf-agent has two new options --no-augments and --no-host-specific-data to skip loading augments (def.json or def_preferred.json) and host-specific data (host_specific.json), respectively (ENT-10792) - - Fixed bug where `default:sys.fqhost` contained many spaces when domain is + - Fixed bug where 'default:sys.fqhost' contained many spaces when domain is set in body common control (CFE-4053) 3.21.4: From d7cca3b851b677237b47e66355dedcbee9ffd638 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Sun, 9 Jun 2024 08:27:46 +0200 Subject: [PATCH 142/255] Allow all processing using the netlink route socket to read/write Otherwise things like this happen: postfix/sendmail[31057]: fatal: inet_addr_local[getifaddrs]: getifaddrs: Permission denied (cherry picked from commit 5fbebdb34fc51bc5d6ce14b005674f7feaf8a403) Conflicts: misc/selinux/cfengine-enterprise.te.all --- misc/selinux/cfengine-enterprise.te.all | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index ba9dbf17d2..35ebdc9587 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -455,7 +455,7 @@ allow cfengine_hub_t self:capability { dac_override chown dac_read_search }; allow cfengine_hub_t self:process { execmem setrlimit }; allow cfengine_hub_t self:tcp_socket { connect create getopt setopt read write }; allow cfengine_hub_t self:udp_socket { connect create getattr ioctl setopt read write }; -allow cfengine_hub_t self:netlink_route_socket { create getopt setopt bind getattr nlmsg_read }; +allow cfengine_hub_t self:netlink_route_socket { create getopt setopt bind getattr nlmsg_read read write }; allow cfengine_hub_t self:unix_dgram_socket { create connect read write }; allow cfengine_hub_t semanage_exec_t:file getattr; allow cfengine_hub_t shadow_t:file getattr; @@ -783,7 +783,7 @@ allow cfengine_reactor_t cert_t:lnk_file read; allow cfengine_reactor_t http_port_t:tcp_socket name_connect; allow cfengine_reactor_t net_conf_t:file { getattr open read }; allow cfengine_reactor_t self:capability { chown fsetid }; -allow cfengine_reactor_t self:netlink_route_socket { bind create getattr nlmsg_read }; +allow cfengine_reactor_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow cfengine_reactor_t self:tcp_socket { create ioctl read getattr write setattr append connect getopt setopt shutdown name_connect }; allow cfengine_reactor_t self:udp_socket { create ioctl read getattr write setattr append connect getopt setopt shutdown }; allow cfengine_reactor_t self:unix_stream_socket connectto; @@ -856,7 +856,7 @@ allow cfengine_cfbs_t http_port_t:tcp_socket name_connect; allow cfengine_cfbs_t net_conf_t:file { getattr open read }; allow cfengine_cfbs_t passwd_file_t:file { getattr open read }; allow cfengine_cfbs_t self:capability dac_override; -allow cfengine_cfbs_t self:netlink_route_socket { bind create getattr nlmsg_read }; +allow cfengine_cfbs_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow cfengine_cfbs_t self:tcp_socket { create ioctl read getattr write setattr append connect getopt setopt shutdown name_connect }; allow cfengine_cfbs_t self:udp_socket { create ioctl read getattr write setattr append connect getopt setopt shutdown }; allow cfengine_cfbs_t sssd_public_t:dir search; From 173b8a77c4ace8bdbae76f25042d2ae752c1e8fd Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Mon, 17 Jun 2024 14:55:47 +0200 Subject: [PATCH 143/255] Allow depth_search on non-directory files So that policy using depth_search with a promiser that is a file simply handles the file itself. A warning is issued, though. Ticket: ENT-8996 Changelog: depth_search acting on a non-directory promiser now handles such file as if the promise didn't use depth_search issuing a warning (cherry picked from commit 139885f3e0bf7416315b61aef2407194afe9467c) --- cf-agent/verify_files.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/cf-agent/verify_files.c b/cf-agent/verify_files.c index d50e05a186..437647dce4 100644 --- a/cf-agent/verify_files.c +++ b/cf-agent/verify_files.c @@ -446,16 +446,11 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi } else { - if (!S_ISDIR(osb.st_mode)) + if (!S_ISDIR(osb.st_mode) && a.havedepthsearch) { - if (a.havedepthsearch) - { - /* TODO: PROMISE_RESULT_DENIED */ - Log(LOG_LEVEL_DEBUG, - "depth_search (recursion) is promised for a base object '%s' that is not a directory", - path); - goto exit; - } + Log(LOG_LEVEL_WARNING, + "depth_search (recursion) is promised for a base object '%s' that is not a directory", + path); } exists = true; From 4ae158220b5abd7ed317a67597a8541f7f7fe201 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Tue, 18 Jun 2024 16:22:40 +0200 Subject: [PATCH 144/255] Add changelog for the depth_search change Introduced in 173b8a77c4ace8bdbae76f25042d2ae752c1e8fd. --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index fc05e63161..3927072557 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,8 @@ (host_specific.json), respectively (ENT-10792) - Fixed bug where 'default:sys.fqhost' contained many spaces when domain is set in body common control (CFE-4053) + - depth_search acting on a non-directory promiser now handles such + file as if the promise didn't use depth_search, issuing a warning (ENT-8996) 3.21.4: - 'cf-check diagnose' now shows DB usage and a hint if rotation is required From 14d70f0349b545703cb7ea7b40ab94aef2657917 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 17 Jun 2024 13:11:09 -0500 Subject: [PATCH 145/255] Adjusted local settings in masterfiles stage common script to handle more cases On Debian-9 and possibly other older or minimal systems en-US.utf-8 may not be a locale which is available. In any case, default to the first utf locale found via `locale -a` which seems to include something general first regardless. Ticket: ENT-11885 Changelog: title (cherry picked from commit b99fa9a7f10b77ce31bf738b9de8883b64ff2dfc) --- contrib/masterfiles-stage/common.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/contrib/masterfiles-stage/common.sh b/contrib/masterfiles-stage/common.sh index 79e0b2b2f1..3704ea8e68 100755 --- a/contrib/masterfiles-stage/common.sh +++ b/contrib/masterfiles-stage/common.sh @@ -190,7 +190,16 @@ git_cfbs_deploy_refspec() { # (See long comment at end of function def.) # The chipmunk in cfbs output breaks things without this or similar - export LC_ALL=en_US.utf-8 + # The chipmunk in cfbs output breaks things without this or similar + if [ -f "/etc/locale.conf" ]; then + source "/etc/locale.conf" + export LC_ALL="$LANG" # retrieved from locale.conf + else + _LOCALE=$(locale -a | grep -i utf | head -1) + if [ -n "$_LOCALE" ]; then + export LC_ALL="$_LOCALE" + fi + fi # Ensure absolute pathname is given [ "${1:0:1}" = / ] || From f531126f4d55ab47f8703fe0757af4072ff5dc9a Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Fri, 21 Jun 2024 00:10:37 +0200 Subject: [PATCH 146/255] Bumped .CFVERSION number to 3.21.6 Signed-off-by: Ole Herman Schumacher Elgesem --- .CFVERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.CFVERSION b/.CFVERSION index cc6a474e33..ec3cb7590f 100644 --- a/.CFVERSION +++ b/.CFVERSION @@ -1 +1 @@ -3.21.5 +3.21.6 From d95bd84a38a652cb86bb8451bcf3f699ece3b91b Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 27 Jun 2024 13:48:57 -0500 Subject: [PATCH 147/255] Fixed packagesmatching() function segfaulting on Windows platform The packagesmatching() function searches for lmdb databases with GlobFileList() which is known to segfault on absolute paths on Windows with backslashes. The fix is only needed in 3.21.x because changes in master core+libntech improve the situation in a more thorough way. Ticket: ENT-11900 Changelog: title --- libpromises/dbm_api.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libpromises/dbm_api.c b/libpromises/dbm_api.c index e1b957242e..7b422ddaec 100644 --- a/libpromises/dbm_api.c +++ b/libpromises/dbm_api.c @@ -170,7 +170,15 @@ char *DBIdToSubPath(dbid id, const char *subdb_name) Seq *SearchExistingSubDBNames(const dbid id) { + // On Windows, GetStateDir() used in DBIdToSubPath() has backslashes + // GlobFileList() won't work with backslashes in 3.21.x so workaround this issue +#ifdef _WIN32 + char *const broken_pattern = DBIdToSubPath(id, "*"); + char *const glob_pattern = SearchAndReplace(broken_pattern, "\\", "/"); + free(broken_pattern); +#else char *const glob_pattern = DBIdToSubPath(id, "*"); +#endif StringSet *const db_paths = GlobFileList(glob_pattern); free(glob_pattern); From 60bffc71435993b006b3c4b3f1170103d48eb872 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 10 Jun 2024 13:57:14 +0200 Subject: [PATCH 148/255] Fixed bug in double expansion of foreign list variables Test output before fix looks like this: ``` R: /ntech/cfengine/core/tests/acceptance/01_vars/01_basic/double_expansion_list.cf FAIL R: $($(parent_bundle).str) => EXPANDED R: $($(parent_bundle).lst) => $(check.lst) R: $(check.baz) => EXPANDED R: $($(parent_bundle)$lst) => EXPANDED ``` Ticket: ENT-9491 Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit ea1c92f832799ffe92376381725d3d1b53856f8d) --- libpromises/iteration.c | 55 +++++++++++++++ .../01_vars/01_basic/double_expansion_list.cf | 68 +++++++++++++++++++ 2 files changed, 123 insertions(+) create mode 100755 tests/acceptance/01_vars/01_basic/double_expansion_list.cf diff --git a/libpromises/iteration.c b/libpromises/iteration.c index d314f6ada5..f65cc85990 100644 --- a/libpromises/iteration.c +++ b/libpromises/iteration.c @@ -799,6 +799,11 @@ static void ExpandAndPutWheelVariablesAfter( EvalContext *evalctx, size_t wheel_idx) { + assert(iterctx != NULL); + assert(iterctx->wheels != NULL); + assert(iterctx->pp != NULL); + assert(iterctx->pp->promiser != NULL); + /* Buffer to store the expanded wheel variable name, for each wheel. */ Buffer *tmpbuf = BufferNew(); @@ -859,6 +864,56 @@ static void ExpandAndPutWheelVariablesAfter( assert(SeqLength(wheel->values) > 0); assert( SeqAt(wheel->values, 0) != NULL); + /* During initialization of the iteration engine, lists from + * foreign bundles are mangled in order to avoid overwriting + * the values in that bundle. However, the iteration engine + * has no way of knowing that some variables like + * $($(parent_bundle).lst) is a list during initialization. + * Hence, while crunching the wheels, this hack makes sure + * foreign variables are mangled when ever they expand into + * a list. + * + * How does it work? It looks for a '.' in both + * #iterctx->pp->promiser and #varname, where the left side + * of #varname is a bundle name and the right side of + * #iterctx->pp->promiser begins with the right side of + * #varname. If all of the constraints are fulfilled it + * swaps the '.' with '#' in both variables. + * + * See ticket ENT-9491 for more info. + */ + if (!IsMangled(varname)) + { + const StringSet *scopes = EvalContextGetBundleNames(evalctx); + + bool done = false; + char *unexp_pos = iterctx->pp->promiser; + while (!done && (unexp_pos = strchr(unexp_pos, '.')) != NULL) + { + char *exp_pos = (char *)varname; + while (!done && (exp_pos = strchr(exp_pos, '.')) != NULL) + { + if (StringStartsWith(unexp_pos + 1, exp_pos + 1)) + { + char tmp = *exp_pos; + *exp_pos = '\0'; + if (StringSetContains(scopes, varname)) + { + *exp_pos = CF_MANGLED_SCOPE; + *unexp_pos = CF_MANGLED_SCOPE; + done = true; + } + else + { + *exp_pos = tmp; + } + } + exp_pos += 1; + } + unexp_pos += 1; + } + } + /* Put the first value of the iterable. */ IterListElementVariablePut(evalctx, varname, value_type, SeqAt(wheel->values, 0)); diff --git a/tests/acceptance/01_vars/01_basic/double_expansion_list.cf b/tests/acceptance/01_vars/01_basic/double_expansion_list.cf new file mode 100755 index 0000000000..34890815d6 --- /dev/null +++ b/tests/acceptance/01_vars/01_basic/double_expansion_list.cf @@ -0,0 +1,68 @@ +############################################################################## +# +# Test double expansion of list from remote bundle (ENT-9491) +# +############################################################################## + +body common control +{ + bundlesequence => { "check" }; +} + +bundle agent test(parent_bundle) +{ + meta: + "description" -> { "ENT-9491", "CFE-1644" } + string => "Test double expension of list from remote bundle"; + + reports: + "$($(parent_bundle).str)" + comment => "Double expansion of remote string works prior to fix", + bundle_return_value_index => "foo"; + + "$($(parent_bundle).lst)" + comment => "But double expansion of remote list does not work prior to fix", + bundle_return_value_index => "bar"; + + "$(check.lst)" + comment => "Single expansion of remote list works prior to fix", + bundle_return_value_index => "baz"; + + "$($(parent_bundle)#lst)" + comment => "We force mangle the variable, it works, but should this be possible?", + bundle_return_value_index => "qux"; + +} + +bundle agent check +{ + vars: + "str" + string => "EXPANDED"; + "lst" + slist => { "EXPANDED" }; + + methods: + "holder" + usebundle => test("$(this.bundle)"), + useresult => "ret"; + + reports: + "$(this.promise_filename) Pass" + if => and(strcmp("$(ret[foo])", "EXPANDED"), + strcmp("$(ret[bar])", "EXPANDED"), + strcmp("$(ret[baz])", "EXPANDED"), + strcmp("$(ret[qux])", "EXPANDED")); + + "$(this.promise_filename) FAIL" + unless => and(strcmp("$(ret[foo])", "EXPANDED"), + strcmp("$(ret[bar])", "EXPANDED"), + strcmp("$(ret[qux])", "EXPANDED"), + strcmp("$(ret[baz])", "EXPANDED")); + + DEBUG:: + "$(const.dollar)($(const.dollar)(parent_bundle).str) => $(ret[foo])"; + "$(const.dollar)($(const.dollar)(parent_bundle).lst) => $(ret[bar])"; + "$(const.dollar)(check.lst) => $(ret[baz])"; + "$(const.dollar)($(const.dollar)(parent_bundle)#lst) => $(ret[qux])"; +} From ccb98307fcaaca7cb9ef27ac6e362f870f2a89fc Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 27 Jun 2024 14:53:58 +0200 Subject: [PATCH 149/255] Fixed bug in double expansion of foreign list variables with namespaces Prior to fix, the added acceptance test had the following output: ``` R: /home/larsewi/ntech/cfengine/core/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf FAIL R: $($(parent_namespace):$(parent_bundle).str) => EXPANDED R: $($(parent_namespace):$(parent_bundle).lst) => $(bogus:check.lst) R: $(default:check.lst) => EXPANDED ``` Ticket: ENT-11923 Changelog: Title Signed-off-by: Lars Erik Wik (cherry picked from commit 5e8ccbd6831e346b4242816df6ef90a762928975) --- libpromises/iteration.c | 150 ++++++++++++------ .../double_expansion_list_namespace.cf | 65 ++++++++ 2 files changed, 169 insertions(+), 46 deletions(-) create mode 100755 tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf diff --git a/libpromises/iteration.c b/libpromises/iteration.c index f65cc85990..4ad70c39d8 100644 --- a/libpromises/iteration.c +++ b/libpromises/iteration.c @@ -784,6 +784,108 @@ static Seq *IterableToSeq(const void *v, DataType t) } } +/* During initialization of the iteration engine, lists from foreign bundles are + * mangled in order to avoid overwriting the values in that bundle. However, the + * iteration engine has no way of knowing that some variables like + * $($(parent_bundle).lst) is a list during initialization. Hence, while + * crunching the wheels, this hack makes sure foreign variables are mangled when + * ever they expand into a list. + * + * How does it work? It looks for a '.' in both #iterctx->pp->promiser and + * #varname, where the left side of #varname is a bundle name and the right side + * of #iterctx->pp->promiser begins with the right side of #varname. If all of + * the constraints are fulfilled it swaps the '.' with '#' in both variables. + * Furthermore, if the variable also contains a scope, it will mangle ':' with + * '*'. + * + * See ticket ENT-9491 & ENT-11923 for more info. + */ +static void WheelMangleAfterExpandingToList(const PromiseIterator *iterctx, + EvalContext *evalctx, char *varname) +{ + assert(iterctx != NULL); + assert(iterctx->pp != NULL); + assert(iterctx->pp->promiser != NULL); + + const StringSet *scopes = EvalContextGetBundleNames(evalctx); + + // In case there is a namespace + char *unexp_namespace_token = iterctx->pp->promiser; + while ((unexp_namespace_token = strchr(unexp_namespace_token, CF_NS)) != NULL) + { + char *exp_namespace_token = varname; + while ((exp_namespace_token = strchr(exp_namespace_token, CF_NS)) != NULL) + { + char *unexp_scope_token = iterctx->pp->promiser; + while ((unexp_scope_token = strchr(unexp_scope_token, '.')) != NULL) + { + char *exp_scope_token = varname; + while ((exp_scope_token = strchr(exp_scope_token, '.')) != NULL) + { + if (exp_scope_token < exp_namespace_token) + { + // A scope token cannot come before a namespace token + continue; + } + + *exp_scope_token = '\0'; + const char *exp_scope = exp_namespace_token + 1; + const char *unexp_name = unexp_scope_token + 1; + const char *exp_name = exp_scope_token + 1; + + if (StringStartsWith(unexp_name, exp_name) && + StringSetContains(scopes, exp_scope)) + { + *unexp_namespace_token = CF_MANGLED_NS; + *exp_namespace_token = CF_MANGLED_NS; + *unexp_scope_token = CF_MANGLED_SCOPE; + *exp_scope_token = CF_MANGLED_SCOPE; + + // We are done! + return; + } + + // Put things back the way they were + *exp_scope_token = '.'; + exp_scope_token += 1; + } + unexp_scope_token += 1; + } + exp_namespace_token += 1; + } + unexp_namespace_token += 1; + } + + // In case there is no namespace + char *unexp_scope_token = iterctx->pp->promiser; + while ((unexp_scope_token = strchr(unexp_scope_token, '.')) != NULL) + { + char *exp_scope_token = varname; + while ((exp_scope_token = strchr(exp_scope_token, '.')) != NULL) + { + *exp_scope_token = '\0'; + const char *exp_scope = varname; + const char *unexp_name = unexp_scope_token + 1 ; + const char *exp_name = exp_scope_token + 1; + + if (StringStartsWith(unexp_name, exp_name) && + StringSetContains(scopes, exp_scope)) + { + *unexp_scope_token = CF_MANGLED_SCOPE; + *exp_scope_token = CF_MANGLED_SCOPE; + + // We are done! + return; + } + + // Put things back the way they were + *exp_scope_token = '.'; + exp_scope_token += 1; + } + unexp_scope_token += 1; + } +} + /** * For each of the wheels to the right of wheel_idx (including this one) * @@ -864,54 +966,10 @@ static void ExpandAndPutWheelVariablesAfter( assert(SeqLength(wheel->values) > 0); assert( SeqAt(wheel->values, 0) != NULL); - /* During initialization of the iteration engine, lists from - * foreign bundles are mangled in order to avoid overwriting - * the values in that bundle. However, the iteration engine - * has no way of knowing that some variables like - * $($(parent_bundle).lst) is a list during initialization. - * Hence, while crunching the wheels, this hack makes sure - * foreign variables are mangled when ever they expand into - * a list. - * - * How does it work? It looks for a '.' in both - * #iterctx->pp->promiser and #varname, where the left side - * of #varname is a bundle name and the right side of - * #iterctx->pp->promiser begins with the right side of - * #varname. If all of the constraints are fulfilled it - * swaps the '.' with '#' in both variables. - * - * See ticket ENT-9491 for more info. - */ if (!IsMangled(varname)) { - const StringSet *scopes = EvalContextGetBundleNames(evalctx); - - bool done = false; - char *unexp_pos = iterctx->pp->promiser; - while (!done && (unexp_pos = strchr(unexp_pos, '.')) != NULL) - { - char *exp_pos = (char *)varname; - while (!done && (exp_pos = strchr(exp_pos, '.')) != NULL) - { - if (StringStartsWith(unexp_pos + 1, exp_pos + 1)) - { - char tmp = *exp_pos; - *exp_pos = '\0'; - if (StringSetContains(scopes, varname)) - { - *exp_pos = CF_MANGLED_SCOPE; - *unexp_pos = CF_MANGLED_SCOPE; - done = true; - } - else - { - *exp_pos = tmp; - } - } - exp_pos += 1; - } - unexp_pos += 1; - } + WheelMangleAfterExpandingToList(iterctx, evalctx, + (char *) varname); } /* Put the first value of the iterable. */ diff --git a/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf b/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf new file mode 100755 index 0000000000..da14f8554e --- /dev/null +++ b/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf @@ -0,0 +1,65 @@ +############################################################################## +# +# Test double expansion of list from remote bundle with namespace (ENT-11923) +# +############################################################################## + +body common control +{ + bundlesequence => { "bogus:check" }; +} + +bundle agent test(parent_namespace, parent_bundle) +{ + meta: + "description" -> { "ENT-11923" } + string => "Test double expension of list from remote bundle with namespace"; + + reports: + "$($(parent_namespace):$(parent_bundle).str)" + comment => "Double expansion of remote string works prior to fix", + bundle_return_value_index => "foo"; + + "$($(parent_namespace):$(parent_bundle).lst)" + comment => "But double expansion of remote list does not work prior to fix", + bundle_return_value_index => "bar"; + + "$(bogus:check.lst)" + comment => "Single expansion of remote list works prior to fix", + bundle_return_value_index => "baz"; +} + +body file control +{ + namespace => "bogus"; +} + +bundle agent check +{ + vars: + "str" + string => "EXPANDED"; + "lst" + slist => { "EXPANDED" }; + + methods: + "holder" + usebundle => default:test("$(this.namespace)", "$(this.bundle)"), + useresult => "ret"; + + reports: + "$(this.promise_filename) Pass" + if => and(strcmp("$(ret[foo])", "EXPANDED"), + strcmp("$(ret[bar])", "EXPANDED"), + strcmp("$(ret[baz])", "EXPANDED")); + + "$(this.promise_filename) FAIL" + unless => and(strcmp("$(ret[foo])", "EXPANDED"), + strcmp("$(ret[bar])", "EXPANDED"), + strcmp("$(ret[baz])", "EXPANDED")); + + default:DEBUG:: + "$(const.dollar)($(const.dollar)(parent_namespace):$(const.dollar)(parent_bundle).str) => $(ret[foo])"; + "$(const.dollar)($(const.dollar)(parent_namespace):$(const.dollar)(parent_bundle).lst) => $(ret[bar])"; + "$(const.dollar)(default:check.lst) => $(ret[baz])"; +} From 92ea116019462a6e496c78097dd5356f27c12320 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Mon, 8 Jul 2024 14:33:09 +0200 Subject: [PATCH 150/255] Give cf-serverd time to initialize in valgrind-checks It can be really slow (testing showed up to a minute). Ticket: CFE-4416 Changelog: None (cherry picked from commit e07820e3ad66fd89f7188a254f8eea6114625808) --- tests/valgrind-check/valgrind.sh | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/tests/valgrind-check/valgrind.sh b/tests/valgrind-check/valgrind.sh index 534309751f..168276e636 100644 --- a/tests/valgrind-check/valgrind.sh +++ b/tests/valgrind-check/valgrind.sh @@ -102,15 +102,25 @@ print_ps echo "Starting cf-serverd with valgrind in background:" valgrind $VG_OPTS --log-file=serverd.txt /var/cfengine/bin/cf-serverd --no-fork 2>&1 > serverd_output.txt & server_pid="$!" -sleep 20 echo "Starting cf-execd with valgrind in background:" valgrind $VG_OPTS --log-file=execd.txt /var/cfengine/bin/cf-execd --no-fork 2>&1 > execd_output.txt & exec_pid="$!" -sleep 10 print_ps +# cf-serverd running under valgrind can be really slow to start, let's give it +# some time before we move on and potentially hit the wall if it's actually +# malfunctioning +tries=12 # max 2 minutes +while /var/cfengine/bin/cf-net -H $BOOTSTRAP_IP connect | grep Failed; do + tries=$((tries - 1)) + if [ $tries -le 0 ]; then + break; + fi + sleep 10 +done + echo "Running cf-net:" valgrind $VG_OPTS /var/cfengine/bin/cf-net GET /var/cfengine/masterfiles/promises.cf 2>&1 | tee get.txt check_valgrind_output get.txt From 7892ce9c7d42cda7fa359c67cf25cee6980dd7fb Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Mon, 8 Jul 2024 14:36:51 +0200 Subject: [PATCH 151/255] Build core and libntech in parallel in valgrind-checks To speed builds up. Ticket: CFE-4416 Changelog: None (cherry picked from commit 733e12e5144cd917440f1feb12c547f05038b2b9) --- tests/valgrind-check/valgrind.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/valgrind-check/valgrind.sh b/tests/valgrind-check/valgrind.sh index 168276e636..25d2d76520 100644 --- a/tests/valgrind-check/valgrind.sh +++ b/tests/valgrind-check/valgrind.sh @@ -64,7 +64,7 @@ if [ -f ./configure ] ; then else ./autogen.sh -C --enable-debug fi -make +make -j -l $(getconf _NPROCESSORS_ONLN) make install cd ../masterfiles From bb71d7597e8b214b5a0caae0f2b6b38e086b9ff8 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Mon, 8 Jul 2024 16:13:58 +0200 Subject: [PATCH 152/255] Add a built-in timeout mechanism to valgrind-checks If things go wrong and a run of valgrind-checks gets stuck, it's hard to terminate and clean after it properly because it runs as root. In a container, but that doesn't make a difference. To avoid such issues, let's make sure the `bash` process running the valgrind checks kills itself after a period of time unless it finishes properly (succeeding or failing). Ticket: CFE-4416 Changelog: None (cherry picked from commit 079c633d2ed5b04b158a9cc4a125f13f3f0af2c1) --- tests/valgrind-check/valgrind.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/valgrind-check/valgrind.sh b/tests/valgrind-check/valgrind.sh index 25d2d76520..dfd334196b 100644 --- a/tests/valgrind-check/valgrind.sh +++ b/tests/valgrind-check/valgrind.sh @@ -58,6 +58,14 @@ function check_masterfiles_and_inputs { set -e set -x +# In case things go wrong and this hangs, let's make sure things get properly +# cleaned up from here rather than relying on the outer environment doing the +# cleanup. In case this runs in a container, it could be a big +# difference. Especially in a case of an SPC. +{ sleep 30m && kill -9 $$; } & +auto_destruct_pid=$! +trap "kill $auto_destruct_pid" EXIT + # Assume we are in core directory if [ -f ./configure ] ; then ./configure -C --enable-debug From 326fe19983ebba9beff2925e401f041c3d1d072a Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 8 Jul 2024 15:21:06 +0200 Subject: [PATCH 153/255] Fixed some typos related fixes for ENT-9491 & ENT-11923 (cherry picked from commit 7016c253863269c163f397c75ac309994da004cd) --- libpromises/iteration.c | 4 ++-- tests/acceptance/01_vars/01_basic/double_expansion_list.cf | 2 +- .../01_vars/01_basic/double_expansion_list_namespace.cf | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libpromises/iteration.c b/libpromises/iteration.c index 4ad70c39d8..8bcb77f8c8 100644 --- a/libpromises/iteration.c +++ b/libpromises/iteration.c @@ -795,8 +795,8 @@ static Seq *IterableToSeq(const void *v, DataType t) * #varname, where the left side of #varname is a bundle name and the right side * of #iterctx->pp->promiser begins with the right side of #varname. If all of * the constraints are fulfilled it swaps the '.' with '#' in both variables. - * Furthermore, if the variable also contains a scope, it will mangle ':' with - * '*'. + * Furthermore, if the variable also contains a namespace, it will mangle ':' + * with '*'. * * See ticket ENT-9491 & ENT-11923 for more info. */ diff --git a/tests/acceptance/01_vars/01_basic/double_expansion_list.cf b/tests/acceptance/01_vars/01_basic/double_expansion_list.cf index 34890815d6..34fd0a5d36 100755 --- a/tests/acceptance/01_vars/01_basic/double_expansion_list.cf +++ b/tests/acceptance/01_vars/01_basic/double_expansion_list.cf @@ -13,7 +13,7 @@ bundle agent test(parent_bundle) { meta: "description" -> { "ENT-9491", "CFE-1644" } - string => "Test double expension of list from remote bundle"; + string => "Test double expansion of list from remote bundle"; reports: "$($(parent_bundle).str)" diff --git a/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf b/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf index da14f8554e..3553442985 100755 --- a/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf +++ b/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf @@ -13,7 +13,7 @@ bundle agent test(parent_namespace, parent_bundle) { meta: "description" -> { "ENT-11923" } - string => "Test double expension of list from remote bundle with namespace"; + string => "Test double expansion of list from remote bundle with namespace"; reports: "$($(parent_namespace):$(parent_bundle).str)" From f460eb62fa4c8f4f101f030956527dd6f6bcc54a Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 24 Jun 2024 13:24:09 -0500 Subject: [PATCH 154/255] CFE-4408: Fixed package promises with only promisers and no other attributes CFE-4315 introduced a behavior change so that in the case of a simple package promise with only a promiser: packages: "ed"; Things would just work in the case where there was no default package manager defined with package_module_knowledge.platform_default. In the case where package_module_knowledge.platform_default was defined this simple case would cause errors. This change fixes this second case as well as improves logging around the choosing of v1 and v2 package promise implementations. Some of these changes fix CFE-4398 which noted that too many INFO level messages were produced. These messages are moved to DEBUG and VERBOSE level as appropriate. Also added "packages" promises to list of exceptions so that a bare promiser-only package promise does not cause warnings. Ticket: CFE-4408 Changelog: title (cherry picked from commit 8961a77d292b7fd02f3675fd890c5e87d3a41382) Conflicts: libpromises/cf3parse_logic.h 3.21.x did not have ParserCheckPromiseLine() --- cf-agent/verify_packages.c | 2 +- libpromises/attributes.c | 23 +++++-- .../07_packages/default_package_module.cf | 48 +++++++++++++ .../default_package_module.cf.expected | 6 ++ .../default_package_module.cf.module | 69 +++++++++++++++++++ 5 files changed, 140 insertions(+), 8 deletions(-) create mode 100644 tests/acceptance/07_packages/default_package_module.cf create mode 100644 tests/acceptance/07_packages/default_package_module.cf.expected create mode 100644 tests/acceptance/07_packages/default_package_module.cf.module diff --git a/cf-agent/verify_packages.c b/cf-agent/verify_packages.c index 50c6cfe329..27d0727f7e 100644 --- a/cf-agent/verify_packages.c +++ b/cf-agent/verify_packages.c @@ -208,7 +208,7 @@ PromiseResult VerifyPackagesPromise(EvalContext *ctx, const Promise *pp) break; case PACKAGE_PROMISE_TYPE_NEW_ERROR: cfPS_HELPER_0ARG(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, &a, - "v1 package promise (package_method) failed sanity check."); + "v2 package promise (package_method) failed sanity check."); break; case PACKAGE_PROMISE_TYPE_OLD_ERROR: cfPS_HELPER_0ARG(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, &a, diff --git a/libpromises/attributes.c b/libpromises/attributes.c index 82ae5d80de..af61c16be2 100644 --- a/libpromises/attributes.c +++ b/libpromises/attributes.c @@ -1158,11 +1158,15 @@ Packages GetPackageConstraints(const EvalContext *ctx, const Promise *pp) if (bodies_and_args != NULL && SeqLength(bodies_and_args) > 0) { - Log(LOG_LEVEL_INFO, "Package promise had no package_method attribute so it's being assigned a value of 'generic' as default."); + Log(LOG_LEVEL_VERBOSE, "Package promise had no package_method attribute so it's being assigned a value of 'generic' as default."); const Body *bp = SeqAt(bodies_and_args, 0); // guaranteed to be non-NULL CopyBodyConstraintsToPromise((EvalContext*)ctx, (Promise*)pp, bp); has_generic_package_method = true; } + else + { + Log(LOG_LEVEL_VERBOSE, "Package promise had no package_method attibute and policy had no 'generic' package_method body so will use v2 package modules."); + } SeqDestroy(bodies_and_args); } @@ -1257,16 +1261,21 @@ NewPackages GetNewPackageConstraints(const EvalContext *ctx, const Promise *pp) bool have_package_policy = PromiseBundleOrBodyConstraintExists(ctx, "package_policy", pp); if (!have_policy && !have_package_policy) { - Log(LOG_LEVEL_DEBUG, "Package promise has no policy or package_policy attribute. Checking if package_module_knowledge.platform_default is defined to default the policy attribute to 'present' and force use of v2 package promise (package_module)."); + Log(LOG_LEVEL_DEBUG, "Package promise has no policy or package_policy attribute. Checking if default:control_common.package_module is defined to default the policy attribute to 'present' and force use of v2 package promise (package_module)."); + + const void *ret = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_PACKAGE_MODULE); + PackageModuleBody *package_module = GetPackageModuleFromContext(ctx, ret); - VarRef *ref = VarRefParseFromScope("package_module_knowledge.platform_default", NULL); - const void *ret = EvalContextVariableGet(ctx, ref, NULL); - if (ret != NULL) + if (package_module != NULL) { - Log(LOG_LEVEL_INFO, "Package promise had no policy or package_policy attribute and package_module_knowledge.platform_default is defined so defaulting to v2 package promise (package_module) and setting 'policy' attribute to 'present'."); + Log(LOG_LEVEL_DEBUG, "Package promise had no policy or package_policy attribute and default:control_common.package_module is defined so defaulting to v2 package promise (package_module) and setting 'policy' attribute to 'present' and 'package_module' to %s.", package_module->name); PromiseAppendConstraint((Promise*)pp, "policy", (Rval) {xstrdup("present"), RVAL_TYPE_SCALAR }, false); + PromiseAppendConstraint((Promise*)pp, "package_module_name", (Rval) {xstrdup(package_module->name), RVAL_TYPE_SCALAR }, false); + } + else + { + Log(LOG_LEVEL_VERBOSE, "Package promise had no policy or package_policy attribute and default:control_common.package_module is undefined so will use v1 package promise (package_method)."); } - VarRefDestroy(ref); } p.package_policy = GetNewPackagePolicy(PromiseGetConstraintAsRval(pp, "policy", RVAL_TYPE_SCALAR), new_packages_actions); diff --git a/tests/acceptance/07_packages/default_package_module.cf b/tests/acceptance/07_packages/default_package_module.cf new file mode 100644 index 0000000000..d06e1382ce --- /dev/null +++ b/tests/acceptance/07_packages/default_package_module.cf @@ -0,0 +1,48 @@ +# Based on 07_package/package_module_path.cf + +body common control +{ + inputs => { "../default.cf.sub" }; + bundlesequence => { default("$(this.promise_filename)") }; + package_module => test_module; # important! part of this specific test +} + +bundle agent init +{ + files: + "$(sys.workdir)/modules/packages/." + create => "true"; + "$(sys.workdir)/modules/packages/test_module_script.sh" + copy_from => local_cp("$(this.promise_filename).module"), + perms => m("ugo+x"); +} + +body package_module test_module +{ + query_installed_ifelapsed => "60"; + query_updates_ifelapsed => "14400"; + default_options => { "$(G.testfile)" }; + module_path => "$(sys.workdir)/modules/packages/test_module_script.sh"; +} + +bundle agent test +{ + meta: + "description" + string => "Test that a package with no attributes uses a configured common control package_module", + meta => { "CFE-4408" }; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; + + packages: + "first_pkg"; + "second_pkg"; +} + +bundle agent check +{ + methods: + "any" usebundle => dcs_check_diff($(G.testfile), + "$(this.promise_filename).expected", + $(this.promise_filename)); +} diff --git a/tests/acceptance/07_packages/default_package_module.cf.expected b/tests/acceptance/07_packages/default_package_module.cf.expected new file mode 100644 index 0000000000..835519d05b --- /dev/null +++ b/tests/acceptance/07_packages/default_package_module.cf.expected @@ -0,0 +1,6 @@ +Name=first_pkg +Version=1.0 +Architecture=generic +Name=second_pkg +Version=1.0 +Architecture=generic diff --git a/tests/acceptance/07_packages/default_package_module.cf.module b/tests/acceptance/07_packages/default_package_module.cf.module new file mode 100644 index 0000000000..4d185fe7f6 --- /dev/null +++ b/tests/acceptance/07_packages/default_package_module.cf.module @@ -0,0 +1,69 @@ +#!/bin/sh + +set -e + +remove_prefix() +{ + echo "$1" | sed "s/$2//" +} + +case "$1" in + supports-api-version) + echo 1 + ;; + get-package-data) + while read line; do + case "$line" in + File=*) + echo PackageType=repo + echo Name=`remove_prefix "${line}" "File="` + ;; + *) + true + ;; + esac + done + ;; + list-installed) + while read line; do + case "$line" in + options=*) + OUTPUT=`remove_prefix "${line}" "options="` + ;; + *) + exit 1 + ;; + esac + done + if [ -f "$OUTPUT" ]; then + cat "$OUTPUT" + fi + ;; + list-*) + # Drain input. + cat > /dev/null + ;; + repo-install) + while read line; do + case "$line" in + options=*) + OUTPUT=`remove_prefix "${line}" "options="` + ;; + Name=*) + NAME=`remove_prefix "${line}" "Name="` + ;; + *) + exit 1 + ;; + esac + done + echo "Name=$NAME" >> "$OUTPUT" + echo "Version=1.0" >> "$OUTPUT" + echo "Architecture=generic" >> "$OUTPUT" + ;; + *) + exit 1 + ;; +esac + +exit 0 From 8fbcf2a29ffe3385276769a43d310ce522ef1f80 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Mon, 8 Jul 2024 16:41:11 +0200 Subject: [PATCH 155/255] Allow cfbs to execute commands in a shell It executes `git` (and maybe other commands) in a shell. Ticket: ENT-11910 Changelog: None (cherry picked from commit 818708a54ae886d5446cac9405bb65dc50eb5cea) --- misc/selinux/cfengine-enterprise.te.all | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 35ebdc9587..625056443b 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -849,6 +849,10 @@ allow cfengine_cfbs_t cfengine_reactor_t:fifo_file { getattr ioctl read write }; allow cfengine_cfbs_t bin_t:file { map execute }; +# cfbs runs some commands in a shell +allow cfengine_cfbs_t shell_exec_t:file map; +allow cfengine_cfbs_t shell_exec_t:file { execute execute_no_trans }; + allow cfengine_cfbs_t cert_t:dir search; allow cfengine_cfbs_t cert_t:file { getattr open read }; allow cfengine_cfbs_t cert_t:lnk_file read; From 7d3aa6087c461f3870614b38a828785859a4bcd1 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem <4048546+olehermanse@users.noreply.github.com> Date: Tue, 9 Jul 2024 13:37:17 +0200 Subject: [PATCH 156/255] masterfiles-stage: Added alternate global directory for cfbs build (cherry picked from commit b6339e0a44bcac1cda240c17bae0a3dcd5e856fe) --- contrib/masterfiles-stage/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/masterfiles-stage/common.sh b/contrib/masterfiles-stage/common.sh index 3704ea8e68..27e9306f2c 100755 --- a/contrib/masterfiles-stage/common.sh +++ b/contrib/masterfiles-stage/common.sh @@ -227,7 +227,7 @@ git_cfbs_deploy_refspec() { _start_wrkdir=$(pwd) # Switch to the staging directory and build with cfbs cd "${temp_stage}" - cfbs build || error_exit "cfbs build failed" + CFBS_GLOBAL_DIR="/opt/cfengine/build/cfbs_global" cfbs build || error_exit "cfbs build failed" # Switch back to the original working dir cd "${_start_wrkdir}" # Grab HEAD so it can be used to populate cf_promises_release_id From 48788fa34662eede6ef3d19db72bd968e32f4e65 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Fri, 9 Aug 2024 13:49:58 +0200 Subject: [PATCH 157/255] Log errors for commands promises with exit codes not matching any _returncodes They are marked as failed with the following message: Command related to promiser '...' returned code '1' not defined as promise kept, not kept or repaired; setting to failed Failed promises should log errors not just info messages. Otherwise running without `--info` or more detailed logging fails silently. Ticket: CFE-4429 Ticket: ENT-12103 Changelog: commands promises with exit codes not matching any _returncodes attributes from classes body now log and error message not just an info message (cherry picked from commit 41214f7b5de59729d8c723a4976c67d1dde5d48c) --- cf-agent/retcode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cf-agent/retcode.c b/cf-agent/retcode.c index 190b4c2a28..33b2e74d11 100644 --- a/cf-agent/retcode.c +++ b/cf-agent/retcode.c @@ -86,7 +86,7 @@ bool VerifyCommandRetcode(EvalContext *ctx, int retcode, const Attributes *a, co if (!matched) { - cfPS(ctx, info_or_verbose, PROMISE_RESULT_FAIL, pp, a, + cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "Command related to promiser '%s' returned code '%d' not defined as promise kept, not kept or repaired; setting to failed", pp->promiser, retcode); *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL); From 8d224c46d3fcded16ee955f0474c43f333db7f3d Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Thu, 27 Jun 2024 16:13:07 +0200 Subject: [PATCH 158/255] Enable test for trailing newline on insert_tree promisers libxml2-2.13.1 seems to be fixing this. Ticket: CFE-3806 Changelog: Trailing newline on insert_tree promisers no longer removes ending tag for select_xpath (cherry picked from commit cea0100fbac7a193c586c8b44b3b26df2d8187d1) --- tests/acceptance/10_files/11_xml_edits/CFE-3806.cf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/acceptance/10_files/11_xml_edits/CFE-3806.cf b/tests/acceptance/10_files/11_xml_edits/CFE-3806.cf index 4e5946f94a..0c1ea77478 100644 --- a/tests/acceptance/10_files/11_xml_edits/CFE-3806.cf +++ b/tests/acceptance/10_files/11_xml_edits/CFE-3806.cf @@ -29,10 +29,6 @@ bundle agent test "description" -> { "CFE-3806" } string => "Test that trailing newline on insert_tree promisers do not remove ending tag for select_xpath"; - "test_soft_fail" - string => "any", - meta => { "CFE-3860" }; - files: "$(G.testfile)-1.xml" From dfdfe5d99f1f74a2602c7641ccb49aca6868bcb4 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 22 Aug 2024 09:54:47 -0500 Subject: [PATCH 159/255] Added logging CFEngine component related SELinux denials in cf-support Ticket: ENT-12137 Changelog: title (cherry picked from commit ea77c55bbf419b7862d68b361ef54da83779d480) --- misc/cf-support | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/misc/cf-support b/misc/cf-support index ee195f7cf7..d1e3afd16c 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -378,6 +378,11 @@ else fi echo "Captured output of $syslog_cmd filtered for cf-|CFEngine" +# cf- component related SELinux denials +if command -v ausearch >/dev/null; then + ausearch -m avc -su cfengine > "$tmpdir"/ausearch-cfengine-avcs.log +fi + gzip_add $WORKDIR/outputs/previous file_add $WORKDIR/policy_server.dat From 23bb68acaa063516ca301e4cebeffc1921a26d37 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 8 Oct 2024 18:29:01 +0200 Subject: [PATCH 160/255] Atomic copy_from in files promise Changes to `files` promise in `copy_from` attribute: - The new file (i.e., `.cfnew`) is now created with correct permission during remote copy. Previously it would be created with default permissions. - The destination file (i.e., ``) is no longer deleted on backup during file copy. Previously it would be renamed to `.cfsaved`, causing the original file to dissappear. Now an actual copy of the original file with the same permissions is created instead. As a result, there will no longer be a brief moment where the original file is inaccessible. Ticket: ENT-11988 Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit 224ccc33652c2c97923ab97a29317f6c930671e1) --- cf-agent/verify_files_utils.c | 4 ++-- libcfnet/client_code.c | 4 ++-- libcfnet/client_code.h | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cf-agent/verify_files_utils.c b/cf-agent/verify_files_utils.c index 79ec481e33..84115f997f 100644 --- a/cf-agent/verify_files_utils.c +++ b/cf-agent/verify_files_utils.c @@ -1552,7 +1552,7 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con } if (!CopyRegularFileNet(source, ToChangesPath(new), - sstat->st_size, attr->copy.encrypt, conn)) + sstat->st_size, attr->copy.encrypt, conn, sstat->st_mode)) { RecordFailure(ctx, pp, attr, "Failed to copy file '%s' from '%s'", source, conn->remoteip); @@ -1712,7 +1712,7 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con } } - if (rename(dest, changes_backup) == 0) + if (CopyRegularFileDisk(dest, changes_backup)) { RecordChange(ctx, pp, attr, "Backed up '%s' as '%s'", dest, backup); *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE); diff --git a/libcfnet/client_code.c b/libcfnet/client_code.c index d168d37b31..032eebcf83 100644 --- a/libcfnet/client_code.c +++ b/libcfnet/client_code.c @@ -751,7 +751,7 @@ static void FlushFileStream(int sd, int toget) /* TODO finalise socket or TLS session in all cases that this function fails * and the transaction protocol is out of sync. */ bool CopyRegularFileNet(const char *source, const char *dest, off_t size, - bool encrypt, AgentConnection *conn) + bool encrypt, AgentConnection *conn, mode_t mode) { char *buf, workbuf[CF_BUFSIZE], cfchangedstr[265]; const int buf_size = 2048; @@ -775,7 +775,7 @@ bool CopyRegularFileNet(const char *source, const char *dest, off_t size, unlink(dest); /* To avoid link attacks */ - int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, CF_PERMS_DEFAULT); + int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, mode); if (dd == -1) { Log(LOG_LEVEL_ERR, diff --git a/libcfnet/client_code.h b/libcfnet/client_code.h index f0d560088f..ba32d4acdb 100644 --- a/libcfnet/client_code.h +++ b/libcfnet/client_code.h @@ -48,7 +48,7 @@ void DisconnectServer(AgentConnection *conn); bool CompareHashNet(const char *file1, const char *file2, bool encrypt, AgentConnection *conn); bool CopyRegularFileNet(const char *source, const char *dest, off_t size, - bool encrypt, AgentConnection *conn); + bool encrypt, AgentConnection *conn, mode_t mode); Item *RemoteDirList(const char *dirname, bool encrypt, AgentConnection *conn); int TLSConnectCallCollect(ConnectionInfo *conn_info, const char *username); From 9d0fd65f035da121260fac09a876b2b30eadb058 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Thu, 12 Sep 2024 16:42:00 +0200 Subject: [PATCH 161/255] Workaround cppcheck ignoring `-i libpromises/cf3lex.c` When running cppcheck in static checks, we use `-i libpromises/cf3lex.c` in order to make cppcheck ignore the generated cf3lex.c file. However, the new version of cppcheck ignores this option and fails on issues found in the file. However, we don't want this file or any other generated files except for bootstrap.inc which contains the bootstrap policy. So we can run `make clean` and `make -C libpromise/ boostrap.inc` before running cppcheck to get a cleaner environment. (cherry picked from commit e9cfa4105cf5718a4bbfcb06adc737437d9bd3fa) Signed-off-by: Lars Erik Wik --- tests/static-check/run_checks.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/static-check/run_checks.sh b/tests/static-check/run_checks.sh index bcd059a3eb..4583968ff0 100755 --- a/tests/static-check/run_checks.sh +++ b/tests/static-check/run_checks.sh @@ -21,6 +21,8 @@ function check_with_clang() { function check_with_cppcheck() { rm -f config.cache + make clean + make -C libpromises/ bootstrap.inc # needed by libpromises/bootstrap.c ./configure -C --enable-debug # cppcheck options: From 2805fb1ec529fe5573a20da150911d845a95fb93 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 6 Aug 2024 17:54:26 +0200 Subject: [PATCH 162/255] Fixed failure to install cf-remote ``` error: externally-managed-environment ``` Since this is a container, it should be OK to potentially break system packages. Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 0195e21b735ccf0da8d889ecf34919689641d6db) --- .github/workflows/windows_acceptance_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/windows_acceptance_tests.yml b/.github/workflows/windows_acceptance_tests.yml index f387042f27..b6bb6c74ca 100644 --- a/.github/workflows/windows_acceptance_tests.yml +++ b/.github/workflows/windows_acceptance_tests.yml @@ -23,7 +23,7 @@ jobs: uses: actions/checkout@v3 - name: install cf-remote - run: pip install cf-remote + run: pip install cf-remote --break-system-packages # Note that msiexec can't install packages when running under msys; # But cf-remote currently can't run under powershell From 526d710d5e1ae6d03c631957837c4a6b3f88970b Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 11 Oct 2024 13:47:08 +0200 Subject: [PATCH 163/255] Fixed error in static checks libncurses5 was not available in the noble repository, but maybe libncurses6 will work. ``` E: Unable to locate package libncurses5 ``` Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 4d1944adc423ac19a99cb37d83f1a461909d4c53) --- .github/workflows/job-static-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/job-static-check.yml b/.github/workflows/job-static-check.yml index 1554ba5bb7..5609b28edd 100644 --- a/.github/workflows/job-static-check.yml +++ b/.github/workflows/job-static-check.yml @@ -46,7 +46,7 @@ jobs: - name: Prepare Environment run: | sudo apt-get update && \ - sudo apt-get install -y dpkg-dev debhelper g++ libncurses5 pkg-config \ + sudo apt-get install -y dpkg-dev debhelper g++ libncurses6 pkg-config \ build-essential libpam0g-dev fakeroot gcc make autoconf buildah \ liblmdb-dev libacl1-dev libcurl4-openssl-dev libyaml-dev libxml2-dev \ libssl-dev libpcre3-dev From 18c187348719ea58ca0e90b567dc4ce446f3f4c9 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 11 Oct 2024 15:39:23 +0200 Subject: [PATCH 164/255] Fixed missing PCRE in CodeQL test ``` checking for pcre_exec in -lpcre... no configure: error: Cannot find PCRE ``` Ticket: None Changelog: None Signed-off-by: Lars Erik Wik --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4777259e8e..dfe8dd437e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,7 +41,7 @@ jobs: - name: Install dependencies (C) if: ${{ matrix.language == 'cpp' }} - run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl + run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl libpcre3-dev - name: Build (C) if: ${{ matrix.language == 'cpp' }} From ed86f7561c4f6298349af7962f5dd9feb25c1a67 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 9 Oct 2024 12:53:38 +0200 Subject: [PATCH 165/255] Also ignore IPv6 interface info Agent now also ignores interfaces listed in ignore_interfaces.rx when looking for IPv6 interface info. Variables such as `default:sys.hardware_mac[]` will no longer be defined for ignored interfaces. Ticket: ENT-11840 Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit 5ab06a14d406f0b673ce29e78e136bbed4e9095b) --- libenv/unix_iface.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libenv/unix_iface.c b/libenv/unix_iface.c index a8c7043ed1..67af0cd936 100644 --- a/libenv/unix_iface.c +++ b/libenv/unix_iface.c @@ -721,6 +721,11 @@ static void FindV6InterfacesInfo(EvalContext *ctx, Rlist **interfaces, Rlist **h } } + if (IgnoreInterface(current_interface)) + { + // Ignore interfaces listed in ignore_interfaces.rx + continue; + } const char *const stripped_ifconfig_line = TrimWhitespace(ifconfig_line); From 051dbce753654523e07e30c98203a20c49b2f9e1 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 13 Nov 2024 09:57:08 -0600 Subject: [PATCH 166/255] Adjusted peer related examples in regards to hostname -f versus sys.fqhost This was breaking on some systems in a way that doesn't benefit the test. Instead of assuming that `hostname -f` is equal to `sys.fqhost` just use `sys.fqhost` in the first place. Ticket: ENT-12437 Changelog: none (cherry picked from commit 9c05580bfaca16fb7f31a75994da9de44b3740ad) --- examples/peerleader.cf | 3 ++- examples/peerleaders.cf | 3 ++- examples/peers.cf | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/examples/peerleader.cf b/examples/peerleader.cf index fdc4eb2a52..e2f5a4e184 100644 --- a/examples/peerleader.cf +++ b/examples/peerleader.cf @@ -25,7 +25,8 @@ #@ echo beta >> /tmp/cfe_hostlist #@ echo gamma >> /tmp/cfe_hostlist #@ echo "Set HOSTNAME appropriately beforehand" -#@ echo "$(hostname -f)" | tr 'A-Z' 'a-z' >> /tmp/cfe_hostlist +#@ touch $CFENGINE_TEST_OVERRIDE_WORKDIR/inputs/promises.cf # to enable cf-promises to run +#@ bash -c "${CF_PROMISES} --show-vars=sys.fqhost | grep fqhost | awk '{print \$2}' | tr 'A-Z' 'a-z' 2>&1 >> /tmp/cfe_hostlist" #@ echo "Delta Delta Delta may I help ya help ya help ya" #@ echo delta1 >> /tmp/cfe_hostlist #@ echo delta2 >> /tmp/cfe_hostlist diff --git a/examples/peerleaders.cf b/examples/peerleaders.cf index fdc4eb2a52..e2f5a4e184 100644 --- a/examples/peerleaders.cf +++ b/examples/peerleaders.cf @@ -25,7 +25,8 @@ #@ echo beta >> /tmp/cfe_hostlist #@ echo gamma >> /tmp/cfe_hostlist #@ echo "Set HOSTNAME appropriately beforehand" -#@ echo "$(hostname -f)" | tr 'A-Z' 'a-z' >> /tmp/cfe_hostlist +#@ touch $CFENGINE_TEST_OVERRIDE_WORKDIR/inputs/promises.cf # to enable cf-promises to run +#@ bash -c "${CF_PROMISES} --show-vars=sys.fqhost | grep fqhost | awk '{print \$2}' | tr 'A-Z' 'a-z' 2>&1 >> /tmp/cfe_hostlist" #@ echo "Delta Delta Delta may I help ya help ya help ya" #@ echo delta1 >> /tmp/cfe_hostlist #@ echo delta2 >> /tmp/cfe_hostlist diff --git a/examples/peers.cf b/examples/peers.cf index fdc4eb2a52..e2f5a4e184 100644 --- a/examples/peers.cf +++ b/examples/peers.cf @@ -25,7 +25,8 @@ #@ echo beta >> /tmp/cfe_hostlist #@ echo gamma >> /tmp/cfe_hostlist #@ echo "Set HOSTNAME appropriately beforehand" -#@ echo "$(hostname -f)" | tr 'A-Z' 'a-z' >> /tmp/cfe_hostlist +#@ touch $CFENGINE_TEST_OVERRIDE_WORKDIR/inputs/promises.cf # to enable cf-promises to run +#@ bash -c "${CF_PROMISES} --show-vars=sys.fqhost | grep fqhost | awk '{print \$2}' | tr 'A-Z' 'a-z' 2>&1 >> /tmp/cfe_hostlist" #@ echo "Delta Delta Delta may I help ya help ya help ya" #@ echo delta1 >> /tmp/cfe_hostlist #@ echo delta2 >> /tmp/cfe_hostlist From 9fe8a57aa909d8688c2f3a42ff8873107a0cb3c7 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 11 Nov 2024 16:02:49 -0600 Subject: [PATCH 167/255] Added changelog for 3.21.6 Co-authored-by: Nick Anderson Co-authored-by: Lars Erik Wik <53906608+larsewi@users.noreply.github.com> --- ChangeLog | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/ChangeLog b/ChangeLog index 3927072557..64510f6a6b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,34 @@ +3.21.6: + - Added logging CFEngine component related SELinux denials in cf-support + (ENT-12137) + - Agent now also ignores interfaces listed in ignore_interfaces.rx when + looking for IPv6 interface info. Variables such as + 'default:sys.hardware_mac[]' will no longer be defined for + ignored interfaces. (ENT-11840) + - Atomic copy_from in files promise + Changes to 'files' promise in 'copy_from' attribute: + - The new file (i.e., '.cfnew') is now created with correct + permission during remote copy. Previously it would be created with + default permissions. + - The destination file (i.e., '') is no longer deleted on + backup during file copy. Previously it would be renamed to + '.cfsaved', causing the original file to dissappear. Now an + actual copy of the original file with the same permissions is created + instead. + As a result, there will no longer be a brief moment where the original + file is inaccessible. (ENT-11988) + - Fixed bug in double expansion of foreign list variables with namespaces + (ENT-11923) + - Fixed package promises with only promisers and no other attributes + (CFE-4315, CFE-4398, CFE-4408) + - Fixed packagesmatching() function segfaulting on Windows platform + (ENT-11900) + - Trailing newline on insert_tree promisers no longer removes ending tag for select_xpath + (CFE-3806) + - commands promises with exit codes not matching any + _returncodes attributes from classes body now log an + error message not just an info message (CFE-4429, ENT-12103) + 3.21.5: - Added warning log message when OS is not recognized (CFE-4342) - Adjusted package module inventory to include quotes around fields when needed From d617f6ea845f1acc014d0f39e234da048c6871d4 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 25 Nov 2024 16:40:46 -0600 Subject: [PATCH 168/255] Adjusted CFEngine SELinux policy to allow cf-execd to run ps command with policy version 33 Apparently, ps command running with SELinux kernel policy version 33 requires self:cap_userns sys_ptrace. Ticket: ENT-12446 Changelog: title (cherry picked from commit 45ea0fe542f73e8c4358d7c0e23049dee34056d3) --- misc/selinux/cfengine-enterprise.te.all | 1 + 1 file changed, 1 insertion(+) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 625056443b..f128a761d7 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -229,6 +229,7 @@ allow cfengine_execd_t cfengine_reactor_exec_t:file getattr; allow cfengine_execd_t cfengine_var_lib_t:sock_file { create unlink getattr setattr }; allow cfengine_execd_t self:capability sys_ptrace; +allow cfengine_execd_t self:cap_userns sys_ptrace; allow cfengine_execd_t crontab_exec_t:file getattr; allow cfengine_execd_t dmidecode_exec_t:file getattr; From 63452869c3fdf1f68b3453d3c65c682a6b1d649f Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 27 Nov 2024 15:58:47 -0600 Subject: [PATCH 169/255] Disabled windows_acceptance_tests in github CI due to 6 hour time limit Ticket: ENT-12497 Changelog: none (cherry picked from commit 17f68d0e6b2ab39cfb7c7b9bc0999351b2d67685) --- .github/workflows/ci.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6554e4fc34..61c981f5ed 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,9 +17,10 @@ jobs: acceptance_tests: needs: unit_tests uses: ./.github/workflows/acceptance_tests.yml - windows_acceptance_tests: - needs: unit_tests - uses: ./.github/workflows/windows_acceptance_tests.yml +# Disable windows_acceptance_tests as of Nov 27 2024, taking 6 hours so exceeding github job limit and gets cancelled. +# windows_acceptance_tests: +# needs: unit_tests +# uses: ./.github/workflows/windows_acceptance_tests.yml macos_unit_tests: needs: unit_tests uses: ./.github/workflows/macos_unit_tests.yml From 8b5488e6ded4f6fe79d113a7b5167c58f0e1d28a Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 27 Nov 2024 15:26:41 -0600 Subject: [PATCH 170/255] Added filesystem and files unconfined access to cf-monitord in cfengine-enterprise SELinux policy It was found in some situations that cf-monitord was attempting access to files and dirs with the user_home_dir_t type and being blocked. cf-monitord needs full access to all filesystems and files. Ticket: ENT-12446 Changelog: title (cherry picked from commit f4bf792530ea65f1c8ef1b00cdf806daa59c8f62) --- misc/selinux/cfengine-enterprise.te.all | 3 +++ 1 file changed, 3 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index f128a761d7..70ac38acc6 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -278,6 +278,9 @@ allow cfengine_monitord_t cfengine_hub_exec_t:file getattr; allow cfengine_monitord_t cfengine_reactor_exec_t:file getattr; allow cfengine_monitord_t var_log_t:file { open read }; +# cf-monitord collects arbitrary system data so needs complete access to filesystems and files +fs_unconfined(cfengine_monitord_t) +files_unconfined(cfengine_monitord_t) allow cfengine_monitord_t self:capability { dac_override dac_read_search sys_ptrace }; allow cfengine_monitord_t self:cap_userns sys_ptrace; From 018fe212eee5858c06a699911080acf3aa813259 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 2 Dec 2024 13:28:16 -0600 Subject: [PATCH 171/255] Adjusted SELinux policy to allow components which run cf-promises to getattr everywhere and read symlinks Seen on rhel-8 and rhel-9 with kernels 4.18.0 and 5.14.0 and policy version 33. Applies to cf-monitord, cf-execd and cf-serverd. Ticket: ENT-12466 Changelog: title (cherry picked from commit f6f6af5cb6d2e9e3680235a75e18aeee0a6a497c) --- misc/selinux/cfengine-enterprise.te.all | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 70ac38acc6..f0fb559fe3 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -212,6 +212,10 @@ allow cfengine_execd_t cfengine_var_lib_t:file execute; # allow cf-execd to execute cf-promises allow cfengine_execd_t cfengine_var_lib_t:file execute_no_trans; +# allow cf-promises run by cf-execd to getattr everywhere and read symlinks +files_getattr_all_dirs(cfengine_execd_t) +files_getattr_all_files(cfengine_execd_t) +files_read_all_symlinks(cfengine_execd_t) # TODO: this should not be needed allow cfengine_execd_t ssh_port_t:tcp_socket name_connect; @@ -270,6 +274,10 @@ allow cfengine_monitord_t cfengine_var_lib_t:file execute; # allow cf-monitord to execute cf-promises allow cfengine_monitord_t cfengine_var_lib_t:file execute_no_trans; +# allow cf-promises run by cf-monitord to getattr everywhere and read symlinks +files_getattr_all_dirs(cfengine_monitord_t) +files_getattr_all_files(cfengine_monitord_t) +files_read_all_symlinks(cfengine_monitord_t) allow cfengine_monitord_t cfengine_execd_exec_t:file getattr; allow cfengine_monitord_t cfengine_serverd_exec_t:file getattr; @@ -322,6 +330,10 @@ allow cfengine_serverd_t cfengine_var_lib_t:file execute; # allow cf-serverd to execute cf-promises allow cfengine_serverd_t cfengine_var_lib_t:file execute_no_trans; +# allow cf-promises run by cf-serverd to getattr everywhere and read symlinks +files_getattr_all_dirs(cfengine_serverd_t) +files_getattr_all_files(cfengine_serverd_t) +files_read_all_symlinks(cfengine_serverd_t) # allow cf-serverd to connect to the CFEngine port and to write into a local socket (in case of # call-collect on hosts and the hub itself, respectively) From 0799b15eb04a9a225d72f6853a397c1f465e9cf6 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 2 Dec 2024 16:17:47 -0600 Subject: [PATCH 172/255] Added sys_ptrace access for apachectl to run ps in CFEngine SELinux enterprise policy Ticket: ENT-12466 Changelog: title (cherry picked from commit b2e7a859663eb35ebd0c8733e2cd000f1f238155) --- misc/selinux/cfengine-enterprise.te.all | 2 ++ 1 file changed, 2 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index f0fb559fe3..07836b11ab 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -733,6 +733,8 @@ allow cfengine_apachectl_t proc_t:file { open read }; # this is a macro invocation, the file has to be processed with # make -f /usr/share/selinux/devel/Makefile ps_process_pattern(cfengine_apachectl_t, domain) +# ps_process_pattern() above doesn't include needed sys_ptrace capability for apachectl to run 'ps' +allow cfengine_apachectl_t self:cap_userns sys_ptrace; #============= cfengine_reactor_t ============== type cfengine_reactor_t; From 1a149c590af7e63848070ebd412518fb6f3496e9 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 2 Dec 2024 16:20:42 -0600 Subject: [PATCH 173/255] Added getattr access for cf-serverd to socket file in CFEngine SELinux policy Ticket: ENT-12466 Changelog: title (cherry picked from commit a2a04043d4071b4352702bdc15ec5482c547ef82) --- misc/selinux/cfengine-enterprise.te.all | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 07836b11ab..b031f533f9 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -338,7 +338,7 @@ files_read_all_symlinks(cfengine_serverd_t) # allow cf-serverd to connect to the CFEngine port and to write into a local socket (in case of # call-collect on hosts and the hub itself, respectively) allow cfengine_serverd_t unreserved_port_t:tcp_socket name_connect; -allow cfengine_serverd_t cfengine_var_lib_t:sock_file write; +allow cfengine_serverd_t cfengine_var_lib_t:sock_file { getattr write }; allow cfengine_serverd_t cfengine_hub_t:unix_stream_socket connectto; # TODO: this should not be needed From 46be40add3b40063769500cccf8938c3abb7e0b2 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 27 Nov 2024 16:11:59 -0600 Subject: [PATCH 174/255] Added getattr capability for cert_t:dir as needed to CFEngine components in cfengine-enterprise SELinux policy Found to be needed in kernel policy version 33 on rhel-9 hub. Ticket: ENT-12466 Changelog: title (cherry picked from commit 3e6417db52baaf8e8b66eea0831a54edfafb9f8b) --- misc/selinux/cfengine-enterprise.te.all | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index b031f533f9..ac5dc58549 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -443,7 +443,7 @@ allow cfengine_hub_t sendmail_exec_t:file { execute execute_no_trans open read } allow cfengine_hub_t bin_t:file map; allow cfengine_hub_t bin_t:file { execute execute_no_trans }; -allow cfengine_hub_t cert_t:dir search; +allow cfengine_hub_t cert_t:dir { search getattr }; allow cfengine_hub_t cert_t:file { getattr open read }; allow cfengine_hub_t crontab_exec_t:file getattr; allow cfengine_hub_t devlog_t:lnk_file read; @@ -535,7 +535,7 @@ allow cfengine_postgres_t cfengine_var_lib_t:dir { add_name getattr open create allow cfengine_postgres_t postgresql_port_t:tcp_socket name_bind; -allow cfengine_postgres_t cert_t:dir search; +allow cfengine_postgres_t cert_t:dir { search getattr }; allow cfengine_postgres_t cert_t:file { getattr open read }; allow cfengine_postgres_t hugetlbfs_t:file map; allow cfengine_postgres_t hugetlbfs_t:file { read write }; @@ -597,7 +597,7 @@ allow init_t cfengine_httpd_t:process siginh; allow cfengine_httpd_t cfengine_httpd_exec_t:file entrypoint; allow cfengine_httpd_t cfengine_httpd_exec_t:file { ioctl read getattr lock map execute open }; -allow cfengine_httpd_t cert_t:dir search; +allow cfengine_httpd_t cert_t:dir { search getattr }; allow cfengine_httpd_t cert_t:file { getattr open read }; allow cfengine_httpd_t cert_t:lnk_file read; allow cfengine_httpd_t cfengine_httpd_exec_t:file execute_no_trans; @@ -794,7 +794,7 @@ allow cfengine_reactor_t fs_t:filesystem getattr; allow cfengine_reactor_t shell_exec_t:file map; allow cfengine_reactor_t shell_exec_t:file { execute execute_no_trans }; -allow cfengine_reactor_t cert_t:dir search; +allow cfengine_reactor_t cert_t:dir { search getattr }; allow cfengine_reactor_t cert_t:file { getattr open read }; allow cfengine_reactor_t cert_t:lnk_file read; @@ -871,7 +871,7 @@ allow cfengine_cfbs_t bin_t:file { map execute }; allow cfengine_cfbs_t shell_exec_t:file map; allow cfengine_cfbs_t shell_exec_t:file { execute execute_no_trans }; -allow cfengine_cfbs_t cert_t:dir search; +allow cfengine_cfbs_t cert_t:dir { search getattr }; allow cfengine_cfbs_t cert_t:file { getattr open read }; allow cfengine_cfbs_t cert_t:lnk_file read; allow cfengine_cfbs_t http_port_t:tcp_socket name_connect; From 3df0fccf41e528c8905bcb9a7f474b23fecc1cf9 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 27 Nov 2024 16:14:38 -0600 Subject: [PATCH 175/255] Added create capability on cfengine_var_lib_t:dir to cf-hub Found to be needed for kernel policy version 33 on rhel-9 hub. Ticket: ENT-12466 Changelog: title (cherry picked from commit e285fb6aac9193ad0dec063a57a6e9cdabdf14a8) Conflicts: misc/selinux/cfengine-enterprise.te.all cf-reactor does not yet process scheduled reports in 3.21.x so conflict here is due to removal in master/3.24.x: https://github.com/cfengine/core/pull/5525 --- misc/selinux/cfengine-enterprise.te.all | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index ac5dc58549..873cf2e05c 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -419,7 +419,7 @@ allow cfengine_hub_t cfengine_postgres_t:unix_stream_socket connectto; allow cfengine_hub_t unreserved_port_t:tcp_socket name_connect; allow cfengine_hub_t cfengine_log_t:dir getattr; -allow cfengine_hub_t cfengine_var_lib_t:dir { add_name getattr open read search write remove_name }; +allow cfengine_hub_t cfengine_var_lib_t:dir { add_name create getattr open read search write remove_name }; allow cfengine_hub_t cfengine_var_lib_t:file { create ioctl lock write unlink append setattr }; allow cfengine_hub_t cfengine_var_lib_t:lnk_file { getattr read }; allow cfengine_hub_t cfengine_var_lib_t:sock_file { create unlink }; From 78d448349c3aaa5d329b948f9ccb16fa8ceab6eb Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 3 Dec 2024 11:00:36 -0600 Subject: [PATCH 176/255] Granted more access to certificates directory for CFEngine components in SELinux policy Were found to be needed in 3.21.6a and 3.24.1a testing on rhel-9 hubs. Policy works on rhel-8 as well. Ticket: ENT-12466 Changelog: title (cherry picked from commit 3741e3d6486b32b6b8fd86de3f12a367e0dbbbdf) --- misc/selinux/cfengine-enterprise.te.all | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 873cf2e05c..04ce380c9b 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -443,7 +443,7 @@ allow cfengine_hub_t sendmail_exec_t:file { execute execute_no_trans open read } allow cfengine_hub_t bin_t:file map; allow cfengine_hub_t bin_t:file { execute execute_no_trans }; -allow cfengine_hub_t cert_t:dir { search getattr }; +allow cfengine_hub_t cert_t:dir { getattr open read search }; allow cfengine_hub_t cert_t:file { getattr open read }; allow cfengine_hub_t crontab_exec_t:file getattr; allow cfengine_hub_t devlog_t:lnk_file read; @@ -535,7 +535,7 @@ allow cfengine_postgres_t cfengine_var_lib_t:dir { add_name getattr open create allow cfengine_postgres_t postgresql_port_t:tcp_socket name_bind; -allow cfengine_postgres_t cert_t:dir { search getattr }; +allow cfengine_postgres_t cert_t:dir { getattr open read search }; allow cfengine_postgres_t cert_t:file { getattr open read }; allow cfengine_postgres_t hugetlbfs_t:file map; allow cfengine_postgres_t hugetlbfs_t:file { read write }; @@ -597,7 +597,7 @@ allow init_t cfengine_httpd_t:process siginh; allow cfengine_httpd_t cfengine_httpd_exec_t:file entrypoint; allow cfengine_httpd_t cfengine_httpd_exec_t:file { ioctl read getattr lock map execute open }; -allow cfengine_httpd_t cert_t:dir { search getattr }; +allow cfengine_httpd_t cert_t:dir { getattr open read search }; allow cfengine_httpd_t cert_t:file { getattr open read }; allow cfengine_httpd_t cert_t:lnk_file read; allow cfengine_httpd_t cfengine_httpd_exec_t:file execute_no_trans; @@ -794,7 +794,7 @@ allow cfengine_reactor_t fs_t:filesystem getattr; allow cfengine_reactor_t shell_exec_t:file map; allow cfengine_reactor_t shell_exec_t:file { execute execute_no_trans }; -allow cfengine_reactor_t cert_t:dir { search getattr }; +allow cfengine_reactor_t cert_t:dir { getattr open read search }; allow cfengine_reactor_t cert_t:file { getattr open read }; allow cfengine_reactor_t cert_t:lnk_file read; @@ -871,7 +871,7 @@ allow cfengine_cfbs_t bin_t:file { map execute }; allow cfengine_cfbs_t shell_exec_t:file map; allow cfengine_cfbs_t shell_exec_t:file { execute execute_no_trans }; -allow cfengine_cfbs_t cert_t:dir { search getattr }; +allow cfengine_cfbs_t cert_t:dir { getattr open read search }; allow cfengine_cfbs_t cert_t:file { getattr open read }; allow cfengine_cfbs_t cert_t:lnk_file read; allow cfengine_cfbs_t http_port_t:tcp_socket name_connect; From d264e247cc0f19e5ba3ff87b4708d232eee8efab Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 4 Dec 2024 08:26:01 -0600 Subject: [PATCH 177/255] Added late changelog entry for SELinux fixes (3.21) Ticket: none Changelog: none --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 64510f6a6b..b4fa7e34fc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,7 @@ 3.21.6: + - Fixed multiple issues in cfengine-enterprise SELinux policy which could + cause AVC denials / warnings for various CFEngine components. + (ENT-12466, ENT-12446) - Added logging CFEngine component related SELinux denials in cf-support (ENT-12137) - Agent now also ignores interfaces listed in ignore_interfaces.rx when From 9c33300757caa986f12d140b623ea8db543670db Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 4 Dec 2024 15:13:59 -0600 Subject: [PATCH 178/255] Bumped .CFVERSION number to 3.21.7 Signed-off-by: Craig Comstock --- .CFVERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.CFVERSION b/.CFVERSION index ec3cb7590f..c5e20a5060 100644 --- a/.CFVERSION +++ b/.CFVERSION @@ -1 +1 @@ -3.21.6 +3.21.7 From d9396299f3644be6d98b40e1db31d5913f5553be Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 6 Dec 2024 11:04:07 -0600 Subject: [PATCH 179/255] SELinux: Allow cf-serverd to set its own limits In order to honor some settings like def.control_server_maxconnections we must allow self:capability sys_resource. Ticket: ENT-12446 Changelog: title (cherry picked from commit c05f25b1e776af00205ef3d21f03926bd63b36f6) --- misc/selinux/cfengine-enterprise.te.all | 3 +++ 1 file changed, 3 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 04ce380c9b..8b31fa5afc 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -341,6 +341,9 @@ allow cfengine_serverd_t unreserved_port_t:tcp_socket name_connect; allow cfengine_serverd_t cfengine_var_lib_t:sock_file { getattr write }; allow cfengine_serverd_t cfengine_hub_t:unix_stream_socket connectto; +# allow cf-serverd to set its own limits, e.g. def.control_server_maxconnections +allow cfengine_serverd_t self:capability sys_resource; + # TODO: this should not be needed allow cfengine_serverd_t ssh_port_t:tcp_socket name_connect; allow cfengine_serverd_t proc_xen_t:dir search; From 54f66f896b338d2a275a2cc88730e352025c6ea3 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Fri, 21 Apr 2023 13:07:45 -0500 Subject: [PATCH 180/255] Made cf-support use coredumpctl for core analysis only when configured in kerenl.core_pattern It's possible for coredumpctl to be present yet the system not correctly configured to use systemd-coredump which results in coredumpctl not being able to find core files. This change restricts the use of coredumpctl for when systemd-coredump is present in sysctl kernel.core_pattern. Ticket: ENT-9985 Changelog: Title (cherry picked from commit 9f538452fa3f361095356deabfa3911f59211e0a) --- misc/cf-support | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/misc/cf-support b/misc/cf-support index d1e3afd16c..3de79ab70f 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -150,7 +150,9 @@ mkdir -p "$tmpdir" echo "Analyzing CFEngine core dumps" _core_log="$tmpdir"/core-dump.log -if command -v coredumpctl >/dev/null; then +_sysctl_kernel_core_pattern="$(sysctl -n kernel.core_pattern)" +if expr "$_sysctl_kernel_core_pattern" : ".*/systemd-coredump.*" > /dev/null 2>&1; then + echo "Found systemd-coredump used in sysctl kernel.core_pattern \"$_sysctl_kernel_core_pattern\"" echo "Using coredumpctl to analyze CFEngine core dumps" coredumpctl info /var/cfengine/bin/cf-* 2>/dev/null >> "$_core_log" || true elif command -v apport-unpack >/dev/null; then From fb1a8cd9b25fb1344ceb40eeaabaf0377e392b94 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 5 Dec 2024 16:04:58 -0600 Subject: [PATCH 181/255] Adjusted cf-support for exotic UNIX platforms head -c 8 doesn't work on hpux 11.23 that we test on currently dd count=1 bs=8 should work on all UNIX systems tr on solaris needs LC_CTYPE=C as it can't handle binary data. Silence not found sysctl command where it is not present. Ticket: ENT-9786 Changelog: title (cherry picked from commit be724b29021af0b551e50b5042e928ca25e46551) --- misc/cf-support | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/misc/cf-support b/misc/cf-support index 3de79ab70f..ca9cc75b99 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -120,7 +120,7 @@ make_temp_dir() else # shellcheck disable=SC2021 # ^^ legacy/POSIX requires square brackets - _tmp="/tmp/`tr -dc "[A-Z][a-z][0-9]" /dev/null`" mkdir "$_tmp" echo "$_tmp" fi @@ -150,7 +150,11 @@ mkdir -p "$tmpdir" echo "Analyzing CFEngine core dumps" _core_log="$tmpdir"/core-dump.log -_sysctl_kernel_core_pattern="$(sysctl -n kernel.core_pattern)" +if command -v sysctl >/dev/null; then + _sysctl_kernel_core_pattern="$(sysctl -n kernel.core_pattern)" +else + _sysctl_kernel_core_pattern="" +fi if expr "$_sysctl_kernel_core_pattern" : ".*/systemd-coredump.*" > /dev/null 2>&1; then echo "Found systemd-coredump used in sysctl kernel.core_pattern \"$_sysctl_kernel_core_pattern\"" echo "Using coredumpctl to analyze CFEngine core dumps" From 0f9f192ccef3c3e2534187a1ed8225e4097d6a99 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 9 Dec 2024 16:12:00 -0600 Subject: [PATCH 182/255] Adjusted cf-support to not fail if core dumps are available and gdb is missing Previously cf-support would fail if core dumps were present and gdb was missing. We only want a warning and a log of which files are available for anlysis in this case. Ticket: ENT-9786 Changelog: title (cherry picked from commit 8194ff54cb0874cf46f9f2bb97e8a9837f448662) --- misc/cf-support | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/misc/cf-support b/misc/cf-support index ca9cc75b99..ce59602680 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -194,17 +194,20 @@ else if [ "$OS" != "solaris" ]; then if ! command -v gdb >/dev/null; then echo "Please install gdb. This is required in order to analyze core dumps." - exit 1 + echo "Core dumps needing to be analyzed will be listed below:" fi fi for core_file in $cf_core_files; do file "$core_file" >> "$_core_log" if [ "$OS" = "solaris" ]; then pstack "$core_file" >> "$_core_log" 2>&1 - else + elif command -v gdb >/dev/null; then execfn=`file "$core_file" | sed 's/,/\n/g' | grep execfn | cut -d: -f2 | sed "s/[' ]//g"` exe="`realpath "$execfn"`" gdb "$exe" --core="$core_file" -batch -ex "thread apply all bt full" >> "$_core_log" 2>&1 + else + # shellcheck disable=SC2012 + ls -l "$core_file" | tee "$_core_log" fi done fi From 9df186fc84953ba1163cfde3466edd8e85e0e92d Mon Sep 17 00:00:00 2001 From: Bastian Triller Date: Tue, 19 Nov 2024 23:36:22 +0100 Subject: [PATCH 183/255] libpromises/evalfunction: Do not crash w/o arguments Do not crash cf-promises if no argument is given for following functions: * readfile * iprange * isipinsubnet (cherry picked from commit e040d7f0526230b3a9f8d4b2780c27167184545e) Signed-off-by: Lars Erik Wik --- libpromises/evalfunction.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index c78224546a..0a9297856b 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -5697,6 +5697,14 @@ static FnCallResult FnCallFormat(EvalContext *ctx, ARG_UNUSED const Policy *poli static FnCallResult FnCallIPRange(EvalContext *ctx, ARG_UNUSED const Policy *policy, const FnCall *fp, const Rlist *finalargs) { + assert(fp != NULL); + + if (finalargs == NULL) + { + Log(LOG_LEVEL_ERR, "Function '%s' requires at least one argument", fp->name); + return FnFailure(); + } + const char *range = RlistScalarValue(finalargs); const Rlist *ifaces = finalargs->next; @@ -5761,6 +5769,14 @@ static FnCallResult FnCallIsIpInSubnet(ARG_UNUSED EvalContext *ctx, ARG_UNUSED const Policy *policy, const FnCall *fp, const Rlist *finalargs) { + assert(fp != NULL); + + if (finalargs == NULL) + { + Log(LOG_LEVEL_ERR, "Function '%s' requires at least one argument", fp->name); + return FnFailure(); + } + const char *range = RlistScalarValue(finalargs); const Rlist *ips = finalargs->next; @@ -6878,6 +6894,12 @@ static FnCallResult FnCallEval(EvalContext *ctx, ARG_UNUSED const Policy *policy static FnCallResult FnCallReadFile(ARG_UNUSED EvalContext *ctx, ARG_UNUSED const Policy *policy, ARG_UNUSED const FnCall *fp, const Rlist *finalargs) { + if (finalargs == NULL) + { + Log(LOG_LEVEL_ERR, "Function 'readfile' requires at least one argument"); + return FnFailure(); + } + char *filename = RlistScalarValue(finalargs); const Rlist *next = finalargs->next; // max_size argument, default to inf: long maxsize = next ? IntFromString(RlistScalarValue(next)) : IntFromString("inf"); From c71bf1573f3426d7632d4af5eb25acce1d4f0e9e Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 24 Oct 2024 11:12:48 +0200 Subject: [PATCH 184/255] Fixed bug causing LMDB database corruption Fixed bug where `DBPrivWriteCursorEntry()` in `dbm_lmdb.c` always assigns `sizeof(size_t)` to the key size. Fixed it by adding another attribute for keeping track of its size in the respective `DBCursorPriv_` struct. Ticket: None Changelog: Title Signed-off-by: Lars Erik Wik (cherry picked from commit cc935194c3b7b2181f2f62652cfa26096b5e258e) --- libpromises/dbm_lmdb.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libpromises/dbm_lmdb.c b/libpromises/dbm_lmdb.c index bd3a07aecc..ae613fca2d 100644 --- a/libpromises/dbm_lmdb.c +++ b/libpromises/dbm_lmdb.c @@ -69,6 +69,7 @@ struct DBCursorPriv_ MDB_cursor *mc; MDB_val delkey; void *curkv; + size_t curks; bool pending_delete; }; @@ -1290,6 +1291,7 @@ bool DBPrivAdvanceCursor( } cursor->curkv = xmalloc(keybuf_size + data.mv_size); memcpy(cursor->curkv, mkey.mv_data, mkey.mv_size); + cursor->curks = mkey.mv_size; *key = cursor->curkv; *key_size = mkey.mv_size; *value_size = data.mv_size; @@ -1355,7 +1357,7 @@ bool DBPrivWriteCursorEntry( { MDB_val curkey; curkey.mv_data = cursor->curkv; - curkey.mv_size = sizeof(cursor->curkv); + curkey.mv_size = cursor->curks; rc = mdb_cursor_put(cursor->mc, &curkey, &data, MDB_CURRENT); CheckLMDBUsable(rc, cursor->db->env); From 0321fd8f4b34e6d0785cf2919aba6d876afeb4c1 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 23 Oct 2024 09:33:52 +0200 Subject: [PATCH 185/255] Re-enabled DB migration support for LMDB For some reason DB migration for LMDB was removed in 2014 (in commit 8611970bfa33be7b3cf0724eb684833e08582850). Unfortunately there is no mention as to why this was done. I will try to re-enable it. Ticket: None Changelog: Title Signed-off-by: Lars Erik Wik (cherry picked from commit 9703d8e7deaeb8ca33347a5a002c229f8c119788) --- libpromises/dbm_migration.c | 2 +- libpromises/dbm_migration_lastseen.c | 145 +++------------------------ 2 files changed, 14 insertions(+), 133 deletions(-) diff --git a/libpromises/dbm_migration.c b/libpromises/dbm_migration.c index b494636e83..1f5e9209ed 100644 --- a/libpromises/dbm_migration.c +++ b/libpromises/dbm_migration.c @@ -30,7 +30,7 @@ extern const DBMigrationFunction dbm_migration_plan_lastseen[]; -#ifdef LMDB +#ifndef LMDB bool DBMigrate(ARG_UNUSED DBHandle *db, ARG_UNUSED dbid id) { return true; diff --git a/libpromises/dbm_migration_lastseen.c b/libpromises/dbm_migration_lastseen.c index df867be410..ef2bcd861f 100644 --- a/libpromises/dbm_migration_lastseen.c +++ b/libpromises/dbm_migration_lastseen.c @@ -48,138 +48,19 @@ typedef struct static bool LastseenMigrationVersion0(DBHandle *db) { - bool errors = false; - DBCursor *cursor; - - if (!NewDBCursor(db, &cursor)) - { - return false; - } - - char *key; - void *value; - int ksize, vsize; - - while (NextDB(cursor, &key, &ksize, &value, &vsize)) - { - if (ksize == 0) - { - Log(LOG_LEVEL_INFO, "LastseenMigrationVersion0: Database structure error -- zero-length key."); - continue; - } - - /* Only look for old [+-]kH -> IP entries */ - if ((key[0] != '+') && (key[0] != '-')) - { - /* Warn about completely unexpected keys */ - - if ((key[0] != 'q') && (key[0] != 'k') && (key[0] != 'a')) - { - Log(LOG_LEVEL_INFO, "LastseenMigrationVersion0: Malformed key found '%s'", key); - } - - continue; - } - - bool incoming = key[0] == '-'; - const char *hostkey = key + 1; - - /* Only migrate sane data */ - if (vsize != QPOINT0_OFFSET + sizeof(QPoint0)) - { - Log(LOG_LEVEL_INFO, - "LastseenMigrationVersion0: invalid value size for key '%s', entry is deleted", - key); - DBCursorDeleteEntry(cursor); - continue; - } - - /* Properly align the data */ - const char *old_data_address = (const char *) value; - QPoint0 old_data_q; - memcpy(&old_data_q, (const char *) value + QPOINT0_OFFSET, - sizeof(QPoint0)); - - char hostkey_key[CF_BUFSIZE]; - snprintf(hostkey_key, CF_BUFSIZE, "k%s", hostkey); - - if (!WriteDB(db, hostkey_key, old_data_address, strlen(old_data_address) + 1)) - { - Log(LOG_LEVEL_INFO, "Unable to write version 1 lastseen entry for '%s'", key); - errors = true; - continue; - } - - char address_key[CF_BUFSIZE]; - snprintf(address_key, CF_BUFSIZE, "a%s", old_data_address); - - if (!WriteDB(db, address_key, hostkey, strlen(hostkey) + 1)) - { - Log(LOG_LEVEL_INFO, "Unable to write version 1 reverse lastseen entry for '%s'", key); - errors = true; - continue; - } - - char quality_key[CF_BUFSIZE]; - snprintf(quality_key, CF_BUFSIZE, "q%c%s", incoming ? 'i' : 'o', hostkey); - - /* - Ignore malformed connection quality data - */ - - if ((!isfinite(old_data_q.q)) - || (old_data_q.q < 0) - || (!isfinite(old_data_q.expect)) - || (!isfinite(old_data_q.var))) - { - Log(LOG_LEVEL_INFO, "Ignoring malformed connection quality data for '%s'", key); - DBCursorDeleteEntry(cursor); - continue; - } - - KeyHostSeen data = { - .lastseen = (time_t)old_data_q.q, - .Q = { - /* - Previously .q wasn't stored in database, but was calculated - every time as a difference between previous timestamp and a - new timestamp. Given we don't have this information during - the database upgrade, just assume that last reading is an - average one. - */ - .q = old_data_q.expect, - .dq = 0, - .expect = old_data_q.expect, - .var = old_data_q.var, - } - }; - - if (!WriteDB(db, quality_key, &data, sizeof(data))) - { - Log(LOG_LEVEL_INFO, "Unable to write version 1 connection quality key for '%s'", key); - errors = true; - continue; - } - - if (!DBCursorDeleteEntry(cursor)) - { - Log(LOG_LEVEL_INFO, "Unable to delete version 0 lastseen entry for '%s'", key); - errors = true; - } - } - - if (DeleteDBCursor(cursor) == false) - { - Log(LOG_LEVEL_ERR, "LastseenMigrationVersion0: Unable to close cursor"); - errors = true; - } - - if ((!errors) && (!WriteDB(db, "version", "1", sizeof("1")))) - { - errors = true; - } - - return !errors; + /* For some reason DB migration for LMDB was disabled in 2014 (in commit + * 8611970bfa33be7b3cf0724eb684833e08582850). Unfortunately there is no + * mention as to why this was done. Maybe it was not working? + * + * However, we're re-enabling it now (10 years later). Since this + * migration function has not been active for the last 10 years, the + * safest thing is to remove the migration logic, and only update the + * version number. + * + * If you have not upgraded CFEngine in the last 10 years, this will be + * the least of your problems. + */ + return WriteDB(db, "version", "1", sizeof("1")); } const DBMigrationFunction dbm_migration_plan_lastseen[] = From 67b8093c9f3ee73ad0bc568ebfbb1008dc9f788d Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 10 Oct 2024 22:04:35 +0200 Subject: [PATCH 186/255] Added acknowledged field to lastseen DB This field can be used to acknowledge an update to an incoming or outgoing host entry in the lastseen DB. The field is set to `false` when a key-value pair is updated. `cf-hub` may at any time acknowledge that the update has been observed by setting the field to `true`. Ticket: ENT-11838 Changelog: Title Signed-off-by: Lars Erik Wik Co-authored-by: Craig Comstock (cherry picked from commit 4a9c281c70485c12c13c743b2b5705f7149e4816) --- cf-check/db_structs.h | 1 + cf-check/dump.c | 2 + libpromises/dbm_migration_lastseen.c | 79 ++++++++++++++++++++++++++++ libpromises/lastseen.c | 5 +- libpromises/lastseen.h | 1 + tests/unit/lastseen_test.c | 2 + 6 files changed, 89 insertions(+), 1 deletion(-) diff --git a/cf-check/db_structs.h b/cf-check/db_structs.h index 0ca3d23a08..17ba14e73b 100644 --- a/cf-check/db_structs.h +++ b/cf-check/db_structs.h @@ -17,6 +17,7 @@ // Struct used for quality entries in /var/cfengine/state/cf_lastseen.lmdb: typedef struct { + bool acknowledged; time_t lastseen; QPoint Q; } KeyHostSeen; // Keep in sync with lastseen.h diff --git a/cf-check/dump.c b/cf-check/dump.c index 6ddc89cad6..b00bf5a29a 100644 --- a/cf-check/dump.c +++ b/cf-check/dump.c @@ -107,6 +107,7 @@ static void print_struct_lastseen_quality( memcpy(&quality, value.mv_data, sizeof(quality)); const time_t lastseen = quality.lastseen; const QPoint Q = quality.Q; + bool acknowledged = quality.acknowledged; JsonElement *q_json = JsonObjectCreate(4); JsonObjectAppendReal(q_json, "q", Q.q); @@ -115,6 +116,7 @@ static void print_struct_lastseen_quality( JsonObjectAppendReal(q_json, "dq", Q.dq); JsonElement *top_json = JsonObjectCreate(2); + JsonObjectAppendBool(top_json, "acknowledged", acknowledged); JsonObjectAppendInteger(top_json, "lastseen", lastseen); JsonObjectAppendObject(top_json, "Q", q_json); diff --git a/libpromises/dbm_migration_lastseen.c b/libpromises/dbm_migration_lastseen.c index ef2bcd861f..68dcee28f8 100644 --- a/libpromises/dbm_migration_lastseen.c +++ b/libpromises/dbm_migration_lastseen.c @@ -26,6 +26,7 @@ #include #include +#include typedef struct { @@ -34,6 +35,12 @@ typedef struct double var; } QPoint0; +typedef struct +{ + time_t lastseen; + QPoint Q; // Average time between connections (rolling weighted average) +} KeyHostSeen1; + #define QPOINT0_OFFSET 128 /* @@ -63,8 +70,80 @@ static bool LastseenMigrationVersion0(DBHandle *db) return WriteDB(db, "version", "1", sizeof("1")); } +static bool LastseenMigrationVersion1(DBHandle *db) +{ + DBCursor *cursor; + if (!NewDBCursor(db, &cursor)) + { + Log(LOG_LEVEL_ERR, + "Unable to create database cursor during lastseen migration"); + return false; + } + + char *key; + void *value; + int key_size, value_size; + + // Iterate through all key-value pairs + while (NextDB(cursor, &key, &key_size, &value, &value_size)) + { + if (key_size == 0) + { + Log(LOG_LEVEL_WARNING, + "Found zero-length key during lastseen migration"); + continue; + } + + // Only look for old KeyHostSeen entries + if (key[0] != 'q') + { + // Warn about completely unexpected keys + if ((key[0] != 'k') && (key[0] != 'a') && !StringEqualN(key, "version", key_size)) + { + Log(LOG_LEVEL_WARNING, + "Found unexpected key '%s' during lastseen migration. " + "Only expecting 'version' or 'k', 'a' and 'q[i|o]' prefixed keys.", + key); + } + continue; + } + + KeyHostSeen1 *old_value = value; + KeyHostSeen new_value = { + .acknowledged = true, // We don't know, assume yes + .lastseen = old_value->lastseen, + .Q = old_value->Q, + }; + + // This will overwrite the entry + if (!DBCursorWriteEntry(cursor, &new_value, sizeof(new_value))) + { + Log(LOG_LEVEL_ERR, + "Unable to write version 2 of entry for key '%s' during lastseen migration.", + key); + return false; + } + } + + if (!DeleteDBCursor(cursor)) + { + Log(LOG_LEVEL_ERR, "Unable to close cursor during lastseen migration"); + return false; + } + + if (!WriteDB(db, "version", "2", sizeof("2"))) + { + Log(LOG_LEVEL_ERR, "Failed to update version number during lastseen migration"); + return false; + } + + Log(LOG_LEVEL_INFO, "Migrated lastseen database from version 1 to 2"); + return true; +} + const DBMigrationFunction dbm_migration_plan_lastseen[] = { LastseenMigrationVersion0, + LastseenMigrationVersion1, NULL }; diff --git a/libpromises/lastseen.c b/libpromises/lastseen.c index 495fa418cb..895cb828ed 100644 --- a/libpromises/lastseen.c +++ b/libpromises/lastseen.c @@ -121,7 +121,10 @@ void UpdateLastSawHost(const char *hostkey, const char *address, char quality_key[CF_BUFSIZE]; snprintf(quality_key, CF_BUFSIZE, "q%c%s", incoming ? 'i' : 'o', hostkey); - KeyHostSeen newq = { .lastseen = timestamp }; + KeyHostSeen newq = { + .acknowledged = false, + .lastseen = timestamp, + }; KeyHostSeen q; if (ReadDB(db, quality_key, &q, sizeof(q))) diff --git a/libpromises/lastseen.h b/libpromises/lastseen.h index 8c0a7caf9e..c53ed20598 100644 --- a/libpromises/lastseen.h +++ b/libpromises/lastseen.h @@ -29,6 +29,7 @@ typedef struct { + bool acknowledged; // True when acknowledged by cf-hub, false when updated time_t lastseen; QPoint Q; // Average time between connections (rolling weighted average) } KeyHostSeen; diff --git a/tests/unit/lastseen_test.c b/tests/unit/lastseen_test.c index 0344a2e59b..0cd28a31c7 100644 --- a/tests/unit/lastseen_test.c +++ b/tests/unit/lastseen_test.c @@ -70,6 +70,7 @@ static void test_newentry(void) KeyHostSeen q; assert_int_equal(ReadDB(db, "qiSHA-12345", &q, sizeof(q)), true); + assert_false(q.acknowledged); assert_int_equal(q.lastseen, 666); assert_double_close(q.Q.q, 0.0); assert_double_close(q.Q.dq, 0.0); @@ -102,6 +103,7 @@ static void test_update(void) KeyHostSeen q; assert_int_equal(ReadDB(db, "qiSHA-12345", &q, sizeof(q)), true); + assert_false(q.acknowledged); assert_int_equal(q.lastseen, 1110); assert_double_close(q.Q.q, 555.0); assert_double_close(q.Q.dq, 555.0); From b7dc4b533cdae2231374885912229f45e01fc9a8 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 11 Oct 2024 13:04:01 +0200 Subject: [PATCH 187/255] Added acknowledge function for lastseen entries Added function to acknowledge the observation of a lastseen entry in DB. Ticket: ENT-11838 Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 5debe988ef2c4b09619ca06e490e42cb9a89f315) --- libpromises/lastseen.c | 51 ++++++++++++++++++++++++++++++++++++++++++ libpromises/lastseen.h | 8 +++++++ 2 files changed, 59 insertions(+) diff --git a/libpromises/lastseen.c b/libpromises/lastseen.c index 895cb828ed..2f333cce48 100644 --- a/libpromises/lastseen.c +++ b/libpromises/lastseen.c @@ -766,3 +766,54 @@ int RemoveKeysFromLastSeen(const char *input, bool must_be_coherent, return 0; } + +static bool OnlyRewriteIfChanged(KeyHostSeen *entry, ARG_UNUSED size_t size, KeyHostSeen *new) +{ + assert(entry != NULL); + assert(new != NULL); + + if (entry->acknowledged) + { + return false; + } + + new->acknowledged = true; + new->lastseen = entry->lastseen; + new->Q = entry->Q; + + return true; +} + +bool LastSeenHostAcknowledge(const char *host_key, bool incoming) +{ + DBHandle *db = NULL; + if (!OpenDB(&db, dbid_lastseen)) + { + Log(LOG_LEVEL_ERR, "Unable to open lastseen DB"); + return false; + } + + // Update quality-of-connection entry + char key[CF_BUFSIZE]; + NDEBUG_UNUSED int ret = snprintf(key, CF_BUFSIZE, "q%c%s", incoming ? 'i' : 'o', host_key); + assert(ret > 0 && ret < CF_BUFSIZE); + + KeyHostSeen value; + value.lastseen = 0; /* To distinguish between entry not found and error */ + if (OverwriteDB(db, key, &value, sizeof(value), (OverwriteCondition)OnlyRewriteIfChanged, &value)) + { + Log(LOG_LEVEL_DEBUG, "Acknowledged observation of key '%s' to lastseen DB", key); + } + else if (value.lastseen != 0 /* was found */ && + !value.acknowledged /* should update */) + { + /* In this case, the entry was found and should have been updated. + * However, false was returned. Hence, this must be due to error. */ + Log(LOG_LEVEL_ERR, "Unable to overwrite key '%s' to lastseen DB", key); + CloseDB(db); + return false; + } + + CloseDB(db); + return true; +} diff --git a/libpromises/lastseen.h b/libpromises/lastseen.h index c53ed20598..b8b4f28bd9 100644 --- a/libpromises/lastseen.h +++ b/libpromises/lastseen.h @@ -63,4 +63,12 @@ bool IsLastSeenCoherent(void); int RemoveKeysFromLastSeen(const char *input, bool must_be_coherent, char *equivalent, size_t equivalent_size); +/** + * @brief Acknowledge that lastseen host entry is observed. + * @param host_key The host key of the lastseen entry. + * @param incoming Whether it is an incoming or outgoing entry. + * @return true if host entry was successfully acknowledged, otherwise false. + */ +bool LastSeenHostAcknowledge(const char *host_key, bool incoming); + #endif From da28210e175d72b88f835347673c187a82895012 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 22 Oct 2024 16:59:51 +0200 Subject: [PATCH 188/255] Handle LMDB migration failures In case of LMDB migration failures, the respective database file is moved to the side, and a fresh database is created. Ticket: None Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit ee82601f946c9be3bd601f28c957e2996eb7dcfc) --- libpromises/dbm_api.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/libpromises/dbm_api.c b/libpromises/dbm_api.c index 7b422ddaec..4ecd61416a 100644 --- a/libpromises/dbm_api.c +++ b/libpromises/dbm_api.c @@ -433,17 +433,23 @@ bool OpenDBInstance(DBHandle **dbp, dbid id, DBHandle *handle) } } - DBPathUnLock(&lock); - } - - if (handle->priv) - { - if (!DBMigrate(handle, id)) + if (handle->priv != NULL) { - DBPrivCloseDB(handle->priv); - handle->priv = NULL; - handle->open_tstamp = -1; + if (!DBMigrate(handle, id)) + { + /* Migration failed. The best we can do is to move the + * broken DB to the side and start fresh. */ + DBPrivCloseDB(handle->priv); + DBPathMoveBroken(handle->filename); + handle->priv = DBPrivOpenDB(handle->filename, id); + if (handle->priv == DB_PRIV_DATABASE_BROKEN) + { + handle->priv = NULL; + } + } } + + DBPathUnLock(&lock); } } From 3069eab3b3cea7cdca42f479fbd43bd8b7b56690 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 24 Oct 2024 12:56:03 +0200 Subject: [PATCH 189/255] Now creates backup before LMDB migration Ticket: None Changelog: Title Signed-off-by: Lars Erik Wik (cherry picked from commit 11e87169ef1841b69b327458589a0c99b8d7d828) --- libpromises/dbm_migration.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libpromises/dbm_migration.c b/libpromises/dbm_migration.c index 1f5e9209ed..b146765eac 100644 --- a/libpromises/dbm_migration.c +++ b/libpromises/dbm_migration.c @@ -26,6 +26,7 @@ #include #include +#include extern const DBMigrationFunction dbm_migration_plan_lastseen[]; @@ -64,6 +65,11 @@ bool DBMigrate(DBHandle *db, dbid id) { if (step_version == DBVersion(db)) { + Seq *seq = SeqNew(1, free); + SeqAppend(seq, DBIdToPath(id)); + backup_files_copy(seq); + SeqDestroy(seq); + if (!(*step)(db)) { return false; From 523d4602bc2f6f3ea2a11e40ea495d23557e5caf Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 24 Oct 2024 13:46:00 +0200 Subject: [PATCH 190/255] Fixed possible segfault when backing up LMDB databases The logic to generate the path of the LMDB backup directories used timestamps in order to create a "unique" backup directory. If two backups where created with the same timestamp, `mkdir()` would fail and the program would later segfault. I fixed this by modifying the logic to use `mkdtemp()` instead, guaranteeing a unique directory. Furthermore, the code now handles the returned `NULL` pointer caused by `EEXISTS`. I decided to keep the timestamp as well, because it's nice for filtering out the latest backup. Ticket: None Changelog: Title Signed-off-by: Lars Erik Wik (cherry picked from commit 526f354af5a9d7f134b85a104be73fe8ecddf874) --- cf-check/backup.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/cf-check/backup.c b/cf-check/backup.c index f37936a57b..221ae9259a 100644 --- a/cf-check/backup.c +++ b/cf-check/backup.c @@ -70,8 +70,9 @@ const char *create_backup_dir() return NULL; } - const int n = - snprintf(backup_dir, PATH_MAX, "%s%jd/", backup_root, (intmax_t)ts); + int n = + snprintf(backup_dir, PATH_MAX - 1, // trailing slash for later + "%s%jd-XXXXXX", backup_root, (intmax_t)ts); if (n >= PATH_MAX) { Log(LOG_LEVEL_ERR, @@ -81,7 +82,7 @@ const char *create_backup_dir() return NULL; } - if (mkdir(backup_dir, 0700) != 0) + if (mkdtemp(backup_dir) == NULL) { Log(LOG_LEVEL_ERR, "Could not create directory '%s' (%s)", @@ -90,6 +91,10 @@ const char *create_backup_dir() return NULL; } + // Add trailing forward slash + backup_dir[n++] = FILE_SEPARATOR; + backup_dir[n] = '\0'; + return backup_dir; } @@ -102,6 +107,11 @@ int backup_files_copy(Seq *filenames) assert_or_return(length > 0, 1); const char *backup_dir = create_backup_dir(); + if (backup_dir == NULL) + { + // Error already logged + return -1; + } Log(LOG_LEVEL_INFO, "Backing up to '%s'", backup_dir); From 8aa46dad2e34c3211f6f9877a0b42d14111f28f9 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 3 Mar 2025 14:54:40 -0600 Subject: [PATCH 191/255] Minimized resources for static-check (package dependencies) and added cppcheck version printout Added notes about how --config-cache (-C) helps make libntech configuration faster by re-using core's results. Ticket: none Changelog: none (cherry picked from commit 0fead4fe459ff6022a1a0b32aab94232eb6aa88f) --- .github/workflows/job-static-check.yml | 8 +------- tests/static-check/run_checks.sh | 24 ++++++++++++++++++++---- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/.github/workflows/job-static-check.yml b/.github/workflows/job-static-check.yml index 5609b28edd..295aaf1d33 100644 --- a/.github/workflows/job-static-check.yml +++ b/.github/workflows/job-static-check.yml @@ -46,13 +46,7 @@ jobs: - name: Prepare Environment run: | sudo apt-get update && \ - sudo apt-get install -y dpkg-dev debhelper g++ libncurses6 pkg-config \ - build-essential libpam0g-dev fakeroot gcc make autoconf buildah \ - liblmdb-dev libacl1-dev libcurl4-openssl-dev libyaml-dev libxml2-dev \ - libssl-dev libpcre3-dev - - - name: Run Autogen - run: NO_CONFIGURE=1 PROJECT=community ./buildscripts/build-scripts/autogen + sudo apt-get install -y buildah - name: Run The Test working-directory: ./core diff --git a/tests/static-check/run_checks.sh b/tests/static-check/run_checks.sh index 4583968ff0..57bb12b5d1 100755 --- a/tests/static-check/run_checks.sh +++ b/tests/static-check/run_checks.sh @@ -5,25 +5,34 @@ set -x n_procs="$(getconf _NPROCESSORS_ONLN)" function check_with_gcc() { + # previous runs may have cached configuration based on a different CC rm -f config.cache make clean - ./configure -C --enable-debug CC=gcc - local gcc_exceptions="-Wno-sign-compare" + # here --config-cache enables lots of checks in subdir libntech to re-use checks made in core + ./configure --config-cache --enable-debug CC=gcc + local gcc_exceptions="-Wno-sign-compare -Wno-enum-int-mismatch" make -j -l${n_procs} --keep-going CFLAGS="-Werror -Wall -Wextra $gcc_exceptions" } function check_with_clang() { + # previous runs may have cached configuration based on a different CC rm -f config.cache make clean - ./configure -C --enable-debug CC=clang + # here --config-cache enables lots of checks in subdir libntech to re-use checks made in core + ./configure --config-cache --enable-debug CC=clang make -j -l${n_procs} --keep-going CFLAGS="-Werror -Wall -Wextra -Wno-sign-compare" } function check_with_cppcheck() { + # previous runs may have cached configuration based on a different CC rm -f config.cache make clean + # here --config-cache enables lots of checks in subdir libntech to re-use checks made in core + ./configure --config-cache --enable-debug make -C libpromises/ bootstrap.inc # needed by libpromises/bootstrap.c - ./configure -C --enable-debug + + # print out cppcheck version for comparisons over time in case of regressions due to newer versions + cppcheck --version # cppcheck options: # -I -- include paths @@ -42,6 +51,13 @@ cd "$(dirname $0)"/../../ failure=0 failures="" + +# in jenkins the workdir is already autogen'd +# in github it is not, so do that work here +if [ ! -f configure ]; then + ./autogen.sh --enable-debug +fi + check_with_gcc || { failures="${failures}FAIL: GCC check failed\n"; failure=1; } check_with_clang || { failures="${failures}FAIL: Clang check failed\n"; failure=1; } check_with_cppcheck || { failures="${failures}FAIL: cppcheck failed\n"; failure=1; } From 716523350da0d68d3e9dfb9dcc34001a424707da Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 3 Mar 2025 10:53:50 -0600 Subject: [PATCH 192/255] address static-check complaints (cherry picked from commit 83ab8272380fa68e4584ba7f6fcdb0df79919c84) --- cf-check/dump.c | 2 +- libpromises/locks.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cf-check/dump.c b/cf-check/dump.c index b00bf5a29a..6ded3c8bbd 100644 --- a/cf-check/dump.c +++ b/cf-check/dump.c @@ -224,7 +224,7 @@ static void print_struct_persistent_class( /* Make a copy to ensure proper alignment. We cannot just copy data to a * local PersistentClassInfo variable because it contains a * variable-length string at the end (see the struct definition). */ - PersistentClassInfo *class_info = malloc(value.mv_size); + PersistentClassInfo *class_info = xmalloc(value.mv_size); memcpy(class_info, value.mv_data, value.mv_size); const unsigned int expires = class_info->expires; const PersistentClassPolicy policy = class_info->policy; diff --git a/libpromises/locks.c b/libpromises/locks.c index 0c788f42eb..1460add4ff 100644 --- a/libpromises/locks.c +++ b/libpromises/locks.c @@ -85,7 +85,7 @@ static CfLockStack *LOCK_STACK = NULL; static void PushLock(char *lock, char *last) { - CfLockStack *new_lock = malloc(sizeof(CfLockStack)); + CfLockStack *new_lock = xmalloc(sizeof(CfLockStack)); strlcpy(new_lock->lock, lock, CF_BUFSIZE); strlcpy(new_lock->last, last, CF_BUFSIZE); From 970fc4f8f76c65e938628ab05572f4073aff0d9e Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 11 Mar 2025 09:18:08 -0500 Subject: [PATCH 193/255] Fixed static-check to not configure when running autogen. Ticket: none Changelog: none (cherry picked from commit 05a36b5884fa0a97bf8aa4d6c7787c41ba8ef614) --- tests/static-check/run_checks.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/static-check/run_checks.sh b/tests/static-check/run_checks.sh index 57bb12b5d1..adf7538423 100755 --- a/tests/static-check/run_checks.sh +++ b/tests/static-check/run_checks.sh @@ -55,7 +55,7 @@ failures="" # in jenkins the workdir is already autogen'd # in github it is not, so do that work here if [ ! -f configure ]; then - ./autogen.sh --enable-debug + NO_CONFIGURE=1 ./autogen.sh --enable-debug fi check_with_gcc || { failures="${failures}FAIL: GCC check failed\n"; failure=1; } From c2b3a20adc0eb1e8d02c849eea3ff152bec016ab Mon Sep 17 00:00:00 2001 From: Ihor Aleksandrychiev Date: Mon, 31 Mar 2025 16:55:14 +0300 Subject: [PATCH 194/255] Fixed incorrect exit code handling in cf-runagent ChangeLog: Title Ticket: ENT-12712 Signed-off-by: Ihor Aleksandrychiev (cherry picked from commit 79a2165877dbda5ae1ce5b8a6d050fb10edb44af) --- cf-runagent/cf-runagent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cf-runagent/cf-runagent.c b/cf-runagent/cf-runagent.c index af7f1ec417..715bb0fbae 100644 --- a/cf-runagent/cf-runagent.c +++ b/cf-runagent/cf-runagent.c @@ -256,7 +256,7 @@ int main(int argc, char *argv[]) if (fork() == 0) /* child process */ { int remote_exit_code = HailServer(ctx, config, RlistScalarValue(rp)); - DoCleanupAndExit(remote_exit_code > 0 ? remote_exit_code : CF_RA_EXIT_CODE_OTHER_ERR); + DoCleanupAndExit(remote_exit_code >= 0 ? remote_exit_code : CF_RA_EXIT_CODE_OTHER_ERR); } else /* parent process */ { From 03846921ef6ae1029727185ecb41166157bf5172 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 10 Apr 2025 10:10:48 -0500 Subject: [PATCH 195/255] Adjusted static-checks test to use half the number of available processors to avoid cppcheckerror segfaults Just a wild guess at how to fix a flakey issue we see fairly often. Ticket: ENT-11515 Changelog: none (cherry picked from commit cd4dce1adb36cd23ee775af25e7919e49f8afc13) --- tests/static-check/run_checks.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tests/static-check/run_checks.sh b/tests/static-check/run_checks.sh index adf7538423..3803ccda07 100755 --- a/tests/static-check/run_checks.sh +++ b/tests/static-check/run_checks.sh @@ -3,6 +3,7 @@ set -x n_procs="$(getconf _NPROCESSORS_ONLN)" +use_procs=$((n_procs/2)) function check_with_gcc() { # previous runs may have cached configuration based on a different CC @@ -11,7 +12,7 @@ function check_with_gcc() { # here --config-cache enables lots of checks in subdir libntech to re-use checks made in core ./configure --config-cache --enable-debug CC=gcc local gcc_exceptions="-Wno-sign-compare -Wno-enum-int-mismatch" - make -j -l${n_procs} --keep-going CFLAGS="-Werror -Wall -Wextra $gcc_exceptions" + make -j -l${use_procs} --keep-going CFLAGS="-Werror -Wall -Wextra $gcc_exceptions" } function check_with_clang() { @@ -20,7 +21,7 @@ function check_with_clang() { make clean # here --config-cache enables lots of checks in subdir libntech to re-use checks made in core ./configure --config-cache --enable-debug CC=clang - make -j -l${n_procs} --keep-going CFLAGS="-Werror -Wall -Wextra -Wno-sign-compare" + make -j -l${use_procs} --keep-going CFLAGS="-Werror -Wall -Wextra -Wno-sign-compare" } function check_with_cppcheck() { @@ -39,7 +40,7 @@ function check_with_cppcheck() { # -i -- ignored files/folders # --include= -- force including a file, e.g. config.h # Identified issues are printed to stderr - cppcheck --quiet -j${n_procs} --error-exitcode=1 ./ \ + cppcheck --quiet -j${use_procs} --error-exitcode=1 ./ \ --suppressions-list=tests/static-check/cppcheck_suppressions.txt \ --include=config.h \ -I cf-serverd/ -I libpromises/ -I libcfnet/ -I libntech/libutils/ \ From 7f02f69bf44382b10747700a776c0ae4ec91e126 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Tue, 15 Apr 2025 22:24:24 +0200 Subject: [PATCH 196/255] GH Actions: Removed unused Windows acceptance tests workflow Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit 882efffffd0abaaf24aa3617301b96e806852de0) --- .github/workflows/ci.yml | 4 - .../workflows/windows_acceptance_tests.yml | 83 ------------------- 2 files changed, 87 deletions(-) delete mode 100644 .github/workflows/windows_acceptance_tests.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 61c981f5ed..9e4b3ad451 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,10 +17,6 @@ jobs: acceptance_tests: needs: unit_tests uses: ./.github/workflows/acceptance_tests.yml -# Disable windows_acceptance_tests as of Nov 27 2024, taking 6 hours so exceeding github job limit and gets cancelled. -# windows_acceptance_tests: -# needs: unit_tests -# uses: ./.github/workflows/windows_acceptance_tests.yml macos_unit_tests: needs: unit_tests uses: ./.github/workflows/macos_unit_tests.yml diff --git a/.github/workflows/windows_acceptance_tests.yml b/.github/workflows/windows_acceptance_tests.yml deleted file mode 100644 index b6bb6c74ca..0000000000 --- a/.github/workflows/windows_acceptance_tests.yml +++ /dev/null @@ -1,83 +0,0 @@ -name: Windows Acceptance Tests - -on: - workflow_call - -defaults: - run: - shell: msys2 {0} - -jobs: - windows_acceptance_tests: - runs-on: windows-latest - steps: - - uses: msys2/setup-msys2@v2 - with: - install: >- - dos2unix - diffutils - util-linux - python-pip - - - name: Checkout Core - uses: actions/checkout@v3 - - - name: install cf-remote - run: pip install cf-remote --break-system-packages - - # Note that msiexec can't install packages when running under msys; - # But cf-remote currently can't run under powershell - # (because it requires `pwd` module which is Unix-only). - # Hence, we _download_ msi package using cf-remote under msys, - # and install it by msiexec running under powershell. - - - name: get CFEngine package - run: cf-remote --version 3.21.x download 64 msi - - - name: move CFEngine package to current workdir - run: "mv $HOME/.cfengine/cf-remote/packages/*.msi cfengine.msi" - - - name: install CFEngine - run: | - Get-Location # pwd - New-Item -Path "c:\" -Name "artifacts" -ItemType Directory - Start-Process msiexec.exe -Wait -ArgumentList '/quiet /qn /i cfengine.msi /L*V c:\tmp.log' - Get-Content c:\tmp.log | Set-Content -Encoding utf8 c:\artifacts\CFEngine-Install.log - file c:\artifacts\CFEngine-Install.log - shell: pwsh - - - name: run cf-agent - run: "'/c/Program Files/Cfengine/bin/cf-agent.exe' --version" - - # Note that msiexec install CFEngine onto the C: drive (/c/ partition), - # but testall expects it to be on the same partition as where all tests are located (D: drive), - # hence we just copy it over. - - name: copy CFEngine to workdir partition - run: 'cp -a "/c/Program Files/Cfengine" /d/a/' - - - name: prune platform independent tests to make the job more efficient - run: 'Remove-Item -Recurse -Force 00_basics, 01_vars, 02_classes, 10_files, 14_reports, 15_control, 16_cf-serverd, 21_methods, 22_cf-runagent, 26_cf-net, 27_cf-secret, 28_inform_testing' - working-directory: "tests/acceptance" - shell: pwsh - - name: run the tests - run: './testall --bindir="/d/a/Cfengine/bin" --extraclasses=EXTRA' - working-directory: "tests/acceptance" - env: - # env vars for testall script to properly detect environment - USER: runneradmin - OSTYPE: msys - - - name: print test.log - run: 'cat ./tests/acceptance/test.log || true' - if: ${{ always() }} - - name: save test.log in artifacts - run: 'cp ./tests/acceptance/test.log /c/artifacts/test.log || true' - if: ${{ always() }} - - - - name: save artifacts - if: success() || failure() - uses: actions/upload-artifact@v3 - with: - name: artifacts - path: c:\artifacts From 6aacec49a7a0975462033bd03cd2aabdd8c67feb Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 24 Apr 2025 13:45:17 +0200 Subject: [PATCH 197/255] acceptance-tests.yml: Upgrade workflow from unsupported platform Ubuntu 20.04 LTS reached its EOL in April 2025. Upgraded platform to Ubuntu 22.04 LTS. Signed-off-by: Lars Erik Wik --- .github/workflows/acceptance_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/acceptance_tests.yml b/.github/workflows/acceptance_tests.yml index 9eac099968..b3a7c9aa24 100644 --- a/.github/workflows/acceptance_tests.yml +++ b/.github/workflows/acceptance_tests.yml @@ -5,7 +5,7 @@ on: jobs: acceptance_tests: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v3 with: From 24024dd8fa412d7c7be2d7bc45ffe00076032d3b Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 24 Apr 2025 13:59:05 +0200 Subject: [PATCH 198/255] asan_unit_tests.yml: Upgrade workflow from unsupported platform Ubuntu 20.04 LTS reached its EOL in April 2025. Upgraded platform to Ubuntu 22.04 LTS. Signed-off-by: Lars Erik Wik --- .github/workflows/asan_unit_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/asan_unit_tests.yml b/.github/workflows/asan_unit_tests.yml index 9f7ba2076e..91afa796c7 100644 --- a/.github/workflows/asan_unit_tests.yml +++ b/.github/workflows/asan_unit_tests.yml @@ -5,7 +5,7 @@ on: jobs: asan_unit_tests: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v3 with: From b706dbc782567793b1c7392683523dc0aa5400c8 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 24 Apr 2025 13:59:50 +0200 Subject: [PATCH 199/255] shellcheck.yml: Upgrade workflow from unsupported platform Ubuntu 20.04 LTS reached its EOL in April 2025. Upgraded platform to Ubuntu 22.04 LTS. Signed-off-by: Lars Erik Wik --- .github/workflows/shellcheck.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index fd1e2e2523..8f84f184f4 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -4,7 +4,7 @@ on: jobs: unit_tests: name: Run shellcheck on shell scripts - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v3 with: From 80b8f6cf74ccd8a174480b6ede0bb0b40e0c2781 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 24 Apr 2025 14:00:37 +0200 Subject: [PATCH 200/255] unit_tests.yml: Upgrade workflow from unsupported platform Ubuntu 20.04 LTS reached its EOL in April 2025. Upgraded platform to Ubuntu 22.04 LTS. Signed-off-by: Lars Erik Wik --- .github/workflows/unit_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index 99c2f0525e..9aa0412391 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -4,7 +4,7 @@ on: jobs: unit_tests: name: Run Unit Tests - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v3 with: From c78a610c333765a48bf072d552137ed632f6ca6d Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Thu, 7 Dec 2023 15:42:44 +0100 Subject: [PATCH 201/255] Do OSSL_PROVIDER_unload() on the providers that we load To avoid memory leaks. (cherry picked from commit 504c938670d62e0a1ce9e092e182d35173c8f96b) --- libpromises/crypto.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/libpromises/crypto.c b/libpromises/crypto.c index 55d7786017..c9416286e9 100644 --- a/libpromises/crypto.c +++ b/libpromises/crypto.c @@ -63,6 +63,11 @@ static void CleanupOpenSSLThreadLocks(void); static bool crypto_initialized = false; /* GLOBAL_X */ +#if OPENSSL_VERSION_NUMBER > 0x30000000 +static OSSL_PROVIDER *legacy_provider = NULL; +static OSSL_PROVIDER *default_provider = NULL; +#endif + const char *CryptoLastErrorString() { const char *errmsg = ERR_reason_error_string(ERR_get_error()); @@ -114,6 +119,20 @@ void CryptoDeInitialize() EVP_cleanup(); CleanupOpenSSLThreadLocks(); ERR_free_strings(); + +#if OPENSSL_VERSION_NUMBER > 0x30000000 + if (legacy_provider != NULL) + { + OSSL_PROVIDER_unload(legacy_provider); + legacy_provider = NULL; + } + if (default_provider != NULL) + { + OSSL_PROVIDER_unload(default_provider); + default_provider = NULL; + } +#endif + crypto_initialized = false; } } From 2a98adf7edaf72b434bd5c3ba0b064f875fc8617 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 25 Apr 2025 09:28:47 +0200 Subject: [PATCH 202/255] asan_unit_test.yml: Suppressed ODR violation warnings After upgrading GitHub CI platforms to Ubuntu 22 the ASAN Unit Tests workflow started complaining about duplicate definitions of global variables. I added ASAN_OPTIONS=detect_odr_violation=0 to the workflow in order to suppress these errors. There is no point in fixing them for 3.21.x becuase it's about to reach End-of-Life. Furthermore, the warnings are triggered in the unit test code itself and not the production code. Signed-off-by: Lars Erik Wik --- .github/workflows/asan_unit_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/asan_unit_tests.yml b/.github/workflows/asan_unit_tests.yml index 91afa796c7..4f1d041e0d 100644 --- a/.github/workflows/asan_unit_tests.yml +++ b/.github/workflows/asan_unit_tests.yml @@ -17,4 +17,4 @@ jobs: - name: Compile and link (make) run: make -j8 CFLAGS="-Werror -Wall -fsanitize=address" LDFLAGS="-fsanitize=address" - name: Run unit tests - run: make -C tests/unit CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" check + run: ASAN_OPTIONS=detect_odr_violation=0 make -C tests/unit CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" check From 7ddcbe37245ff23fc77603091fed8b8667f8ebdf Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 25 Apr 2025 11:50:40 +0200 Subject: [PATCH 203/255] Just testing to see if this works! Maybe we can suppress this warning since 3.21.x is almost EoL Signed-off-by: Lars Erik Wik --- .github/workflows/asan_unit_tests.yml | 2 +- .github/workflows/suppr.txt | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/suppr.txt diff --git a/.github/workflows/asan_unit_tests.yml b/.github/workflows/asan_unit_tests.yml index 4f1d041e0d..e6e2b9572e 100644 --- a/.github/workflows/asan_unit_tests.yml +++ b/.github/workflows/asan_unit_tests.yml @@ -17,4 +17,4 @@ jobs: - name: Compile and link (make) run: make -j8 CFLAGS="-Werror -Wall -fsanitize=address" LDFLAGS="-fsanitize=address" - name: Run unit tests - run: ASAN_OPTIONS=detect_odr_violation=0 make -C tests/unit CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" check + run: ASAN_OPTIONS=detect_odr_violation=0 LSAN_OPTIONS="suppressions=../../.github/workflows/suppr.txt" make -C tests/unit CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" check diff --git a/.github/workflows/suppr.txt b/.github/workflows/suppr.txt new file mode 100644 index 0000000000..24b14962d3 --- /dev/null +++ b/.github/workflows/suppr.txt @@ -0,0 +1 @@ +leak:crypto From f1221bcc8da6f77b4dd3108eb48e46968e650a35 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 17 Apr 2025 15:43:52 -0500 Subject: [PATCH 204/255] Fixed whitespace typo in message about Cannot open software_packages.csv Ticket: ENT-12732 Changelog: none (cherry picked from commit 2763daf2bc8bcc08c6e8359a98751d40eb104a74) --- libpromises/evalfunction.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index 0a9297856b..49aceeed68 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -1807,7 +1807,7 @@ static bool GetLegacyPackagesMatching(pcre *matcher, JsonElement *json, const bo "Cannot open the %s packages inventory '%s' - " "This is not necessarily an error. " "Either the inventory policy has not been included, " - "or it has not had time to have an effect yet or you are using" + "or it has not had time to have an effect yet or you are using " "new package promise and check for legacy promise is made." "A future call may still succeed. (fopen: %s)", installed_mode ? "installed" : "available", From 2341cf30d792d6a3b19ab55acf94ca0f1cad6f94 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 23 Apr 2025 15:00:51 -0500 Subject: [PATCH 205/255] Added changelog for 3.21.7 Co-authored-by: Lars Erik Wik <53906608+larsewi@users.noreply.github.com> --- ChangeLog | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/ChangeLog b/ChangeLog index b4fa7e34fc..697ce1383d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,19 @@ +3.21.7: + - Added "acknowledged" field to lastseen DB (ENT-11838) + - Adjusted cf-support for exotic UNIX platforms (ENT-9786) + - Adjusted cf-support to not fail if core dumps are available and gdb is missing + (ENT-9786) + - Fixed bug causing LMDB database corruption + - Fixed incorrect exit code handling in cf-runagent (ENT-12712) + - Fixed possible segfault when backing up LMDB databases + - In case of LMDB migration failures, the respective database file is + moved to the side, and a fresh database is created. + - Made cf-support use coredumpctl for core analysis only when configured in kerenl.core_pattern + (ENT-9985) + - cf-agent now creates backup before LMDB migration + - Re-enabled DB migration support for LMDB + - SELinux: Allow cf-serverd to set its own limits (ENT-12446) + 3.21.6: - Fixed multiple issues in cfengine-enterprise SELinux policy which could cause AVC denials / warnings for various CFEngine components. From 8b1ab3c6c0c36387688225735138c904c4667e9b Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 29 Apr 2025 14:14:18 +0200 Subject: [PATCH 206/255] Fixed bug in parsing process_select for Windows The USER field from process_select on Windows may contain spaces. Now, the parser continues until it finds something that looks like a PID. This approach is not bullet proof, because the USER field could contain something that looks like a PID. However, a proper fix would require rewriting the entire parser. Hence, this will do for now. Ticket: ENT-12751 Changelog: Title Signed-off-by: Lars Erik Wik (cherry picked from commit c8593110b77e44a3e16c27e4ff7d1b1da5caf403) --- libpromises/processes_select.c | 47 ++++++++++++++++++++++++++++++ tests/unit/Makefile.am | 5 ++++ tests/unit/processes_select_test.c | 45 ++++++++++++++++++++++++++++ 3 files changed, 97 insertions(+) create mode 100644 tests/unit/processes_select_test.c diff --git a/libpromises/processes_select.c b/libpromises/processes_select.c index f41843c052..1fd80aa4cc 100644 --- a/libpromises/processes_select.c +++ b/libpromises/processes_select.c @@ -718,6 +718,17 @@ static bool SplitProcLine(const char *line, Take these two examples: +Windows: + User field can contain spaces. E.g.: + + USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND + NETWORK SERVICE 540 0.0 0.3 5092 11180 ? ? Apr28 00:00 C:\\Windows\\system32\\svchost.exe -k RPCSS -p + etc. + + There is really no good way to do this with the current parsing logic. We + know that the next field will be a PID, so we can parse until we find a + number. + AIX: USER PID PPID PGID %CPU %MEM VSZ NI S STIME TIME COMMAND root 1 0 0 0.0 0.0 784 20 A Nov 28 00:00:00 /etc/init @@ -831,6 +842,7 @@ Solaris 9: bool cmd = (strcmp(names[field], "CMD") == 0 || strcmp(names[field], "COMMAND") == 0); bool stime = !cmd && (strcmp(names[field], "STIME") == 0); + bool is_user_field = StringEqual(names[field], "USER"); // Equal boolean results, either both must be true, or both must be // false. IOW we must either both be at the last field, and it must be @@ -921,6 +933,41 @@ Solaris 9: last++; } } + else if (is_user_field) + { + bool done = false; + while (!done) + { + while (line[last] != '\0' && !isspace(line[last])) + { + last++; + } + + /* On windows the USER field can contain spaces. We know that + * the next field will be PID. Hence, we seek past the spaces + * to see if the next thing is a number. If this is not the + * case, we assume it is still the USER field. This is not + * bulletproof. However, this parser never was. */ + int seek_past = last; + while (line[seek_past] != '\0' && isspace(line[seek_past])) + { + seek_past++; + } + + if (line[seek_past] == '\0') + { + done = true; + } + else if (isdigit(line[seek_past])) + { + done = true; + } + else + { + last = seek_past; + } + } + } else { // Generic fields diff --git a/tests/unit/Makefile.am b/tests/unit/Makefile.am index 6a72dce240..90f65ec67c 100644 --- a/tests/unit/Makefile.am +++ b/tests/unit/Makefile.am @@ -106,6 +106,7 @@ libdb_la_LIBADD = libstr.la ../../libntech/libutils/libutils.la libdb_la_CFLAGS = $(AM_CFLAGS) check_PROGRAMS = \ + processes_select_test \ arg_split_test \ assoc_test \ item_test \ @@ -201,6 +202,10 @@ if HPUX XFAIL_TESTS = mon_load_test # Redmine #3569 endif + +processes_select_test_SOURCES = processes_select_test.c +processes_select_test_LDADD = libtest.la ../../libpromises/libpromises.la + # # OS X uses real system calls instead of our stubs unless this option is used # diff --git a/tests/unit/processes_select_test.c b/tests/unit/processes_select_test.c new file mode 100644 index 0000000000..f9cfbb805e --- /dev/null +++ b/tests/unit/processes_select_test.c @@ -0,0 +1,45 @@ +#include + +#include +#include +#include + +static void test_SplitProcLine_windows(void) +{ + + char buf[CF_BUFSIZE]; + snprintf(buf, sizeof(buf), "%-20s %5s %s %s %8s %8s %-3s %s %s %5s %s", + "USER", "PID", "%CPU", "%MEM", "VSZ", "RSS", "TTY", "STAT", "START", "TIME", "COMMAND"); + + char *names[CF_PROCCOLS] = {0}; + int start[CF_PROCCOLS]; + int end[CF_PROCCOLS]; + + GetProcessColumnNames(buf, names, start, end); + + const char *const proc_line = "NETWORK SERVICE 540 0.0 0.3 5092 11180 ? ? Apr28 00:00 C:\\Windows\\system32\\svchost.exe -k RPCSS -p"; + time_t pstime = time(NULL); + + char *column[CF_PROCCOLS] = {0}; + + bool ret = SplitProcLine(proc_line, pstime, names, start, end, PCA_AllColumnsPresent, column); + assert_true(ret); + assert_string_equal(column[0], "NETWORK SERVICE"); + + for (int i = 0; i < CF_PROCCOLS; i++) + { + free(names[i]); + free(column[i]); + } +} + +int main() +{ + PRINT_TEST_BANNER(); + const UnitTest tests[] = + { + unit_test(test_SplitProcLine_windows), + }; + + return run_tests(tests); +} From 7a3bc34400bf1913d0e28f0ee838a34388a2b2be Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 2 May 2025 16:01:18 -0500 Subject: [PATCH 207/255] Amended changelog for 3.21.7 --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 697ce1383d..56fae14e16 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,5 @@ 3.21.7: + - Fixed bug in parsing process_select for Windows (ENT-12751) - Added "acknowledged" field to lastseen DB (ENT-11838) - Adjusted cf-support for exotic UNIX platforms (ENT-9786) - Adjusted cf-support to not fail if core dumps are available and gdb is missing From 91139a94d7ce0f07299b3d460489d4d05a610562 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 5 May 2025 15:59:02 -0500 Subject: [PATCH 208/255] Added http_port and getattr selinux permissions as needed for selinux policy on rhel-8 and rhel-9 http_port is needed in el9, selinux-policy version 38.1.45, for inventory policy common bundles. getattr for fsadm_exec_t is needed in el9 and getattr for lvm_exec_t is needed in both el8 and el9. Ticket: ENT-12954 Changelog: title (cherry picked from commit 23dbb8c27c812f5f29f7caf194bda7677b997bc2) --- misc/selinux/cfengine-enterprise.te.all | 6 ++++++ misc/selinux/cfengine-enterprise.te.el9 | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 8b31fa5afc..1d23c987db 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -91,6 +91,8 @@ require { type ssh_exec_t; type ssh_home_t; type rpm_script_t; + type fsadm_exec_t; + type lvm_exec_t; class lockdown { confidentiality integrity }; class tcp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown name_connect accept listen name_bind node_bind }; class mctp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind }; @@ -403,6 +405,10 @@ allow init_t cfengine_hub_t:process siginh; allow cfengine_hub_t cfengine_hub_exec_t:file entrypoint; allow cfengine_hub_t cfengine_hub_exec_t:file { ioctl read getattr lock map execute open }; +# the following file permissions for cf-hub are not needed if masterfiles includes fixes from ENT-12954 making inventory and paths standard library bundles agent instead of common. +allow cfengine_hub_t fsadm_exec_t:file getattr; +allow cfengine_hub_t lvm_exec_t:file getattr; + # allow cf-hub to use/execute libpromises.so allow cfengine_hub_t cfengine_var_lib_t:file map; allow cfengine_hub_t cfengine_var_lib_t:file execute; diff --git a/misc/selinux/cfengine-enterprise.te.el9 b/misc/selinux/cfengine-enterprise.te.el9 index 25b31a0c95..813a7f26b2 100644 --- a/misc/selinux/cfengine-enterprise.te.el9 +++ b/misc/selinux/cfengine-enterprise.te.el9 @@ -1,8 +1,14 @@ require { type systemd_userdbd_runtime_t; + type http_port_t; } # PAM module for dynamic users allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search }; allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write; allow cfengine_httpd_t kernel_t:unix_stream_socket connectto; + +# selinux-policy 38.1.45 requires the following http_port permissions whereas 3.14.3 does not. +# these permissions are not be needed if changes from ENT-12954 to masterfiles policy move inventory from common to an agent bundle are in place. +allow cfengine_serverd_t http_port_t:tcp_socket name_connect; +allow cfengine_execd_t http_port_t:tcp_socket name_connect; From 02b882e608c45eed6671d6eece1abb16db34b8c0 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 8 May 2025 11:15:05 -0500 Subject: [PATCH 209/255] 3.21.7 changelog ammendment 3 --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 56fae14e16..ce1e599562 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,8 @@ 3.21.7: + - Fixed issue where rhel >8 packages would not have correct openssl + dependency version (ENT-12587) + - Added http_port and getattr selinux permissions as needed for selinux + policy on rhel-8 and rhel-9 (ENT-12954) - Fixed bug in parsing process_select for Windows (ENT-12751) - Added "acknowledged" field to lastseen DB (ENT-11838) - Adjusted cf-support for exotic UNIX platforms (ENT-9786) From fc836856e1456f58ab678a1b9fc3af29e57f0553 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Thu, 15 May 2025 18:34:14 -0300 Subject: [PATCH 210/255] Bumped .CFVERSION number to 3.21.8 Signed-off-by: Ole Herman Schumacher Elgesem --- .CFVERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.CFVERSION b/.CFVERSION index c5e20a5060..8ba17c9ac4 100644 --- a/.CFVERSION +++ b/.CFVERSION @@ -1 +1 @@ -3.21.7 +3.21.8 From 63d8596a7754bcc04ea1baca1ad7c0ed4434ad0c Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 30 May 2025 10:22:50 +0200 Subject: [PATCH 211/255] sysinfo.c: Removed trailing whitespace Signed-off-by: Lars Erik Wik --- libenv/sysinfo.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c index 6beb59bb07..5a6e6374e2 100644 --- a/libenv/sysinfo.c +++ b/libenv/sysinfo.c @@ -1180,7 +1180,7 @@ static void OSReleaseParse(EvalContext *ctx, const char *file_path) { alias = "redhat"; } - else if (StringEqual(os_release_id, "opensuse") || + else if (StringEqual(os_release_id, "opensuse") || StringEqual(os_release_id, "sles")) { alias = "suse"; @@ -3503,13 +3503,13 @@ static void SysOSNameHuman(EvalContext *ctx) /** * Find next integer from string in place. Leading zero's are included. - * + * * @param [in] str string to extract next integer from * @param [out] num pointer to start of next integer or %NULL if no integer * number was found - * + * * @return pointer to the remaining string in `str` or %NULL if no remainder - * + * * @note `str` will be mutated */ static char *FindNextInteger(char *str, char **num) @@ -3577,8 +3577,8 @@ static void SysOsVersionMajor(EvalContext *ctx) } else { - EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, - "os_version_major", major, + EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, + "os_version_major", major, CF_DATA_TYPE_STRING, "source=agent,derived-from=flavor"); } From c5d8d150ab38a13e5e3fdafb2f464e0e0c2ca375 Mon Sep 17 00:00:00 2001 From: Alexis Mousset Date: Fri, 18 Apr 2025 11:52:50 +0200 Subject: [PATCH 212/255] Define suse class on SLED systems (cherry picked from commit aadc43cf81d585b53385bd4b50ea5a81124d8159) Signed-off-by: Lars Erik Wik --- libenv/sysinfo.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c index 5a6e6374e2..d8fbcda45d 100644 --- a/libenv/sysinfo.c +++ b/libenv/sysinfo.c @@ -1181,7 +1181,8 @@ static void OSReleaseParse(EvalContext *ctx, const char *file_path) alias = "redhat"; } else if (StringEqual(os_release_id, "opensuse") || - StringEqual(os_release_id, "sles")) + StringEqual(os_release_id, "sles") || + StringEqual(os_release_id, "sled")) { alias = "suse"; } From 0cdf038c6188b314109f9215d4273202c825f586 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 10 Jun 2025 14:04:17 -0500 Subject: [PATCH 213/255] Adjusted configure.ac for finding workdir, logdir and piddir on windows platform Ticket: ENT-12594 Changelog: none (cherry picked from commit f027c17136d268363d4a916d467045c26b4cdaa1) Conflicts: configure.ac 3.21.x doesn't have MODULEDIR and KEYDIR changes from 44ded36442bb5a1accb67baa1b717da31fe2aa71 and e974758c8e4f9d97127509f8c0a5fa222861ffd6 --- configure.ac | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index bf9be5f431..932e22f18b 100644 --- a/configure.ac +++ b/configure.ac @@ -207,12 +207,12 @@ AS_IF([test x"$enable_fhs" = xyes], [ prefix=/var/cfengine case "$target_os" in mingw*) - WORKDIR=$(cmd /c "echo %PROGRAMFILES%\\Cfengine" | sed 's/\\/\\\\/g') + WORKDIR=$(wine cmd.exe /c "echo %PROGRAMFILES%\\Cfengine" 2>/dev/null | sed 's/\\/\\\\/g') MASTERDIR=default INPUTDIR=default DATADIR=default - LOGDIR=$(cmd /c "echo %PROGRAMFILES%\\Cfengine" | sed 's/\\/\\\\/g') - PIDDIR=$(cmd /c "echo %PROGRAMFILES%\\Cfengine" | sed 's/\\/\\\\/g') + LOGDIR=$(wine cmd.exe /c "echo %PROGRAMFILES%\\Cfengine" 2>/dev/null | sed 's/\\/\\\\/g') + PIDDIR=$(wine cmd.exe /c "echo %PROGRAMFILES%\\Cfengine" 2>/dev/null | sed 's/\\/\\\\/g') STATEDIR=default ;; *) From e5d8a95335ad72e8f9fb31a1f999aeeff63e3684 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 27 May 2025 14:16:41 +0200 Subject: [PATCH 214/255] verify_files.c: Added missing include for cf3.defs.h This file requires the definition of the enum `PromiseResult`. Signed-off-by: Lars Erik Wik (cherry picked from commit eb5e2b2f127ff053ad6235d0e8287da789059ef0) --- cf-agent/verify_files.c | 1 + 1 file changed, 1 insertion(+) diff --git a/cf-agent/verify_files.c b/cf-agent/verify_files.c index 437647dce4..8d5ece1a3d 100644 --- a/cf-agent/verify_files.c +++ b/cf-agent/verify_files.c @@ -59,6 +59,7 @@ #include #include #include /* PrepareChangesChroot(), RecordFileChangedInChroot() */ +#include static PromiseResult FindFilePromiserObjects(EvalContext *ctx, const Promise *pp); static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promise *pp); From 113fb764845c29ed2c030482ed20fd3f4f7269d0 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 28 May 2025 11:39:06 +0200 Subject: [PATCH 215/255] files_edit.c: Added missing include for cf3.defs.h This file requires the definition of the enum `PromiseResult`. Signed-off-by: Lars Erik Wik (cherry picked from commit 441c4e7edfffae6285891ad6086c379513cc8d1e) --- cf-agent/files_edit.c | 1 + 1 file changed, 1 insertion(+) diff --git a/cf-agent/files_edit.c b/cf-agent/files_edit.c index 64b43f3bb1..216e6c0dd6 100644 --- a/cf-agent/files_edit.c +++ b/cf-agent/files_edit.c @@ -33,6 +33,7 @@ #include #include #include +#include /*****************************************************************************/ From bcbb7affdda16b4f40c367025baae4e5396cbaa1 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 27 May 2025 14:18:14 +0200 Subject: [PATCH 216/255] verify_files.c: Removed trailing white space Signed-off-by: Lars Erik Wik (cherry picked from commit 7fee0309ec74b54790ce44aeb2970d22f1d8cafb) --- cf-agent/verify_files.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cf-agent/verify_files.c b/cf-agent/verify_files.c index 8d5ece1a3d..b62a14ab5f 100644 --- a/cf-agent/verify_files.c +++ b/cf-agent/verify_files.c @@ -748,7 +748,7 @@ static PromiseResult RenderTemplateCFEngine(EvalContext *ctx, { if (!file_exists && !CfCreateFile(ctx, edcontext->changes_filename, pp, attr, &result)) - { + { RecordFailure(ctx, pp, attr, "Failed to create file '%s' for rendering cfengine template '%s'", edcontext->filename, attr->edit_template); @@ -860,7 +860,7 @@ static PromiseResult RenderTemplateMustache(EvalContext *ctx, if (!file_exists && !CfCreateFile(ctx, edcontext->changes_filename, pp, attr, &result)) - { + { RecordFailure(ctx, pp, attr, "Failed to create file '%s' for rendering mustache template '%s'", edcontext->filename, message); From cde33fbb17179c0c5d4dc272daefc41d1ba0b88f Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 28 May 2025 17:12:15 +0200 Subject: [PATCH 217/255] Properly handle promise locking with edit line Fixed bug causing rendered files can result in erroneously empty files as a result of promise locking. Ticket: ENT-9980 Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit c947544884dd0eff4d9d1d1be4d316459bdbdbf6) --- cf-agent/files_edit.c | 4 ++-- cf-agent/files_edit.h | 2 +- cf-agent/verify_files.c | 11 +++++++---- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/cf-agent/files_edit.c b/cf-agent/files_edit.c index 216e6c0dd6..cd0e1997b3 100644 --- a/cf-agent/files_edit.c +++ b/cf-agent/files_edit.c @@ -103,9 +103,9 @@ EditContext *NewEditContext(char *filename, const Attributes *a) /*****************************************************************************/ void FinishEditContext(EvalContext *ctx, EditContext *ec, const Attributes *a, const Promise *pp, - PromiseResult *result) + PromiseResult *result, bool save_file) { - if ((*result != PROMISE_RESULT_NOOP) && (*result != PROMISE_RESULT_CHANGE)) + if (!save_file || ((*result != PROMISE_RESULT_NOOP) && (*result != PROMISE_RESULT_CHANGE))) { // Failure or skipped. Don't update the file. goto end; diff --git a/cf-agent/files_edit.h b/cf-agent/files_edit.h index e4c8341356..425d21b215 100644 --- a/cf-agent/files_edit.h +++ b/cf-agent/files_edit.h @@ -57,7 +57,7 @@ typedef struct EditContext *NewEditContext(char *filename, const Attributes *a); void FinishEditContext(EvalContext *ctx, EditContext *ec, const Attributes *a, const Promise *pp, - PromiseResult *result); + PromiseResult *result, bool save_file); #ifdef HAVE_LIBXML2 bool LoadFileAsXmlDoc(xmlDocPtr *doc, const char *file, EditDefaults ed, bool only_checks); diff --git a/cf-agent/verify_files.c b/cf-agent/verify_files.c index b62a14ab5f..f1b903f2fe 100644 --- a/cf-agent/verify_files.c +++ b/cf-agent/verify_files.c @@ -735,7 +735,8 @@ static PromiseResult RenderTemplateCFEngine(EvalContext *ctx, const Rlist *bundle_args, const Attributes *attr, EditContext *edcontext, - bool file_exists) + bool file_exists, + bool *save_file) { assert(edcontext != NULL); assert(attr != NULL); @@ -760,7 +761,7 @@ static PromiseResult RenderTemplateCFEngine(EvalContext *ctx, EvalContextStackPushBundleFrame(ctx, bp, bundle_args, a.edits.inherit); BundleResolve(ctx, bp); - ScheduleEditLineOperations(ctx, bp, &a, pp, edcontext); + *save_file = ScheduleEditLineOperations(ctx, bp, &a, pp, edcontext); EvalContextStackPopFrame(ctx); @@ -971,6 +972,7 @@ PromiseResult ScheduleEditOperation(EvalContext *ctx, char *filename, Rlist *args = NULL; char edit_bundle_name[CF_BUFSIZE], lockname[CF_BUFSIZE]; CfLock thislock; + bool save_file = true; snprintf(lockname, CF_BUFSIZE - 1, "fileedit-%s", filename); thislock = AcquireLock(ctx, lockname, VUQNAME, CFSTARTTIME, a->transaction.ifelapsed, a->transaction.expireafter, pp, false); @@ -1073,7 +1075,8 @@ PromiseResult ScheduleEditOperation(EvalContext *ctx, char *filename, PromiseResult render_result = RenderTemplateCFEngine(ctx, pp, args, a, edcontext, - file_exists); + file_exists, + &save_file); result = PromiseResultUpdate(result, render_result); } } @@ -1105,7 +1108,7 @@ PromiseResult ScheduleEditOperation(EvalContext *ctx, char *filename, } exit: - FinishEditContext(ctx, edcontext, a, pp, &result); + FinishEditContext(ctx, edcontext, a, pp, &result, save_file); YieldCurrentLock(thislock); if (result == PROMISE_RESULT_CHANGE) { From 07dc831f0e364815ac3cb00b9c9301b11fa20dcc Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 18 Jul 2025 13:39:36 +0200 Subject: [PATCH 218/255] valgrind-check: Fixed missing curl Error message from PR pipeline: ``` notice: Q: ".../cf-execd"": error: Proposed executable file '/usr/bin/curl' doesn't exist Q: ".../cf-execd"": error: execresult '/usr/bin/curl -s -X PUT "" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"' is assumed to be executable but isn't ``` Ticket: ENT-13124 Signed-off-by: Lars Erik Wik (cherry picked from commit b8bd87aeb6d9682516cf1a2d85581a214ab38d11) --- tests/valgrind-check/Containerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/valgrind-check/Containerfile b/tests/valgrind-check/Containerfile index 287d2dee4c..891785185e 100644 --- a/tests/valgrind-check/Containerfile +++ b/tests/valgrind-check/Containerfile @@ -1,7 +1,7 @@ FROM ubuntu:20.04 AS build RUN DEBIAN_FRONTEND=noninteractive apt-get update -y RUN DEBIAN_FRONTEND=noninteractive apt-get install -y libssl-dev libxml2-dev libpam0g-dev liblmdb-dev libacl1-dev libpcre3 libpcre3-dev -RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python git flex bison byacc automake make autoconf libtool valgrind +RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python git flex bison byacc automake make autoconf libtool valgrind curl COPY masterfiles masterfiles COPY core core WORKDIR core From 90215225c2748b38838864023f33173592c86d2d Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 22 Jul 2025 10:21:59 +0200 Subject: [PATCH 219/255] valgrind-check: fix missing archives Unable to fetch some archives: ``` STEP 4/8: RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python3 git flex bison byacc automake make autoconf libtool valgrind curl ---snip--- Err:104 noble-updates/main amd64 git-man all 1:2.43.0-1ubuntu7.2 404 Not Found [IP: 91.189.91.81 80] Err:105 noble-updates/main amd64 git amd64 1:2.43.0-1ubuntu7.2 404 Not Found [IP: 91.189.91.81 80] ---snip--- Err:115 noble-updates/main amd64 libc6-dbg amd64 2.39-0ubuntu8.4 404 Not Found [IP: 91.189.91.81 80] ---snip--- E: Failed to fetch 404 Not Found [IP: 91.189.91.81 80] E: Failed to fetch 404 Not Found [IP: 91.189.91.81 80] E: Failed to fetch 404 Not Found [IP: 91.189.91.81 80] E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing? Error: building at STEP "RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python3 git flex bison byacc automake make autoconf libtool valgrind curl": while running runtime: exit status 100 ---snip--- ``` The URL does in fact return 404: ``` $ curl http://security.ubuntu.com/ubuntu/pool/main/g/git/git-man_2.43.0-1ubuntu7.2_all.deb 404 Not Found

Not Found

The requested URL was not found on this server.

Apache/2.4.52 (Ubuntu) Server at security.ubuntu.com Port 80
``` Will try to add `--fix-missing` to the `apt-get update` as the error message suggests. Ticket: ENT-13126 Signed-off-by: Lars Erik Wik (cherry picked from commit 0a08731d1ac8e999984c716ae25f7ec99d038766) --- tests/valgrind-check/Containerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/valgrind-check/Containerfile b/tests/valgrind-check/Containerfile index 891785185e..3babc0adbd 100644 --- a/tests/valgrind-check/Containerfile +++ b/tests/valgrind-check/Containerfile @@ -1,5 +1,5 @@ FROM ubuntu:20.04 AS build -RUN DEBIAN_FRONTEND=noninteractive apt-get update -y +RUN DEBIAN_FRONTEND=noninteractive apt-get update -y --fix-missing RUN DEBIAN_FRONTEND=noninteractive apt-get install -y libssl-dev libxml2-dev libpam0g-dev liblmdb-dev libacl1-dev libpcre3 libpcre3-dev RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python git flex bison byacc automake make autoconf libtool valgrind curl COPY masterfiles masterfiles From 95a922e7e04139312e7e04f176c052f15a790e05 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Thu, 5 Dec 2024 12:13:23 -0600 Subject: [PATCH 220/255] Aligned testing with implementation of bundle edit_line set_variable_values_ini This change simply aligns the implementation of this bundle with what we use for testing. Ticket: CFE-4460 Changelog: None (cherry picked from commit 737c3d05d2aa7d0763d5f71b90c867d040554a04) --- tests/acceptance/plucked.cf.sub | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/acceptance/plucked.cf.sub b/tests/acceptance/plucked.cf.sub index 297b6715a3..042642e5fe 100644 --- a/tests/acceptance/plucked.cf.sub +++ b/tests/acceptance/plucked.cf.sub @@ -667,16 +667,16 @@ bundle edit_line set_variable_values_ini(tab, sectionName) # If the line is there, but commented out, first uncomment it "#+\s*$(index)\s*=.*" - select_region => INI_section("$(sectionName)"), - edit_field => col("=","1","$(index)","set"), - ifvarclass => "edit_$(cindex[$(index)])"; + select_region => INI_section(escape("$(sectionName)")), + edit_field => col("\s*=\s*","1","$(index)","set"), + if => "edit_$(cindex[$(index)])"; # match a line starting like the key something - "$(index)\s*=.*" - edit_field => col("=","2","$($(tab)[$(sectionName)][$(index)])","set"), - select_region => INI_section("$(sectionName)"), + "\s*$(index)\s*=.*" + edit_field => col("\s*=\s*","2","$($(tab)[$(sectionName)][$(index)])","set"), + select_region => INI_section(escape("$(sectionName)")), classes => results("bundle", "set_variable_values_ini_not_$(cindex[$(index)])"), - ifvarclass => "edit_$(cindex[$(index)])"; + if => "edit_$(cindex[$(index)])"; insert_lines: "[$(sectionName)]" @@ -684,8 +684,8 @@ bundle edit_line set_variable_values_ini(tab, sectionName) comment => "Insert lines"; "$(index)=$($(tab)[$(sectionName)][$(index)])" - select_region => INI_section("$(sectionName)"), - ifvarclass => "!(set_variable_values_ini_not_$(cindex[$(index)])_kept|set_variable_values_ini_not_$(cindex[$(index)])_repaired).edit_$(cindex[$(index)])"; + select_region => INI_section(escape("$(sectionName)")), + if => "!(set_variable_values_ini_not_$(cindex[$(index)])_kept|set_variable_values_ini_not_$(cindex[$(index)])_repaired).edit_$(cindex[$(index)])"; } From d241d2f153753c61c32d49cf0787cb01dfe2c810 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 15 Jul 2025 13:51:02 +0200 Subject: [PATCH 221/255] Fixed bug where remote file copy always preserves source perms Remote file copy with the 'copy_from' attribute now only preserves source file permissions if the 'preserve' attribute in 'body copy_from' is true. Otherwise it will use the permissions of the destination file if it already exists and default permissions if it does not. Ticket: ENT-11988 Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit e2021b555f62197e6a112ee09e5af23ee4a68b6f) --- cf-agent/verify_files_utils.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/cf-agent/verify_files_utils.c b/cf-agent/verify_files_utils.c index 84115f997f..440f7cd97c 100644 --- a/cf-agent/verify_files_utils.c +++ b/cf-agent/verify_files_utils.c @@ -22,6 +22,7 @@ included file COSL.txt. */ +#include #include #include @@ -1551,8 +1552,25 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con return false; } + /* Use perms from source file if preserve is true, otherwise use perms + * of destination file if it exists, otherwise use default perms. */ + mode_t mode; + if (attr->copy.preserve) + { + mode = sstat->st_mode; + } + else if (dest_exists) + { + mode = dest_stat.st_mode; + } + else + { + mode = CF_PERMS_DEFAULT; + } + mode &= 0777; /* Never preserve SUID bit */ + if (!CopyRegularFileNet(source, ToChangesPath(new), - sstat->st_size, attr->copy.encrypt, conn, sstat->st_mode)) + sstat->st_size, attr->copy.encrypt, conn, mode)) { RecordFailure(ctx, pp, attr, "Failed to copy file '%s' from '%s'", source, conn->remoteip); From 30f58eb78a7561d95398009c402fee5a2c7d029b Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 20 Aug 2025 16:48:26 -0500 Subject: [PATCH 222/255] Fixed invalid colon separating host and path from cifs and panfs in fstab This commit introduces a conditional check to format the device string for CIFS and PanFS without a colon (:), as required by their specific syntax. It also updates the logging to show the full fstab entry that is being added. Additionally, the log message has been updated to be more descriptive, now displaying the full fstab entry that is being added. Ticket: CFE-4494 (cherry picked from commit 582c6c28ba0691169790a9b1b0509cee9917b5a3) --- cf-agent/nfs.c | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/cf-agent/nfs.c b/cf-agent/nfs.c index 73c8005243..997cae4967 100644 --- a/cf-agent/nfs.c +++ b/cf-agent/nfs.c @@ -468,29 +468,49 @@ int VerifyInFstab(EvalContext *ctx, char *name, const Attributes *a, const Promi mountpt = name; fstype = a->mount.mount_type; + char device[CF_BUFSIZE]; + if (StringEqual(fstype, "cifs") || StringEqual(fstype, "panfs")) + { + NDEBUG_UNUSED int ret = snprintf(device, sizeof(device), "%s%s", host, rmountpt); + assert(ret >= 0 && ret < CF_BUFSIZE); + } + else + { + NDEBUG_UNUSED int ret = snprintf(device, sizeof(device), "%s:%s", host, rmountpt); + assert(ret >= 0 && ret < CF_BUFSIZE); + } + #if defined(__QNX__) || defined(__QNXNTO__) - snprintf(fstab, CF_BUFSIZE, "%s:%s \t %s %s\t%s 0 0", host, rmountpt, mountpt, fstype, opts); + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s %s\t%s 0 0", device, mountpt, fstype, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(_CRAY) char fstype_upper[CF_BUFSIZE]; strlcpy(fstype_upper, fstype, CF_BUFSIZE); ToUpperStrInplace(fstype_upper); - snprintf(fstab, CF_BUFSIZE, "%s:%s \t %s %s\t%s", host, rmountpt, mountpt, fstype_upper, opts); + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s %s\t%s", device, mountpt, fstype_upper, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); break; #elif defined(__hpux) - snprintf(fstab, CF_BUFSIZE, "%s:%s %s \t %s \t %s 0 0", host, rmountpt, mountpt, fstype, opts); + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s %s \t %s \t %s 0 0", device, mountpt, fstype, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(_AIX) - snprintf(fstab, CF_BUFSIZE, - "%s:\n\tdev\t= %s\n\ttype\t= %s\n\tvfs\t= %s\n\tnodename\t= %s\n\tmount\t= true\n\toptions\t= %s\n\taccount\t= false\n", - mountpt, rmountpt, fstype, fstype, host, opts); + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, + "%s:\n\tdev\t= %s\n\ttype\t= %s\n\tvfs\t= %s\n\tnodename\t= %s\n\tmount\t= true\n\toptions\t= %s\n\taccount\t= false\n", + mountpt, rmountpt, fstype, fstype, host, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__linux__) - snprintf(fstab, CF_BUFSIZE, "%s:%s \t %s \t %s \t %s", host, rmountpt, mountpt, fstype, opts); + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s \t %s \t %s", device, mountpt, fstype, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__NetBSD__) || defined(__OpenBSD__) || defined(__DragonFly__) || defined(__FreeBSD__) || defined(__APPLE__) - snprintf(fstab, CF_BUFSIZE, "%s:%s \t %s \t %s \t %s 0 0", host, rmountpt, mountpt, fstype, opts); + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s \t %s \t %s 0 0", device, mountpt, fstype, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__sun) || defined(sco) || defined(__SCO_DS) - snprintf(fstab, CF_BUFSIZE, "%s:%s - %s %s - yes %s", host, rmountpt, mountpt, fstype, opts); + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s - %s %s - yes %s", device, mountpt, fstype, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__CYGWIN__) - snprintf(fstab, CF_BUFSIZE, "/bin/mount %s:%s %s", host, rmountpt, mountpt); + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "/bin/mount %s %s", device, mountpt); + assert(ret >= 0 && ret < CF_BUFSIZE); #else #error "Could not determine format of fstab entry on this platform." #endif @@ -503,7 +523,7 @@ int VerifyInFstab(EvalContext *ctx, char *name, const Attributes *a, const Promi { AppendItem(&FSTABLIST, fstab, NULL); FSTAB_EDITS++; - cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_CHANGE, pp, a, "Adding file system '%s:%s' to '%s'", host, rmountpt, + cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_CHANGE, pp, a, "Adding file system entry '%s' to '%s'", fstab, VFSTAB[VSYSTEMHARDCLASS]); *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE); changes += 1; From 1b499ae6316ba735ad115a5f01a0c4f8a6ab635e Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Fri, 22 Aug 2025 17:18:39 -0500 Subject: [PATCH 223/255] Added documentation references for file system table configuration (cherry picked from commit 4cc65278c490ebfc9948f480d223c751a6201da2) --- cf-agent/nfs.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/cf-agent/nfs.c b/cf-agent/nfs.c index 997cae4967..c7602fa4b6 100644 --- a/cf-agent/nfs.c +++ b/cf-agent/nfs.c @@ -481,6 +481,9 @@ int VerifyInFstab(EvalContext *ctx, char *name, const Attributes *a, const Promi } #if defined(__QNX__) || defined(__QNXNTO__) + // QNX documents 4 fstab fields : https://www.qnx.com/developers/docs/7.1/index.html#com.qnx.doc.neutrino.utilities/topic/f/fstab.html + // specialdevice mountpoint type mountoptions + // TODO Remove DUMP and PASS options used here (unsupported)? NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s %s\t%s 0 0", device, mountpt, fstype, opts); assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(_CRAY) @@ -492,9 +495,13 @@ int VerifyInFstab(EvalContext *ctx, char *name, const Attributes *a, const Promi assert(ret >= 0 && ret < CF_BUFSIZE); break; #elif defined(__hpux) + // HP-UX documents 7 fstab fields: https://nixdoc.net/man-pages/HP-UX/man4/fstab.4.html + // deviceSpecialFile directory type options backupFrequency passNumber comment + // TODO Bring promise comment in as the 7th comment field # promise comment (stripped of newlines) NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s %s \t %s \t %s 0 0", device, mountpt, fstype, opts); assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(_AIX) + // AIX uses /etc/filesystems: https://www.ibm.com/docs/en/aix/7.2.0?topic=files-filesystems-file NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s:\n\tdev\t= %s\n\ttype\t= %s\n\tvfs\t= %s\n\tnodename\t= %s\n\tmount\t= true\n\toptions\t= %s\n\taccount\t= false\n", mountpt, rmountpt, fstype, fstype, host, opts); @@ -503,12 +510,18 @@ int VerifyInFstab(EvalContext *ctx, char *name, const Attributes *a, const Promi NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s \t %s \t %s", device, mountpt, fstype, opts); assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__NetBSD__) || defined(__OpenBSD__) || defined(__DragonFly__) || defined(__FreeBSD__) || defined(__APPLE__) + // BSDs document 6 fstab fields https://man.freebsd.org/cgi/man.cgi?fstab(5) + // Device Mountpoint FStype Options Dump Pass NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s \t %s \t %s 0 0", device, mountpt, fstype, opts); assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__sun) || defined(sco) || defined(__SCO_DS) + // SunOS uses /etc/fstab and documents 7 fields: https://docs.oracle.com/cd/E19455-01/805-6331/fsadm-59727/index.html + // deviceToMount deviceToFsck mountPoint FStype fsckPass automount? mountOptions + // - is used for deviceToFsck for read-only and network based file systems NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s - %s %s - yes %s", device, mountpt, fstype, opts); assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__CYGWIN__) + // https://cygwin.com/cygwin-ug-net/using.html#mount-table NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "/bin/mount %s %s", device, mountpt); assert(ret >= 0 && ret < CF_BUFSIZE); #else From 760062907f86e347efb624f114d0064b355d1dcd Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 29 Aug 2025 12:59:01 +0200 Subject: [PATCH 224/255] Atomic permissions during file copy Temporary file is now set to promised permissions before replacing it with original during remote copy from. Ticket: ENT-13163 Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit c1d8cd03137d8c678dbfaf92ba3dd604f4fcc65f) --- cf-agent/verify_files_utils.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/cf-agent/verify_files_utils.c b/cf-agent/verify_files_utils.c index 440f7cd97c..91e81f64c5 100644 --- a/cf-agent/verify_files_utils.c +++ b/cf-agent/verify_files_utils.c @@ -70,6 +70,7 @@ #include /* GetGroupName(), GetUserName() */ #include +#include "cf3.defs.h" #define CF_RECURSION_LIMIT 100 @@ -1569,6 +1570,13 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con } mode &= 0777; /* Never preserve SUID bit */ + /* If perms are promised for this file, use those instead */ + if ((attr->perms.plus != CF_SAMEMODE) && (attr->perms.minus != CF_SAMEMODE)) + { + mode |= attr->perms.plus; + mode &= ~(attr->perms.minus); + } + if (!CopyRegularFileNet(source, ToChangesPath(new), sstat->st_size, attr->copy.encrypt, conn, mode)) { From ceabeb07b51c2e7e925a81d47c76f8a2f31e782f Mon Sep 17 00:00:00 2001 From: Bastian Triller Date: Fri, 12 Sep 2025 08:16:00 +0200 Subject: [PATCH 225/255] examples/services: Fix service_bundle example (cherry picked from commit 49130df0360156a3d72f013703898ef87bff8aba) --- examples/services_default_service_bundle.cf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/examples/services_default_service_bundle.cf b/examples/services_default_service_bundle.cf index 7182d20f8d..2adeafc400 100644 --- a/examples/services_default_service_bundle.cf +++ b/examples/services_default_service_bundle.cf @@ -9,7 +9,7 @@ bundle agent main body service_method my_custom_service { - service_type => "generic"; + service_bundle => service_my_custom_service($(this.promiser), $(this.service_policy)); } bundle agent service_my_custom_service(service, state) @@ -25,5 +25,3 @@ bundle agent service_my_custom_service(service, state) #@ ``` #+end_src - - From bb63ed984587462689469dac88c609a8b9343150 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Mon, 22 Sep 2025 13:29:12 -0500 Subject: [PATCH 226/255] Added example using nth() with key (cherry picked from commit cf7fd102044a3d833e3a85d774753af55a233c40) --- examples/nth-key.cf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 examples/nth-key.cf diff --git a/examples/nth-key.cf b/examples/nth-key.cf new file mode 100644 index 0000000000..63f8973c84 --- /dev/null +++ b/examples/nth-key.cf @@ -0,0 +1,20 @@ +#+begin_src cfengine3 +bundle agent main +{ + vars: + "d" data => '{ "key1": "dvalue1", "key2": "dvalue2" }'; + "a[key1]" string => "value1"; + "a[key2]" string => "value2"; + + reports: + "$(with)" with => nth( a, key1 ); + "$(with)" with => nth( d, key1 ); +} +#+end_src +############################################################################### +#+begin_src example_output +#@ ``` +#@ R: value1 +#@ R: dvalue1 +#@ ``` +#+end_src From 4d765b9fcea2aa8d9f810d20dd03acc409ded914 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Tue, 23 Sep 2025 10:53:24 -0500 Subject: [PATCH 227/255] Update examples/nth-key.cf Co-authored-by: Craig Comstock (cherry picked from commit 2bd97ad26a4970546159dc9f12c7f58234c7507e) --- examples/nth-key.cf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/nth-key.cf b/examples/nth-key.cf index 63f8973c84..e9363c9e17 100644 --- a/examples/nth-key.cf +++ b/examples/nth-key.cf @@ -7,8 +7,8 @@ bundle agent main "a[key2]" string => "value2"; reports: - "$(with)" with => nth( a, key1 ); - "$(with)" with => nth( d, key1 ); + "$(with)" with => nth( a, "key1" ); + "$(with)" with => nth( d, "key1" ); } #+end_src ############################################################################### From b94204b6cdd723f9856999cbf98b5e01dd4f7136 Mon Sep 17 00:00:00 2001 From: Victor Moene Date: Tue, 2 Sep 2025 12:19:31 +0200 Subject: [PATCH 228/255] macos_unit_tests.yml: specified the deployment target to be macOS 15.4 The function 'strchrnul' has been marked as being introduced in macOS 15.4, although it seems to have been working for as long as we have been testing on macOS. Since warnings are treated as errors, the build will fail. Hence, the simplest way to silence the warning is, it to specify the deployment target to be a minimum of macOS 15.4. ``` logging.c:651:28: error: 'strchrnul' is only available on macOS 15.4 or newer [-Werror,-Wunguarded-availability-new] 651 | char *next_token = strchrnul(token, ','); CC queue.lo | ^~~~~~~~~ /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/_string.h:198:9: note: 'strchrnul' has been marked as being introduced in macOS 15.4 here, but the deployment target is macOS 15.0.0 198 | strchrnul(const char *__s, int __c); CC rb-tree.lo | ^ logging.c:651:28: note: enclose 'strchrnul' in a __builtin_available check to silence this warning 651 | char *next_token = strchrnul(token, ','); | ^~~~~~~~~ 1 error generated. ``` It has been done similarly here: https://github.com/NorthernTechHQ/libntech/pull/255 Signed-off-by: Victor Moene (cherry picked from commit f1c9a913893bf7e5b72c1223ccaa94e2b928e7fc) --- .github/workflows/macos_unit_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/macos_unit_tests.yml b/.github/workflows/macos_unit_tests.yml index 913f21b405..86de8343cb 100644 --- a/.github/workflows/macos_unit_tests.yml +++ b/.github/workflows/macos_unit_tests.yml @@ -23,6 +23,6 @@ jobs: PATH="/opt/homebrew/opt/libtool/libexec/gnubin:$PATH" ./autogen.sh --enable-debug - name: Compile and link - run: make -j8 CFLAGS="-Werror -Wall" + run: MACOSX_DEPLOYMENT_TARGET=15.4 make -j8 CFLAGS="-Werror -Wall" - name: Run unit tests run: make -C tests/unit check From ddcd547f9c09586b20b240ba9aaa3ed256563d22 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 15 Oct 2025 14:03:04 -0500 Subject: [PATCH 229/255] Fixed cf-support usage of coredumpctl matching Initially we had coredumpctl info /var/cfengine/bin/cf-* which matched the EXE (executable name). We then changed this to /var/cfengine/* which was an incorrect change which limited the EXE to only items at /var/cfengine/ since the star is a glob and expanded to the files in that directory. (commit: 68b8429a85a86f88592a96f5ff3a0f6b857465c9) Instead we should use a find command to find files that are executable under /var/cfengine and run coredumpctl on each one we find. Ticket: ENT-13272 Changelog: title (cherry picked from commit b2f22a237680da3358e6ae809bc72f0f4099aed0) Conflicts: misc/cf-support We didn't cherry pick the previous bad fix in 68b8429 mentioned above so conflicts were present. --- misc/cf-support | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/misc/cf-support b/misc/cf-support index ce59602680..9c5e82eee5 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -158,7 +158,10 @@ fi if expr "$_sysctl_kernel_core_pattern" : ".*/systemd-coredump.*" > /dev/null 2>&1; then echo "Found systemd-coredump used in sysctl kernel.core_pattern \"$_sysctl_kernel_core_pattern\"" echo "Using coredumpctl to analyze CFEngine core dumps" - coredumpctl info /var/cfengine/bin/cf-* 2>/dev/null >> "$_core_log" || true + find /var/cfengine -type f -executable | while IFS='' read -r line + do + coredumpctl info "$line" 2>/dev/null >> "$_core_log" || true + done elif command -v apport-unpack >/dev/null; then echo "Using apport-unpack to analyze CFEngine core dumps" # each crash report has a line with ExecutablePath: which tells us if it is a CFEngine core dump From ff1c167f49ea9565eb84bb1ee7b9e3f63f3ef6ac Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 3 Oct 2025 09:01:15 -0500 Subject: [PATCH 230/255] Adjusted valgrind-check Containerfile to ensure apt update and install are linked and cached together in one layer Otherwise, the update layer can be cached and have bad information for the subsequent two install command layers. As the distribution changes package versions the install layers, if they are not cached, will fail. Also combined the two install commands into one for brevity. Ticket: ENT-13252 Changelog: none (cherry picked from commit c6e385d76b6e266b5223217f12f5558b5d7db67f) Conflicts: tests/valgrind-check/Containerfile To get a smaller change I just combined the update and install apt lines instead of also changing the ubuntu version and package list. --- tests/valgrind-check/Containerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/valgrind-check/Containerfile b/tests/valgrind-check/Containerfile index 3babc0adbd..6e7ad4942b 100644 --- a/tests/valgrind-check/Containerfile +++ b/tests/valgrind-check/Containerfile @@ -1,7 +1,6 @@ FROM ubuntu:20.04 AS build -RUN DEBIAN_FRONTEND=noninteractive apt-get update -y --fix-missing -RUN DEBIAN_FRONTEND=noninteractive apt-get install -y libssl-dev libxml2-dev libpam0g-dev liblmdb-dev libacl1-dev libpcre3 libpcre3-dev -RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python git flex bison byacc automake make autoconf libtool valgrind curl +RUN DEBIAN_FRONTEND=noninteractive apt-get update -y --fix-missing && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y libssl-dev libxml2-dev libpam0g-dev liblmdb-dev libacl1-dev libpcre3 libpcre3-dev python git flex bison byacc automake make autoconf libtool valgrind curl COPY masterfiles masterfiles COPY core core WORKDIR core From 60c8918fb91c53e870cd553cefdb9afa69b51631 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Sat, 27 Sep 2025 19:58:51 -0500 Subject: [PATCH 231/255] Extended support for move_obstructions beyond copy_from - Added test for copy_from and move_obstructions - Added test and support for content attribute targeting symlink with move_obstructions - Added test and support for move_obstructions for symlinks targeted by inline_mustache - Added tests and support for edit_template mustache and cfengine - Added test for edit_line, disabled because it's failing Ticket: CFE-4591 Changelog: None Co-authored-by: Qwen Code Co-authored-by: Gemini Co-authored-by: Lars Erik Wik Signed-off-by: Lars Erik Wik --- cf-agent/verify_files.c | 14 ++ cf-agent/verify_files_utils.c | 52 +++++ cf-agent/verify_files_utils.h | 1 + .../move_obstructions-promiser-is-symlink.cf | 206 ++++++++++++++++++ 4 files changed, 273 insertions(+) create mode 100644 tests/acceptance/10_files/move_obstructions-promiser-is-symlink.cf diff --git a/cf-agent/verify_files.c b/cf-agent/verify_files.c index f1b903f2fe..d1e3c076e5 100644 --- a/cf-agent/verify_files.c +++ b/cf-agent/verify_files.c @@ -531,6 +531,20 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi result = PromiseResultUpdate(result, ScheduleLinkOperation(ctx, path, a.link.source, &a, pp)); } + if (a.haveedit || a.content || a.edit_template_string) + { + if (exists || link) + { + if (!HandleFileObstruction(ctx, changes_path, &oslb, &a, pp, &result)) + { + goto exit; + } + // After moving, it no longer exists at the original path + exists = (lstat(changes_path, &oslb) != -1); + link = false; + } + } + /* Phase 3a - direct content */ if (a.content) diff --git a/cf-agent/verify_files_utils.c b/cf-agent/verify_files_utils.c index 91e81f64c5..03b55aa160 100644 --- a/cf-agent/verify_files_utils.c +++ b/cf-agent/verify_files_utils.c @@ -22,6 +22,7 @@ included file COSL.txt. */ +#include #include #include @@ -2728,6 +2729,57 @@ static PromiseResult VerifyFileAttributes(EvalContext *ctx, const char *file, co return result; } +bool HandleFileObstruction(EvalContext *ctx, const char *path, const struct stat *sb, const Attributes *attr, const Promise *pp, PromiseResult *result) +{ + // Tell static analysis tools that these pointers do not need to be checked for NULL before dereferencing + assert(sb != NULL); + assert(attr != NULL); + + const mode_t st_mode = sb->st_mode; + const bool move_obstructions = attr->move_obstructions; + + // If path exists, but is not a regular file, it's an obstruction + if (!S_ISREG(st_mode)) + { + if (move_obstructions) + { + if (MakingChanges(ctx, pp, attr, result, "Moving obstructing file '%s'", path)) + { + char backup[CF_BUFSIZE]; + int ret = snprintf(backup, sizeof(backup), "%s.cf-moved", path); + if (ret < 0 || (size_t) ret >= sizeof(backup)) + { + RecordFailure(ctx, pp, attr, "Could not move obstruction '%s': Path too long", + path); + *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL); + return false; + } + + if (rename(path, backup) == -1) + { + RecordFailure(ctx, pp, attr, "Could not move obstruction '%s' to '%s'. (rename: %s)", + path, backup, GetErrorStr()); + *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL); + return false; + } + else + { + RecordChange(ctx, pp, attr, "Moved obstructing path '%s' to '%s'", path, backup); + *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE); + return true; + } + } + } + else if (!S_ISLNK(st_mode)) + { + RecordFailure(ctx, pp, attr, "Path '%s' is not a regular file and move_obstructions is not set", path); + *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL); + return false; + } + } + return true; +} + bool DepthSearch(EvalContext *ctx, char *name, const struct stat *sb, int rlevel, const Attributes *attr, const Promise *pp, dev_t rootdevice, PromiseResult *result) { diff --git a/cf-agent/verify_files_utils.h b/cf-agent/verify_files_utils.h index 7f294c45e0..fdbb8bd8b3 100644 --- a/cf-agent/verify_files_utils.h +++ b/cf-agent/verify_files_utils.h @@ -35,6 +35,7 @@ extern StringSet *SINGLE_COPY_CACHE; void SetFileAutoDefineList(const Rlist *auto_define_list); void VerifyFileLeaf(EvalContext *ctx, char *path, const struct stat *sb, const Attributes *attr, const Promise *pp, PromiseResult *result); +bool HandleFileObstruction(EvalContext *ctx, const char *path, const struct stat *sb, const Attributes *attr, const Promise *pp, PromiseResult *result); bool DepthSearch(EvalContext *ctx, char *name, const struct stat *sb, int rlevel, const Attributes *attr, const Promise *pp, dev_t rootdevice, PromiseResult *result); bool CfCreateFile(EvalContext *ctx, char *file, const Promise *pp, const Attributes *attr, PromiseResult *result_out); void SetSearchDevice(struct stat *sb, const Promise *pp); diff --git a/tests/acceptance/10_files/move_obstructions-promiser-is-symlink.cf b/tests/acceptance/10_files/move_obstructions-promiser-is-symlink.cf new file mode 100644 index 0000000000..8e07372895 --- /dev/null +++ b/tests/acceptance/10_files/move_obstructions-promiser-is-symlink.cf @@ -0,0 +1,206 @@ + +############################################################################## +# +# Test that move_obstructions works consistently for various types of files +# promises targeting a specific file where the promiser is a symlink +# - copy_from +# +############################################################################## + +body file control +{ + inputs => { "../default.cf.sub" }; +} + +############################################################################## +bundle agent __main__ +{ + methods: + "init"; + "test"; + "check"; + "cleanup"; +} + +bundle agent cleanup +{ + vars: + "potential_files_to_delete" + slist => { + # The files we tested + "@(init.test_files)", + "$(init.orig_ln_target_filename)", + # .cfsaved files get created as copy_from replaces files + maplist( "$(this).cfsaved", @(init.test_files) ), + # The special case source file to copy from + maplist( "$(this).source", @(init.test_files) ), + }; + + files: + "$(potential_files_to_delete)" + delete => tidy, + if => fileexists( "$(this.promiser)" ); +} + +bundle agent init +{ + vars: + # Create test files that will serve as obstructions + "test_files" slist => { + "$(G.testdir)/copy_from", + "$(G.testdir)/content", + "$(G.testdir)/edit_template_string_inline_mustache", + "$(G.testdir)/edit_template_cfengine", + "$(G.testdir)/edit_template_mustache", + #"$(G.testdir)/edit_line", + }; + + "orig_ln_target_filename" + string => "$(G.testdir)/orig_ln_target"; + + "orig_ln_target_content" + string => "This content originally lived in a symlink target"; + + files: + # Here we initialize a file which will be a symlinks target + "$(orig_ln_target_filename)" + create => "true", + content => "$(orig_ln_target_content)"; + + # Here we have a symlink that we will be targeting with a content files promise + "$(test_files)" + create => "true", + move_obstructions => "true", + link_from => ln_s( "$(G.testdir)/orig_ln_target" ); + + reports: + DEBUG:: + "$(test_files) initalized" + if => and( fileexists( "$(test_files)" ), + islink( $(test_files) ) ); +} + +body link_from ln_s(x) +{ + link_type => "symlink"; + source => "$(x)"; + when_no_source => "force"; +} +############################################################################## + +bundle agent test +{ + meta: + "description" + string => concat( + "Test move_obstructions with content, edit_template,", + " and edit_template_string" + ); + + files: + # Test move_obstructions with copy_from + # This isn't in init because it's specific to copy_from needing to have a source file. + "$(G.testdir)/copy_from.source" + content => "$(check.expected_content)", + if => fileexists( "$(G.testdir)/copy_from" ); + + "$(G.testdir)/copy_from" + move_obstructions => "true", + copy_from => local_dcp("$(G.testdir)/copy_from.source"), + if => fileexists( "$(this.promiser)" ); + + "$(G.testdir)/edit_template_cfengine" + move_obstructions => "true", + template_method => "cfengine", + edit_template => "$(G.testdir)/copy_from.source", + if => fileexists( "$(this.promiser)" ); + + "$(G.testdir)/edit_template_mustache" + move_obstructions => "true", + template_method => "mustache", + edit_template => "$(G.testdir)/copy_from.source", + if => fileexists( "$(this.promiser)" ); + + # Test move_obstructions with content attribute + "$(G.testdir)/content" + move_obstructions => "true", + content => "$(check.expected_content)", + if => fileexists( "$(this.promiser)" ); + + # Test move_obstructions with template_method inline_mustache + "$(G.testdir)/edit_template_string_inline_mustache" + move_obstructions => "true", + template_method => "inline_mustache", + edit_template_string => "$(check.expected_content)", + if => fileexists( "$(this.promiser)" ); + + # # Test move_obstructions with edit_line + # "$(G.testdir)/edit_line" + # move_obstructions => "true", + # edit_line => insert_lines("$(check.expected_content)"), + # if => fileexists( "$(this.promiser)" ); + +} + +############################################################################## + +bundle agent check +{ + vars: + "expected_content" string => "This is content promised targeting a symlink."; + "num_test_files" int => length( @(init.test_files) ); + + # We check the promised: + # - for each test file + # - content + # - type + + "num_expected_test_ok_classes" + int => int( eval( "$(num_test_files)*2", math, infix) ); + + classes: + "DEBUG" expression => "any"; + "all_test_files_exist" + expression => filesexist( @(init.test_files) ); + + all_test_files_exist:: + # Once we verified that all the test files exist we can check all the expectations + + # These class strings will be canonified as classes, they are tagged for easy identification + + "$(init.test_files) type as expected" + meta => { "test_ok_class" }, + if => isplain( "$(init.test_files)" ); + + "$(init.test_files) content as expected" + meta => { "test_ok_class" }, + if => strcmp( readfile("$(init.test_files)"), + "$(expected_content)"); + + "overall_success" + expression => strcmp( length( classesmatching( ".*", "test_ok_class" ) ), + "$(num_expected_test_ok_classes)" ); + + reports: + !all_test_files_exist:: + "The test does not appear to have been initialized, the expected test files are missing $(with)" + with => concat( "(", join( ",", @(init.test_files) ), ")" ); + + DEBUG:: + + "Number of test files: $(num_test_files)"; + + "Number of expected test ok classes to pass: $(num_expected_test_ok_classes)"; + + "$(with) test_ok_classes:" + with => length( classesmatching( ".*", "test_ok_class" ) ); + + "$(with)" + with => join( "$(const.n)", classesmatching( ".*", "test_ok_class" ) ); + + overall_success:: + "$(this.promise_filename) Pass"; + + !overall_success:: + "$(this.promise_filename) FAIL"; +} From 9f371443498a8ee71f305da76bb617053c8cbaa2 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 28 Oct 2025 12:59:00 -0500 Subject: [PATCH 232/255] Adjusted selinux policy to be more resilient to updates In rhel-10 the current policy errored out due to missing key_socket class. Because we were specifying each class explicitly we were prone to trouble when changes happened in the kernel and selinux-policy (the package/repo which builds the .pp policy file). Replacing all of the class elements with a single all_kernel_class_perms macro will allow us to get what we want: all of the classes available for use in our policy but in a way that will change outside of our policy. Ticket: ENT-13016 Changelog: none (cherry picked from commit 721bbe24a1b7bd172b74f864b158b1dad2a657a1) --- misc/selinux/cfengine-enterprise.te.all | 82 +------------------------ 1 file changed, 1 insertion(+), 81 deletions(-) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 1d23c987db..154e5e9c7f 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -93,87 +93,7 @@ require { type rpm_script_t; type fsadm_exec_t; type lvm_exec_t; - class lockdown { confidentiality integrity }; - class tcp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown name_connect accept listen name_bind node_bind }; - class mctp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind }; - class udp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown node_bind }; - class sock_file { create write getattr setattr unlink }; - class rawip_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class packet_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class unix_stream_socket { create ioctl read getattr lock write setattr append bind connect connectto getopt setopt shutdown }; - class unix_dgram_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown sendto }; - class appletalk_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_route_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown nlmsg_read getopt }; - class netlink_firewall_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_tcpdiag_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_nflog_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_xfrm_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_selinux_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_audit_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_ip6fw_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_dnrt_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_kobject_uevent_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class tun_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_iscsi_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_fib_lookup_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_connector_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_netfilter_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_generic_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_scsitransport_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_rdma_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_crypto_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class sctp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class icmp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class ax25_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class ipx_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netrom_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class atmpvc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class x25_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class xdp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class rose_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class decnet_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class atmsvc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class rds_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class irda_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class pppox_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class llc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class can_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class tipc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class bluetooth_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class iucv_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class rxrpc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class isdn_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class phonet_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class ieee802154_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class caif_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class alg_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class nfc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class vsock_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class kcm_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class qipcrtr_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class smc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class bridge_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class dccp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class ib_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class mpls_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class process { setrlimit transition dyntransition execstack execheap execmem signull siginh getattr sigchld }; - class fd use; - class file { execute execute_no_trans getattr ioctl map open read unlink write entrypoint lock link rename append setattr create relabelfrom relabelto watch watch_reads }; - class fifo_file { create open getattr setattr read write append rename link unlink ioctl lock relabelfrom relabelto }; - class dir { getattr read search open write add_name remove_name lock ioctl create setattr rmdir }; - class filesystem getattr; - class lnk_file { create getattr read unlink }; - class capability { dac_read_search sys_module chown dac_read_search dac_override fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace kill net_bind_service }; - class cap_userns sys_ptrace; - class capability2 { mac_admin mac_override block_suspend syslog wake_alarm }; - class association { sendto recvfrom setcontext polmatch }; - class security setsecparam; - class service { start stop status reload enable disable }; - class system { module_request }; - class memprotect mmap_zero; - class peer recv; - class chr_file { getattr }; + all_kernel_class_perms } From b5a8a7c86172c5f5333632d6364c1a7970787c48 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 10 Sep 2025 14:00:44 -0500 Subject: [PATCH 233/255] Added sysvinit cf-php-fpm service script for Mission Portal Ticket: ENT-13234 Changelog: title (cherry picked from commit 2ff61922577215f644d568f3902dddf61a150a58) --- misc/init.d/cf-php-fpm.in | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 misc/init.d/cf-php-fpm.in diff --git a/misc/init.d/cf-php-fpm.in b/misc/init.d/cf-php-fpm.in new file mode 100644 index 0000000000..7d217655a2 --- /dev/null +++ b/misc/init.d/cf-php-fpm.in @@ -0,0 +1,35 @@ +#! /bin/sh +# copied from /etc/init.d/procps written by Elrond +# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing. +if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then + set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script +fi +### BEGIN INIT INFO +# Provides: cf-php-fpm +# Required-Start: +# Required-Stop: +# Should-Start: +# X-Start-Before: +# Default-Start: S +# Default-Stop: +# Short-Description: Start CFEngine Mission Portal php-fpm service +# Description: CFEngine Enterprise PHP FastCGI Process Manager +### END INIT INFO + +# shellcheck disable=SC2034 +DESC=cf-php-fpm +PREFIX=${CFTEST_PREFIX:-@workdir@} +DAEMON=$PREFIX/httpd/php/sbin/php-fpm +PIDFILE=$PREFIX/httpd/php-fpm.pid + +do_start_cmd() { + STATUS=0 + "$DAEMON" --pid "$PIDFILE" --force-stderr || STATUS="$?" + return $STATUS +} + +do_stop_cmd() { + if [ -f "$PIDFILE" ]; then + kill -9 "-$(cat "$PIDFILE")" + fi +} From cf0956830eb9009ebb88635042756639080714f3 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 10 Sep 2025 14:20:43 -0500 Subject: [PATCH 234/255] Removed useless output from cfengine3 init script Lack of >/dev/null in ps --help command caused useless output of ``` --cols, --columns, --width ``` when running /etc/init.d/cfengine3 for any command. Ticket: ENT-13234 Changelog: title (cherry picked from commit b66efc9708480ca25195e04a4904659afa26d290) --- misc/init.d/cfengine3.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/init.d/cfengine3.in b/misc/init.d/cfengine3.in index 6017e7e212..bb320630a8 100644 --- a/misc/init.d/cfengine3.in +++ b/misc/init.d/cfengine3.in @@ -150,7 +150,7 @@ fi CURRENT_PS_UID=__none__ INSIDE_CONTAINER=-1 -if ps --help 2>/dev/null | egrep -e '--cols\b' > /dev/null || ps --help output 2>/dev/null | egrep -e '--cols\b'; then +if ps --help 2>/dev/null | egrep -e '--cols\b' > /dev/null || ps --help output 2>/dev/null | egrep -e '--cols\b' > /dev/null; then # There is a bug in SUSE which means that ps output will be truncated even # when piped to grep, if the terminal size is small. However using --cols # will override it. NOTE: On Suse 12 and 15, `ps` mentions `--cols` only From 8ae9d2df6a3f4c35843fcf45152345a0994c1719 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 29 Oct 2025 15:51:22 -0500 Subject: [PATCH 235/255] Fixed move_obstructions support when using content, and edit_template Added missing changelog entry. Ticket: CFE-4591 Changelog: Title (cherry picked from commit 37caf778b73a40b47b413577ae127e22823f2cd3) From 9ce5442b40e7ae5725a306eafeff96951e7bdf29 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 30 Oct 2025 20:44:47 -0500 Subject: [PATCH 236/255] Adjusted cf3_with_library to handle case where --with-feature is not defined In the case of pam and lmdb, due to checks for brew, --with-pam and --with-lmdb, if not specified by the user, are not defined. This resulted in -R/lib being added to LMDB_LDFLAGS and PAM_LDFLAGS and by appending: CORE_LDFLAGS. This -R/lib adds an RPATH which rhel-10 rpmbuild complains about since it is a standard path that should not be included in RPATHS. Ticket: ENT-13016 Changelog: none (cherry picked from commit 2264624af9a47e85d6d44b92c8cb8fc2463b40ff) (cherry picked from commit 2f1ffa847958b23a237770fcebd2aff3bf7a631c) --- m4/cf3_with_library.m4 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/m4/cf3_with_library.m4 b/m4/cf3_with_library.m4 index ee47d7d11d..dde7181dfb 100644 --- a/m4/cf3_with_library.m4 +++ b/m4/cf3_with_library.m4 @@ -84,7 +84,8 @@ AC_DEFUN([CF3_WITH_LIBRARY], if test "x$with_[$1]" != xyes && test "x$with_[$1]" != xcheck && test "x$with_[$1]" != x/usr && - test "x$with_[$1]" != x/ + test "x$with_[$1]" != x/ && + test -n "$with_[$1]" then ULN[]_LDFLAGS="$ULN[]_LDFLAGS -R$with_[$1]/lib" fi From 514ce3723c6d1cb4bc2395a6487676e448a1d5c1 Mon Sep 17 00:00:00 2001 From: Ihor Aleksandrychiev Date: Tue, 4 Nov 2025 14:34:21 +0200 Subject: [PATCH 237/255] Added 3.21.8 ChangeLog entries Ticket: ENT-13334 ChangeLog: None Signed-off-by: Ihor Aleksandrychiev --- ChangeLog | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/ChangeLog b/ChangeLog index ce1e599562..4b29b92dd0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,21 @@ +3.21.8: + - Added sysvinit cf-php-fpm service script for Mission Portal + (ENT-13234) + - Atomic permissions during file copy. + Temporary file is now set to promised permissions before replacing it + with original during remote copy from. (ENT-13163) + - Fixed bug where remote file copy always preserves source perms. + Remote file copy with the 'copy_from' attribute now only preserves + source file permissions if the 'preserve' attribute in 'body copy_from' + is true. Otherwise it will use the permissions of the destination file + if it already exists and default permissions if it does not. (ENT-11988) + - Fixed cf-support usage of coredumpctl matching (ENT-13272) + - Fixed move_obstructions support when using content, and edit_template (CFE-4591) + - Fixed handling of promise locking with edit line + Fixed bug where rendered files can result in erroneously empty files + as a result of promise locking. (ENT-9980) + - Removed useless output from cfengine3 init script (ENT-13234) + 3.21.7: - Fixed issue where rhel >8 packages would not have correct openssl dependency version (ENT-12587) From 18ff2319b43e2d42a4359ddf80462048e29180ce Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 5 Nov 2025 12:06:49 -0600 Subject: [PATCH 238/255] Added note to INSTALL about procps package requirement for process promises on alpine linux (cherry picked from commit eb317d19b42d17ba49ffbc4d1fdb759612ac4257) --- INSTALL | 2 ++ 1 file changed, 2 insertions(+) diff --git a/INSTALL b/INSTALL index 2f44779299..7e2a19bde3 100644 --- a/INSTALL +++ b/INSTALL @@ -155,6 +155,8 @@ sudo zypper install gdb gcc make lmdb autoconf automake libtool git python3 pcre sudo apk add alpine-sdk lmdb-dev openssl-dev bison flex-dev acl-dev pcre-dev autoconf automake libtool git python3 gdb ./autogen.sh --without-pam +Note that in order for process promises to work you must install the procps package for a "proper" ps command instead of busybox. + * Termux (2020-04-24) pkg install build-essential git autoconf automake bison flex liblmdb openssl pcre libacl libyaml From 169edcec4a0738cabc5fabb98ef805de2ee39046 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 13 Nov 2025 09:51:17 -0600 Subject: [PATCH 239/255] Added skip for run_lastseen_threaded_load.sh test on HP/UX Ticket: ENT-7541 Changelog: none (cherry picked from commit 519f54f42f194ea0159bea1950fc951e2e49a81d) --- tests/load/run_lastseen_threaded_load.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/load/run_lastseen_threaded_load.sh b/tests/load/run_lastseen_threaded_load.sh index aebcf21a91..64293cbb9a 100755 --- a/tests/load/run_lastseen_threaded_load.sh +++ b/tests/load/run_lastseen_threaded_load.sh @@ -1,10 +1,11 @@ #!/bin/sh -if [ "x$label" = "xPACKAGES_x86_64_solaris_10" ] ; -then - echo "Skipping lastseen_threaded_load on $label" +for skip_label in PACKAGES_x86_64_solaris_10 PACKAGES_ia64_hpux_11.23; do + if [ "$label" = "$skip_label" ]; then + echo "Skipping $0 on label $skip_label" exit 0; -fi + fi +done echo "Starting run_lastseen_threaded_load.sh test" From a3921ebf639e0fffd8cbf5ec064e7c6bd4c5b115 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 20 Nov 2025 16:20:21 +0100 Subject: [PATCH 240/255] Fixed struct stat layout mismatch on HP-UX due to include order On HP-UX IA-64, verify_files_utils.c included before config.h was loaded, causing struct stat and off_t to use 32-bit layout instead of the 64-bit layout required by _FILE_OFFSET_BITS=64. This resulted in st_size being read from the wrong offset, producing garbage values (e.g., 236662833 instead of 821 bytes) and "file corrupted in transit" errors during local file copies. Fixed by including platform.h first to ensure _FILE_OFFSET_BITS=64 is defined before any system headers. Ticket: ENT-13508 Signed-off-by: Lars Erik Wik (cherry picked from commit 2b418c02fa72e7bd25939de3de073d83b913d28f) --- cf-agent/verify_files_utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/cf-agent/verify_files_utils.c b/cf-agent/verify_files_utils.c index 03b55aa160..8882164f6d 100644 --- a/cf-agent/verify_files_utils.c +++ b/cf-agent/verify_files_utils.c @@ -22,6 +22,7 @@ included file COSL.txt. */ +#include #include #include #include From 2cc6a1c79d6491f1ba961fbaad103bcc8aa2944d Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 21 Nov 2025 10:17:36 +0100 Subject: [PATCH 241/255] Fixed diskfree() returning garbage value Always include platform.h before system headers. Otherwise types such as off_t will use 32-bit layout instead of the 64-bit layout required by _FILE_OFFSET_BITS=64 on HP-UX. Ticket: ENT-13531 Signed-off-by: Lars Erik Wik (cherry picked from commit c30bead8b473df8397c9c91091315ce36f7a351f) --- libpromises/evalfunction.c | 1 + libpromises/storage_tools.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index 49aceeed68..852d7fde43 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -22,6 +22,7 @@ included file COSL.txt. */ +#include #include #include diff --git a/libpromises/storage_tools.c b/libpromises/storage_tools.c index 5e44dc0341..1edd3052f8 100644 --- a/libpromises/storage_tools.c +++ b/libpromises/storage_tools.c @@ -22,6 +22,8 @@ included file COSL.txt. */ +#include + #include #ifdef HAVE_SYS_STATFS_H From be1bca80de181a133c8443d43344989d0b3ff533 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 25 Nov 2025 07:52:55 -0600 Subject: [PATCH 242/255] Fixed length checking in StatFile If a symlink resolves to a path that is longer than the maximum allowed by the protocol, currently 4088 bytes, then an error response is generated. Previously the server side would ignore an error from SendTransaction() due to the large size and the client-side would hang/timeout waiting for a response. Ticket: ENT-13542 Changelog: title (cherry picked from commit 90220ca8c932a21a6ea457a42bcca7929a10d6a8) --- cf-serverd/server_common.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/cf-serverd/server_common.c b/cf-serverd/server_common.c index a4fc8e5a77..06ae1b9b10 100644 --- a/cf-serverd/server_common.c +++ b/cf-serverd/server_common.c @@ -704,6 +704,7 @@ int StatFile(ServerConnectionState *conn, char *sendbuffer, char *ofilename) /* the simplest way to transfer the data is to convert them into */ /* plain text and interpret them on the other side. */ { + assert(conn != NULL); Stat cfst; struct stat statbuf, statlinkbuf; char linkbuf[CF_BUFSIZE], filename[CF_BUFSIZE - 128]; @@ -846,10 +847,17 @@ int StatFile(ServerConnectionState *conn, char *sendbuffer, char *ofilename) memset(sendbuffer, 0, CF_MSGSIZE); + // +3 because we need to prepend 'OK:' to the path + if (strlen(linkbuf)+3 > CF_MSGSIZE) { + NDEBUG_UNUSED int ret = snprintf(sendbuffer, CF_MSGSIZE, "BAD: Symlink resolves to a path too long (%ld) to send over the protocol.", strlen(linkbuf)+3); + assert(ret > 0 && ret < CF_MSGSIZE); + SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE); + return -1; + } if (cfst.cf_readlink != NULL) { - strcpy(sendbuffer, "OK:"); - strcat(sendbuffer, cfst.cf_readlink); + NDEBUG_UNUSED int ret = snprintf(sendbuffer, CF_MSGSIZE, "OK:%s", linkbuf); + assert(ret > 0 && ret < CF_MSGSIZE); } else { From 6a83897482005eb5060341af22c90b4a1ada5901 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 26 Nov 2025 12:32:45 +0100 Subject: [PATCH 243/255] See ticket for info Ticket: ENT-13535 Signed-off-by: Lars Erik Wik (cherry picked from commit a89590c700f57b28f942350daa45568e44f3584c) --- .../17_users/unsafe/user_command.cf | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 tests/acceptance/17_users/unsafe/user_command.cf diff --git a/tests/acceptance/17_users/unsafe/user_command.cf b/tests/acceptance/17_users/unsafe/user_command.cf new file mode 100644 index 0000000000..946f20ce35 --- /dev/null +++ b/tests/acceptance/17_users/unsafe/user_command.cf @@ -0,0 +1,61 @@ +############################################################################## +# +# See ticket ENT-13535 for info. +# +############################################################################## + +body common control +{ + bundlesequence => { "init", "test", "check", "clean" }; +} + +body delete tidy +{ + dirlinks => "delete"; + rmdirs => "true"; +} + +############################################################################## + +bundle agent init +{ + users: + "test_user" + policy => "absent"; + + files: + "/tmp/some-random-file.txt" + delete => tidy; +} + +############################################################################## + +bundle agent test +{ + meta: + "description" -> { "ENT-13535" } + string => "See ticket ENT-13535 for info"; + "test_skip_unsupported" + string => "windows", + comment => "Not applicable for Windows since it uses a C API"; + + users: + linux:: + "test_user; echo 'Hello CFEngine' > /tmp/some-random-file.txt" + policy => "present"; +} + +############################################################################## + +bundle agent check +{ + reports: + "$(this.promise_filename) $(with)" + with => ifelse(fileexists("/tmp/some-random-file.txt"), "FAIL", "Pass"); +} + +bundle agent clean +{ + methods: + "init"; +} From 0b022cbca0b1696a98c76cb15178ae2d9ac7e165 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 26 Nov 2025 16:31:07 +0100 Subject: [PATCH 244/255] verify_users_pam.c: fixed whitespace issues Signed-off-by: Lars Erik Wik (cherry picked from commit 0907c642d44f39a2f9ae7b45e0cc3cbd0d6124f2) --- cf-agent/verify_users_pam.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/cf-agent/verify_users_pam.c b/cf-agent/verify_users_pam.c index c405c7d1fa..31ac03eaf6 100644 --- a/cf-agent/verify_users_pam.c +++ b/cf-agent/verify_users_pam.c @@ -1000,13 +1000,13 @@ static bool EqualGid(const char *key, const struct group *entry) { assert(entry != NULL); - unsigned long gid; + unsigned long gid; int ret = StringToUlong(key, &gid); if (ret != 0) { LogStringToLongError(key, "EqualGid", ret); return false; - } + } return (gid == entry->gr_gid); } @@ -1153,16 +1153,16 @@ static void TransformGidsToGroups(StringSet **list) StringSetDestroy(old_list); } -static bool VerifyIfUserNeedsModifs(const char *puser, const User *u, +static bool VerifyIfUserNeedsModifs(const char *puser, const User *u, const struct passwd *passwd_info, - uint32_t *changemap, - StringSet *groups_to_set, + uint32_t *changemap, + StringSet *groups_to_set, StringSet *current_secondary_groups) { assert(u != NULL); assert(passwd_info != NULL); - if (u->description != NULL && + if (u->description != NULL && !StringEqual(u->description, passwd_info->pw_gecos)) { CFUSR_SETBIT(*changemap, i_comment); @@ -1212,17 +1212,17 @@ static bool VerifyIfUserNeedsModifs(const char *puser, const User *u, if (SafeStringLength(u->group_primary) != 0) { - bool group_could_be_gid = (strlen(u->group_primary) == + bool group_could_be_gid = (strlen(u->group_primary) == strspn(u->group_primary, "0123456789")); // We try name first, even if it looks like a gid. Only fall back to gid. errno = 0; - struct group *group_info = GetGrEntry(u->group_primary, + struct group *group_info = GetGrEntry(u->group_primary, &EqualGroupName); if (group_info == NULL && errno != 0) { - Log(LOG_LEVEL_ERR, - "Could not obtain information about group '%s': %s", + Log(LOG_LEVEL_ERR, + "Could not obtain information about group '%s': %s", u->group_primary, GetErrorStr()); CFUSR_SETBIT(*changemap, i_group); } @@ -1234,7 +1234,7 @@ static bool VerifyIfUserNeedsModifs(const char *puser, const User *u, int ret = StringToUlong(u->group_primary, &gid); if (ret != 0) { - LogStringToLongError(u->group_primary, + LogStringToLongError(u->group_primary, "VerifyIfUserNeedsModifs", ret); CFUSR_SETBIT(*changemap, i_group); } From f71ffff5838996b9d4d7bf02119d185bea9d078c Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 28 Nov 2025 13:04:08 +0100 Subject: [PATCH 245/255] Execute users commands directly instead through a shell See ticket for more info. Ticket: ENT-13535 Signed-off-by: Lars Erik Wik (cherry picked from commit 497bc588d218c021c193a22554079d82063c2cf7) --- cf-agent/verify_users_pam.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/cf-agent/verify_users_pam.c b/cf-agent/verify_users_pam.c index 31ac03eaf6..b5a27f95e9 100644 --- a/cf-agent/verify_users_pam.c +++ b/cf-agent/verify_users_pam.c @@ -420,7 +420,7 @@ static bool ChangePasswordHashUsingChpasswd(const char *puser, const char *passw int status; const char *cmd_str = CHPASSWD " -e"; Log(LOG_LEVEL_VERBOSE, "Changing password hash for user '%s'. (command: '%s')", puser, cmd_str); - FILE *cmd = cf_popen_sh(cmd_str, "w"); + FILE *cmd = cf_popen(cmd_str, "w", true); if (!cmd) { Log(LOG_LEVEL_ERR, "Could not launch password changing command '%s': %s.", cmd_str, GetErrorStr()); @@ -652,12 +652,20 @@ static bool ExecuteUserCommand(const char *puser, const char *cmd, size_t sizeof Log(LOG_LEVEL_VERBOSE, "%s user '%s'. (command: '%s')", cap_action_msg, puser, cmd); - int status = system(cmd); - if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + FILE *fptr = cf_popen(cmd, "w", true); + if (!fptr) { Log(LOG_LEVEL_ERR, "Command returned error while %s user '%s'. (Command line: '%s')", action_msg, puser, cmd); return false; } + + int status = cf_pclose(fptr); + if (status) + { + Log(LOG_LEVEL_ERR, "'%s' returned non-zero status: %i\n", cmd, status); + return false; + } + return true; } From 656155d75d4576225b5646c315400b76453e5b8b Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 3 Dec 2025 10:45:07 +0100 Subject: [PATCH 246/255] Changed severity of log level in CreateTableColumns() Changed the severity of the log message "Trying to create table..." from `LOG_LEVEL_ERR` to `LOG_LEVEL_VERBOSE`. Signed-off-by: Lars Erik Wik (cherry picked from commit 59f11a5d0eea79c3c676592559305df65096e702) --- cf-agent/verify_databases.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cf-agent/verify_databases.c b/cf-agent/verify_databases.c index 65980b731f..e6b804c783 100644 --- a/cf-agent/verify_databases.c +++ b/cf-agent/verify_databases.c @@ -748,7 +748,7 @@ static bool CreateTableColumns(CfdbConn *cfdb, char *table, Rlist *columns) char **name_table, **type_table; int no_of_cols = RlistLen(columns); - Log(LOG_LEVEL_ERR, "Trying to create table '%s'", table); + Log(LOG_LEVEL_VERBOSE, "Trying to create table '%s'", table); if (!NewSQLColumns(table, columns, &name_table, &type_table, &size_table, &done)) { From 1376a0063258635f755590a622d064c68d66a8e6 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 3 Dec 2025 10:54:55 +0100 Subject: [PATCH 247/255] Fixed use of uninitialized buffer in CreateTableColumns() Fixed potential bug causing an uninitialized buffer (containing garbage data) to be sent as a database query when creating a table in the databases promise type. Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit 832ad349bbecc14d9c14186a7c3b51dacede0396) --- cf-agent/verify_databases.c | 45 ++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/cf-agent/verify_databases.c b/cf-agent/verify_databases.c index e6b804c783..251ee3e46f 100644 --- a/cf-agent/verify_databases.c +++ b/cf-agent/verify_databases.c @@ -755,35 +755,38 @@ static bool CreateTableColumns(CfdbConn *cfdb, char *table, Rlist *columns) return false; } - if (no_of_cols > 0) + if (no_of_cols <= 0) { - snprintf(query, CF_BUFSIZE - 1, "create table %s(", table); + Log(LOG_LEVEL_ERR, "Attempted to create table '%s' without any columns", table); + return false; + } - for (i = 0; i < no_of_cols; i++) - { - Log(LOG_LEVEL_VERBOSE, "Forming column template %s %s %d", name_table[i], type_table[i], - size_table[i]);; + snprintf(query, CF_BUFSIZE - 1, "create table %s(", table); - if (size_table[i] > 0) - { - snprintf(entry, CF_MAXVARSIZE - 1, "%s %s(%d)", name_table[i], type_table[i], size_table[i]); - } - else - { - snprintf(entry, CF_MAXVARSIZE - 1, "%s %s", name_table[i], type_table[i]); - } - - strcat(query, entry); + for (i = 0; i < no_of_cols; i++) + { + Log(LOG_LEVEL_VERBOSE, "Forming column template %s %s %d", name_table[i], type_table[i], + size_table[i]);; - if (i < no_of_cols - 1) - { - strcat(query, ","); - } + if (size_table[i] > 0) + { + snprintf(entry, CF_MAXVARSIZE - 1, "%s %s(%d)", name_table[i], type_table[i], size_table[i]); + } + else + { + snprintf(entry, CF_MAXVARSIZE - 1, "%s %s", name_table[i], type_table[i]); } - strcat(query, ")"); + strcat(query, entry); + + if (i < no_of_cols - 1) + { + strcat(query, ","); + } } + strcat(query, ")"); + CfVoidQueryDB(cfdb, query); DeleteSQLColumns(name_table, type_table, size_table, done, no_of_cols); return true; From b40c0ea155a530b181c3c4a758affd6e16e8756b Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 3 Dec 2025 11:10:53 +0100 Subject: [PATCH 248/255] Fixed buffer overflow in CreateTableColumns() Fixed potential buffer overflow when creating tables using the databases promise type. Ticket: ENT-13552 Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit ff4f9a65194cd9532a64f493dddafb3cb22f2ece) --- cf-agent/verify_databases.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/cf-agent/verify_databases.c b/cf-agent/verify_databases.c index 251ee3e46f..b18ff93138 100644 --- a/cf-agent/verify_databases.c +++ b/cf-agent/verify_databases.c @@ -743,7 +743,6 @@ static int TableExists(CfdbConn *cfdb, char *name) static bool CreateTableColumns(CfdbConn *cfdb, char *table, Rlist *columns) { - char entry[CF_MAXVARSIZE], query[CF_BUFSIZE]; int i, *size_table, *done; char **name_table, **type_table; int no_of_cols = RlistLen(columns); @@ -761,7 +760,8 @@ static bool CreateTableColumns(CfdbConn *cfdb, char *table, Rlist *columns) return false; } - snprintf(query, CF_BUFSIZE - 1, "create table %s(", table); + Buffer *query = BufferNew(); + BufferPrintf(query, "create table %s(", table); for (i = 0; i < no_of_cols; i++) { @@ -770,24 +770,23 @@ static bool CreateTableColumns(CfdbConn *cfdb, char *table, Rlist *columns) if (size_table[i] > 0) { - snprintf(entry, CF_MAXVARSIZE - 1, "%s %s(%d)", name_table[i], type_table[i], size_table[i]); + BufferAppendF(query, "%s %s(%d)", name_table[i], type_table[i], size_table[i]); } else { - snprintf(entry, CF_MAXVARSIZE - 1, "%s %s", name_table[i], type_table[i]); + BufferAppendF(query, "%s %s", name_table[i], type_table[i]); } - strcat(query, entry); - if (i < no_of_cols - 1) { - strcat(query, ","); + BufferAppendChar(query, ','); } } - strcat(query, ")"); + BufferAppendChar(query, ')'); - CfVoidQueryDB(cfdb, query); + CfVoidQueryDB(cfdb, BufferData(query)); + BufferDestroy(query); DeleteSQLColumns(name_table, type_table, size_table, done, no_of_cols); return true; } From 2cb4323f67528a5832d572c4d39274f7978935d0 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Wed, 3 Dec 2025 11:45:10 +0100 Subject: [PATCH 249/255] cf_sql.{c,h}: constified arguments in DB query functions Signed-off-by: Lars Erik Wik (cherry picked from commit 6b6a90d3366cf120525be511960311fe1b6a610c) --- cf-agent/cf_sql.c | 4 ++-- cf-agent/cf_sql.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cf-agent/cf_sql.c b/cf-agent/cf_sql.c index 6bf2a46956..f2782fb06e 100644 --- a/cf-agent/cf_sql.c +++ b/cf-agent/cf_sql.c @@ -384,7 +384,7 @@ void CfCloseDB(CfdbConn *cfdb) /*****************************************************************************/ -void CfVoidQueryDB(CfdbConn *cfdb, char *query) +void CfVoidQueryDB(CfdbConn *cfdb, const char *query) { if (!cfdb->connected) { @@ -398,7 +398,7 @@ void CfVoidQueryDB(CfdbConn *cfdb, char *query) /*****************************************************************************/ -void CfNewQueryDB(CfdbConn *cfdb, char *query) +void CfNewQueryDB(CfdbConn *cfdb, const char *query) { cfdb->result = false; cfdb->row = 0; diff --git a/cf-agent/cf_sql.h b/cf-agent/cf_sql.h index 5b2779fe46..e126107437 100644 --- a/cf-agent/cf_sql.h +++ b/cf-agent/cf_sql.h @@ -42,8 +42,8 @@ typedef struct void CfConnectDB(CfdbConn *cfdb, DatabaseType dbtype, char *remotehost, char *dbuser, char *passwd, char *db); void CfCloseDB(CfdbConn *cfdb); -void CfVoidQueryDB(CfdbConn *cfdb, char *query); -void CfNewQueryDB(CfdbConn *cfdb, char *query); +void CfVoidQueryDB(CfdbConn *cfdb, const char *query); +void CfNewQueryDB(CfdbConn *cfdb, const char *query); char **CfFetchRow(CfdbConn *cfdb); char *CfFetchColumn(CfdbConn *cfdb, int col); void CfDeleteQuery(CfdbConn *cfdb); From 627181cde35b0e89b68ebd5aae850d5c1919c2d0 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 4 Dec 2025 13:25:26 +0100 Subject: [PATCH 250/255] Constified command argument in ExecPackageCommand() Signed-off-by: Lars Erik Wik (cherry picked from commit ef1f52a0e63f756eb398d9a82c8fbaae5d4f1af9) --- cf-agent/verify_packages.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cf-agent/verify_packages.c b/cf-agent/verify_packages.c index 27d0727f7e..5f0b9c5143 100644 --- a/cf-agent/verify_packages.c +++ b/cf-agent/verify_packages.c @@ -115,7 +115,7 @@ static PromiseResult VerifyPromisedPatch(EvalContext *ctx, const Attributes *a, static char *GetDefaultArch(const char *command); -static bool ExecPackageCommand(EvalContext *ctx, char *command, int verify, int setCmdClasses, const Attributes *a, const Promise *pp, PromiseResult *result); +static bool ExecPackageCommand(EvalContext *ctx, const char *command, int verify, int setCmdClasses, const Attributes *a, const Promise *pp, PromiseResult *result); static bool PrependPatchItem(EvalContext *ctx, PackageItem ** list, char *item, PackageItem * chklist, const char *default_arch, const Attributes *a, const Promise *pp); static bool PrependMultiLinePackageItem(EvalContext *ctx, PackageItem ** list, char *item, int reset, const char *default_arch, const Attributes *a, const Promise *pp); @@ -3245,14 +3245,14 @@ const char *PrefixLocalRepository(const Rlist *repositories, const char *package return NULL; } -bool ExecPackageCommand(EvalContext *ctx, char *command, int verify, int setCmdClasses, const Attributes *a, +bool ExecPackageCommand(EvalContext *ctx, const char *command, int verify, int setCmdClasses, const Attributes *a, const Promise *pp, PromiseResult *result) { assert(a != NULL); assert(pp != NULL); // Dereferenced by cfPS macros bool retval = true; - char *cmd; + const char *cmd; FILE *pfp; int packmanRetval = 0; From e91200be30419b40bc1c2d50d1c080d219333a67 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 28 Nov 2025 13:51:14 +0100 Subject: [PATCH 251/255] Packages promiser is now escaped when using shell commands I also refactored the code to use a dynamic buffer when assembling the commands. Estimating the buffer size needed is error prone and can quickly lead to buffer overflows. Ticket: ENT-13535 Changelog: Title Signed-off-by: Lars Erik Wik (cherry picked from commit aaf314a50bbf7acf3d2f139afdfea02d99fb14df) --- cf-agent/verify_packages.c | 116 ++++++++---------- .../07_packages/packages_command.cf | 92 ++++++++++++++ 2 files changed, 142 insertions(+), 66 deletions(-) create mode 100644 tests/acceptance/07_packages/packages_command.cf diff --git a/cf-agent/verify_packages.c b/cf-agent/verify_packages.c index 5f0b9c5143..c8592e6fe5 100644 --- a/cf-agent/verify_packages.c +++ b/cf-agent/verify_packages.c @@ -54,6 +54,7 @@ #include #include #include +#include /* Called structure: @@ -2578,35 +2579,9 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa continue; } - size_t estimated_size = 0; - - for (const PackageItem *pi = pm->pack_list; pi != NULL; pi = pi->next) - { - size_t size = strlen(pi->name) + strlen(" "); - - switch (pm->policy) - { - case PACKAGE_ACTION_POLICY_INDIVIDUAL: - - if (size > estimated_size) - { - estimated_size = size + CF_MAXVARSIZE; - } - break; - - case PACKAGE_ACTION_POLICY_BULK: - - estimated_size += size + CF_MAXVARSIZE; - break; - - default: - break; - } - } - const Promise *const pp = pm->pack_list->pp; Attributes a = GetPackageAttributes(ctx, pp); - char *command_string = NULL; + Buffer *command_buffer = BufferNew(); switch (action) { @@ -2617,14 +2592,12 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa if (a.packages.package_add_command == NULL) { ProgrammingError("Package add command undefined"); + BufferDestroy(command_buffer); return false; } Log(LOG_LEVEL_INFO, "Installing %-.39s...", pp->promiser); - - estimated_size += strlen(a.packages.package_add_command) + 2; - command_string = xmalloc(estimated_size); - strcpy(command_string, a.packages.package_add_command); + BufferAppendString(command_buffer, a.packages.package_add_command); break; case PACKAGE_ACTION_DELETE: @@ -2634,14 +2607,12 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa if (a.packages.package_delete_command == NULL) { ProgrammingError("Package delete command undefined"); + BufferDestroy(command_buffer); return false; } Log(LOG_LEVEL_INFO, "Deleting %-.39s...", pp->promiser); - - estimated_size += strlen(a.packages.package_delete_command) + 2; - command_string = xmalloc(estimated_size); - strcpy(command_string, a.packages.package_delete_command); + BufferAppendString(command_buffer, a.packages.package_delete_command); break; case PACKAGE_ACTION_UPDATE: @@ -2651,14 +2622,12 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa if (a.packages.package_update_command == NULL) { ProgrammingError("Package update command undefined"); + BufferDestroy(command_buffer); return false; } Log(LOG_LEVEL_INFO, "Updating %-.39s...", pp->promiser); - - estimated_size += strlen(a.packages.package_update_command) + 2; - command_string = xcalloc(1, estimated_size); - strcpy(command_string, a.packages.package_update_command); + BufferAppendString(command_buffer, a.packages.package_update_command); break; case PACKAGE_ACTION_VERIFY: @@ -2668,33 +2637,32 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa if (a.packages.package_verify_command == NULL) { ProgrammingError("Package verify command undefined"); + BufferDestroy(command_buffer); return false; } - estimated_size += strlen(a.packages.package_verify_command) + 2; - command_string = xmalloc(estimated_size); - strcpy(command_string, a.packages.package_verify_command); + BufferAppendString(command_buffer, a.packages.package_verify_command); verify = true; break; default: ProgrammingError("Unknown action attempted"); + BufferDestroy(command_buffer); return false; } /* if the command ends with $ then we assume the package manager does not accept package names */ - - if (*(command_string + strlen(command_string) - 1) == '$') + if (BufferData(command_buffer)[BufferSize(command_buffer) - 1] == '$') { - *(command_string + strlen(command_string) - 1) = '\0'; + BufferTrimToMaxLength(command_buffer, BufferSize(command_buffer) - 1); Log(LOG_LEVEL_VERBOSE, "Command does not allow arguments"); PromiseResult result = PROMISE_RESULT_NOOP; EvalContextStackPushPromiseFrame(ctx, pp); if (EvalContextStackPushPromiseIterationFrame(ctx, NULL)) { - if (ExecPackageCommand(ctx, command_string, verify, true, &a, pp, &result)) + if (ExecPackageCommand(ctx, BufferData(command_buffer), verify, true, &a, pp, &result)) { Log(LOG_LEVEL_VERBOSE, "Package schedule execution ok (outcome cannot be promised by cf-agent)"); } @@ -2711,9 +2679,9 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa } else { - strcat(command_string, " "); + BufferAppendChar(command_buffer, ' '); - Log(LOG_LEVEL_VERBOSE, "Command prefix '%s'", command_string); + Log(LOG_LEVEL_VERBOSE, "Command prefix '%s'", BufferData(command_buffer)); if (pm->policy == PACKAGE_ACTION_POLICY_INDIVIDUAL) { @@ -2723,15 +2691,14 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa const Promise *const ppi = pi->pp; Attributes a = GetPackageAttributes(ctx, ppi); - const size_t command_len = strlen(command_string); - char *offset = command_string + command_len; + const size_t offset = BufferSize(command_buffer); if ((a.packages.package_file_repositories) && ((action == PACKAGE_ACTION_ADD) || (action == PACKAGE_ACTION_UPDATE))) { const char *sp = PrefixLocalRepository(a.packages.package_file_repositories, pi->name); if (sp != NULL) { - strlcat(offset, sp, estimated_size - command_len); + BufferAppendString(command_buffer, sp); } else { @@ -2740,14 +2707,26 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa } else { - strcat(offset, pi->name); + if (a.packages.package_commands_useshell) + { + /* Put single quotes around package name and escape + * any pre-existing single quotes to prevent shell + * injection. */ + char *escaped = EscapeCharCopy(pi->name, '\'', '\\'); + BufferAppendF(command_buffer, "'%s'", escaped); + free(escaped); + } + else + { + BufferAppendString(command_buffer, pi->name); + } } PromiseResult result = PROMISE_RESULT_NOOP; EvalContextStackPushPromiseFrame(ctx, ppi); if (EvalContextStackPushPromiseIterationFrame(ctx, NULL)) { - bool ok = ExecPackageCommand(ctx, command_string, verify, true, &a, ppi, &result); + bool ok = ExecPackageCommand(ctx, BufferData(command_buffer), verify, true, &a, ppi, &result); if (StringEqual(pi->name, PACKAGE_IGNORED_CFE_INTERNAL)) { @@ -2770,7 +2749,7 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa EvalContextLogPromiseIterationOutcome(ctx, ppi, result); - *offset = '\0'; + BufferTrimToMaxLength(command_buffer, offset); } } else if (pm->policy == PACKAGE_ACTION_POLICY_BULK) @@ -2779,9 +2758,6 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa { if (pi->name) { - const size_t command_len = strlen(command_string); - char *offset = command_string + command_len; - if (a.packages.package_file_repositories && (action == PACKAGE_ACTION_ADD || action == PACKAGE_ACTION_UPDATE)) @@ -2789,7 +2765,7 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa const char *sp = PrefixLocalRepository(a.packages.package_file_repositories, pi->name); if (sp != NULL) { - strlcpy(offset, sp, estimated_size - command_len); + BufferAppendString(command_buffer, sp); } else { @@ -2798,10 +2774,21 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa } else { - strcpy(offset, pi->name); + if (a.packages.package_commands_useshell) + { + /* Put single quotes around package name and escape + * any pre-existing single quotes to prevent shell + * injection. */ + char *escaped = EscapeCharCopy(pi->name, '\'', '\\'); + BufferAppendF(command_buffer, "'%s'", escaped); + free(escaped); + } + else + { + BufferAppendString(command_buffer, pi->name); + } } - - strcat(command_string, " "); + BufferAppendChar(command_buffer, ' '); } } @@ -2809,7 +2796,7 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa EvalContextStackPushPromiseFrame(ctx, pp); if (EvalContextStackPushPromiseIterationFrame(ctx, NULL)) { - bool ok = ExecPackageCommand(ctx, command_string, verify, true, &a, pp, &result); + bool ok = ExecPackageCommand(ctx, BufferData(command_buffer), verify, true, &a, pp, &result); for (const PackageItem *pi = pm->pack_list; pi != NULL; pi = pi->next) { @@ -2837,10 +2824,7 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa } } - if (command_string) - { - free(command_string); - } + BufferDestroy(command_buffer); } /* We have performed some modification operation on packages, our cache is invalid */ diff --git a/tests/acceptance/07_packages/packages_command.cf b/tests/acceptance/07_packages/packages_command.cf new file mode 100644 index 0000000000..4bece4865f --- /dev/null +++ b/tests/acceptance/07_packages/packages_command.cf @@ -0,0 +1,92 @@ +####################################################### +# +# See ticket ENT-13536 for info +# +####################################################### + +body common control +{ + inputs => { "../default.cf.sub" }; + bundlesequence => { "G", "g", default("$(this.promise_filename)") }; + version => "1.0"; + cache_system_functions => "false"; +} + +body package_method mock +{ + package_changes => "individual"; + package_list_command => "$(g.pm) --list-installed"; + + package_list_name_regex => "^[^:]*"; + package_list_version_regex => ":(?<=:).*(?=:)"; + package_list_arch_regex => "[^:]\w+$"; + package_installed_regex => "^[^:]*"; + + package_add_command => "$(g.pm) --add "; + package_update_command => "$(g.pm) --update "; + package_delete_command => "$(g.pm) --delete "; + package_verify_command => "$(g.pm) --verify "; +} + +bundle common g +{ + classes: + "mpm_declared" not => strcmp(getenv("MOCK_PACKAGE_MANAGER", "65535"), ""); + + vars: + mpm_declared:: + "pm" string => getenv("MOCK_PACKAGE_MANAGER", "65535"); + + !mpm_declared:: + "pm" string => "$(G.mock_package_manager)"; +} + +####################################################### + +bundle agent init +{ + commands: + "$(g.pm) --clear-installed"; + "$(g.pm) --clear-available"; + "$(g.pm) --populate-available imagisoft:1.0i:teapot"; + + files: + "$(G.testfile)" + delete => tidy; +} + +####################################################### + +bundle agent test +{ + meta: + "test_skip_unsupported" string => "windows", + meta => { "ENT-10215" }; + + vars: + "name" string => "imagisoft"; + "version" string => "1.0i"; + "arch" string => "teapot"; + + packages: + "imagisoft; echo 'Hello CFEngine' > '$(G.testfile)';" + package_policy => "add", + package_method => mock; +} + +####################################################### + +bundle agent check +{ + reports: + "$(this.promise_filename) $(with)" + with => ifelse(fileexists("$(G.testfile)"), "FAIL", "Pass"); +} + +####################################################### + +bundle agent clean +{ + methods: + "init"; +} From 098b156ca02fb29dc3c6cac9c8659bb9368492ac Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 4 Dec 2025 14:31:49 -0600 Subject: [PATCH 252/255] Fixed package related acceptance test for Windows platform related to quoting arguments Ticket: ENT-13535 Changelog: none (cherry picked from commit 6f97d0a852d48b3b4aec08298f3985d6bddca047) Signed-off-by: Lars Erik Wik --- tests/acceptance/07_packages/repositories.cf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/acceptance/07_packages/repositories.cf b/tests/acceptance/07_packages/repositories.cf index 0691813510..13f6802c12 100644 --- a/tests/acceptance/07_packages/repositories.cf +++ b/tests/acceptance/07_packages/repositories.cf @@ -15,16 +15,18 @@ bundle agent init # Due to shell rules, windows includes certain characters on certain commands, # while Unix does not. windows:: + "single_quote" string => "'"; "q" string => '"'; "s" string => ' '; !windows:: + "single_quote" string => ''; "q" string => ''; "s" string => ''; methods: "make" usebundle => file_make("$(G.testfile).expected", " -$(s)filerepo DELETE delete-exact-version-2.2.3.i386.rpm +$(s)filerepo DELETE $(single_quote)delete-exact-version-2.2.3.i386.rpm$(single_quote) $(s)filerepo ADD $(q)$(G.cwd)$(d).$(d)07_packages$(d)test_repository$(d)install-greaterthan-version-2.2.3.i386.rpm$(q) $(s)filerepo ADD $(q)$(G.cwd)$(d).$(d)07_packages$(d)test_repository$(d)install-greaterorequal-version-2.2.3.i386.rpm$(q) $(s)filerepo ADD $(q)$(G.cwd)$(d).$(d)07_packages$(d)test_repository$(d)install-lessthan-version-2.2.3.i386.rpm$(q) From 8ff144f7d5aa1c517e5ae91e819ac1daa891a68e Mon Sep 17 00:00:00 2001 From: Ihor Aleksandrychiev Date: Fri, 5 Dec 2025 14:41:26 +0200 Subject: [PATCH 253/255] Changed ChangePasswordHashUsingChpass logging info Removed unnecessary information Ticket: ENT-13573 Signed-off-by: Ihor Aleksandrychiev (cherry picked from commit 7262bf2a4374f7b1fbb8413066a93aa773df17a8) --- cf-agent/verify_users_pam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cf-agent/verify_users_pam.c b/cf-agent/verify_users_pam.c index b5a27f95e9..9b74afc9ab 100644 --- a/cf-agent/verify_users_pam.c +++ b/cf-agent/verify_users_pam.c @@ -680,7 +680,7 @@ static bool ChangePasswordHashUsingChpass(const char *puser, const char *passwor StringAppend(cmd, "\' ", sizeof(cmd)); StringAppend(cmd, puser, sizeof(cmd)); - Log(LOG_LEVEL_VERBOSE, "Changing password hash for user '%s'. (command: '%s')", puser, cmd); + Log(LOG_LEVEL_VERBOSE, "Changing password hash for user '%s' using chpass.", puser); return ExecuteUserCommand(puser, cmd, sizeof(cmd), "changing", "Changing"); } From deb3b2ace111ca7d67138241051cdc844243d7ad Mon Sep 17 00:00:00 2001 From: Ihor Aleksandrychiev Date: Fri, 5 Dec 2025 15:09:20 +0200 Subject: [PATCH 254/255] Do not log executed command by ExecuteUserCommand Signed-off-by: Ihor Aleksandrychiev (cherry picked from commit d950a2571bfaba945e0702c1bf2fadc02e7599da) --- cf-agent/verify_users_pam.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cf-agent/verify_users_pam.c b/cf-agent/verify_users_pam.c index 9b74afc9ab..eaf91419de 100644 --- a/cf-agent/verify_users_pam.c +++ b/cf-agent/verify_users_pam.c @@ -650,19 +650,19 @@ static bool ExecuteUserCommand(const char *puser, const char *cmd, size_t sizeof return false; } - Log(LOG_LEVEL_VERBOSE, "%s user '%s'. (command: '%s')", cap_action_msg, puser, cmd); + Log(LOG_LEVEL_VERBOSE, "ExecuteUserCommand: %s user '%s'.", cap_action_msg, puser); FILE *fptr = cf_popen(cmd, "w", true); if (!fptr) { - Log(LOG_LEVEL_ERR, "Command returned error while %s user '%s'. (Command line: '%s')", action_msg, puser, cmd); + Log(LOG_LEVEL_ERR, "ExecuteUserCommand: returned error while %s user '%s'.", action_msg, puser); return false; } int status = cf_pclose(fptr); if (status) { - Log(LOG_LEVEL_ERR, "'%s' returned non-zero status: %i\n", cmd, status); + Log(LOG_LEVEL_ERR, "ExecuteUserCommand: returned non-zero status: %i\n", status); return false; } From e50d9b2ed225b7eebe8f9029068b1ebf3e3fb558 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Thu, 18 Dec 2025 22:55:29 +0100 Subject: [PATCH 255/255] Bumped .CFVERSION number to 3.21.9 Signed-off-by: Ole Herman Schumacher Elgesem --- .CFVERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.CFVERSION b/.CFVERSION index 8ba17c9ac4..ac3a4bd51e 100644 --- a/.CFVERSION +++ b/.CFVERSION @@ -1 +1 @@ -3.21.8 +3.21.9