puppet 0.24.6 → 0.24.7

data/lib/puppet/type/file/selcontext.rb

@@ -38,18 +38,13 @@ module Puppet
                 return nil
             end
             property_default = self.parse_selinux_context(property, context)
-            self.debug "Found #{property} default '#{property_default}' for #{@resource[:path]}"
+            if not property_default.nil?
+                self.debug "Found #{property} default '#{property_default}' for #{@resource[:path]}"
+            end
             return property_default
         end
 
         def sync
-            unless @resource.stat(false)
-                stat = @resource.stat(true)
-                unless stat
-                    return nil
-                end
-            end
-
             self.set_selinux_context(@resource[:path], @should, name)
             return :file_changed
         end

data/lib/puppet/type/group.rb

@@ -1,28 +1,22 @@
-# Manage Unix groups.  This class is annoyingly complicated; There
-# is some variety in whether systems use 'groupadd' or 'addgroup', but OS X
-# significantly complicates the picture by using NetInfo.  Eventually we
-# will also need to deal with systems that have their groups hosted elsewhere
-# (e.g., in LDAP).  That will likely only be a problem for OS X, since it
-# currently does not use the POSIX interfaces, since lookupd's cache screws
-# things up.
 
 require 'etc'
 require 'facter'
 
 module Puppet
     newtype(:group) do
-        @doc = "Manage groups.  This type can only create groups.  Group
-            membership must be managed on individual users.  This resource type
-            uses the prescribed native tools for creating groups and generally
-            uses POSIX APIs for retrieving information about them.  It does
-            not directly modify ``/etc/group`` or anything.
+        @doc = "Manage groups. On most platforms this can only create groups.
+            Group membership must be managed on individual users.  
             
-            For most platforms, the tools used are ``groupadd`` and its ilk;
-            for Mac OS X, NetInfo is used.  This is currently unconfigurable,
-            but if you desperately need it to be so, please contact us."
+            On some platforms such as OS X, group membership is managed as an
+            attribute of the group, not the user record. Providers must have 
+            the feature 'manages_members' to manage the 'members' property of
+            a group record."
+        
+        feature :manages_members,
+            "For directories where membership is an attribute of groups not users."
 
-        newproperty(:ensure) do
-            desc "The basic state that the object should be in."
+        ensurable do
+            desc "Create or remove the group."
 
             newvalue(:present) do
                 provider.create
@@ -35,33 +29,6 @@ module Puppet
 
                 :group_removed
             end
-
-            # If they're talking about the thing at all, they generally want to
-            # say it should exist.
-            defaultto do
-                if @resource.managed?
-                    :present
-                else
-                    nil
-                end
-            end
-
-            def retrieve
-                return provider.exists? ? :present : :absent
-            end
-
-            # The default 'sync' method only selects among a list of registered
-            # values.
-            def sync
-                unless self.class.values
-                    self.devfail "No values defined for %s" %
-                        self.class.name
-                end
-
-                # Set ourselves to whatever our should value is.
-                self.set(self.should)
-            end
-
         end
 
         newproperty(:gid) do
@@ -100,13 +67,28 @@ module Puppet
                 return gid
             end
         end
+        
+        newproperty(:members, :array_matching => :all, :required_features => :manages_members) do
+            desc "The members of the group. For directory services where group
+            membership is stored in the group objects, not the users."
+            
+            def change_to_s(currentvalue, newvalue)
+                currentvalue = currentvalue.join(",") if currentvalue != :absent
+                newvalue = newvalue.join(",")
+                super(currentvalue, newvalue)
+            end
+        end
+        
+        newparam(:auth_membership) do
+            desc "whether the provider is authoritative for group membership."
+            defaultto true
+        end
 
         newparam(:name) do
             desc "The group name.  While naming limitations vary by
                 system, it is advisable to keep the name to the degenerate
                 limitations, which is a maximum of 8 characters beginning with
                 a letter."
-
             isnamevar
         end
 

data/lib/puppet/type/k5login.rb

@@ -46,7 +46,7 @@ Puppet::Type.newtype(:k5login) do
             write(@resource.should(:principals))
             should_mode = @resource.should(:mode)
             unless self.mode == should_mode
-                self.mode  should_mode
+                self.mode = should_mode
             end
         end
 

data/lib/puppet/type/macauthorization.rb

@@ -0,0 +1,141 @@
+Puppet::Type.newtype(:macauthorization) do
+    
+    @doc = "Manage the Mac OS X authorization database.
+            See:
+            http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Security_Services/chapter_4_section_5.html for more information."
+    
+    ensurable
+    
+    autorequire(:file) do
+        ["/etc/authorization"]
+    end
+    
+    def munge_boolean(value)
+        case value
+        when true, "true", :true:
+            :true
+        when false, "false", :false
+            :false
+        else
+            raise Puppet::Error("munge_boolean only takes booleans")
+        end
+    end
+    
+    newparam(:name) do
+        desc "The name of the right or rule to be managed.
+        Corresponds to 'key' in Authorization Services. The key is the name 
+        of a rule. A key uses the same naming conventions as a right. The 
+        Security Server uses a rule’s key to match the rule with a right. 
+        Wildcard keys end with a ‘.’. The generic rule has an empty key value. 
+        Any rights that do not match a specific rule use the generic rule."
+
+        isnamevar
+    end
+    
+    newproperty(:auth_type) do
+        desc "type - can be a 'right' or a 'rule'. 'comment' has not yet been 
+        implemented."
+        
+        newvalue(:right)
+        newvalue(:rule)
+        # newvalue(:comment)  # not yet implemented.
+    end
+    
+    newproperty(:allow_root, :boolean => true) do
+        desc "Corresponds to 'allow-root' in the authorization store, renamed 
+        due to hyphens being problematic. Specifies whether a right should be 
+        allowed automatically if the requesting process is running with 
+        uid == 0.  AuthorizationServices defaults this attribute to false if 
+        not specified"
+        
+        newvalue(:true)
+        newvalue(:false)
+        
+        munge do |value|
+            @resource.munge_boolean(value)
+        end
+    end
+    
+    newproperty(:authenticate_user, :boolean => true) do
+        desc "Corresponds to 'authenticate-user' in the authorization store, 
+        renamed due to hyphens being problematic."
+        
+        newvalue(:true)
+        newvalue(:false)
+        
+        munge do |value|
+            @resource.munge_boolean(value)
+        end
+    end
+
+    newproperty(:auth_class) do
+        desc "Corresponds to 'class' in the authorization store, renamed due 
+        to 'class' being a reserved word."
+        
+        newvalue(:user)
+        newvalue(:'evaluate-mechanisms')
+    end
+    
+    newproperty(:comment) do
+        desc "The 'comment' attribute for authorization resources."
+    end
+    
+    newproperty(:group) do
+        desc "The user must authenticate as a member of this group. This 
+        attribute can be set to any one group."
+    end
+    
+    newproperty(:k_of_n) do
+        desc "k-of-n. Built-in rights only show a value of '1' or absent, 
+        other values may be acceptable. Undocumented."
+    end
+    
+    newproperty(:mechanisms, :array_matching => :all) do
+        desc "an array of suitable mechanisms."
+    end
+    
+    newproperty(:rule, :array_match => :all) do
+        desc "The rule(s) that this right refers to."
+    end
+
+    newproperty(:session_owner, :boolean => true) do
+        desc "Corresponds to 'session-owner' in the authorization store, 
+        renamed due to hyphens being problematic.  Whether the session owner 
+        automatically matches this rule or right."
+        
+        newvalue(:true)
+        newvalue(:false)
+        
+        munge do |value|
+            @resource.munge_boolean(value)
+        end
+    end
+    
+    newproperty(:shared, :boolean => true) do
+        desc "If this is set to true, then the Security Server marks the
+        credentials used to gain this right as shared. The Security Server 
+        may use any shared credentials to authorize this right. For maximum 
+        security, set sharing to false so credentials stored by the Security 
+        Server for one application may not be used by another application."
+        
+        newvalue(:true)
+        newvalue(:false)
+        
+        munge do |value|
+            @resource.munge_boolean(value)
+        end
+    end
+    
+    newproperty(:timeout) do
+        desc "The credential used by this rule expires in the specified 
+        number of seconds. For maximum security where the user must 
+        authenticate every time, set the timeout to 0. For minimum security, 
+        remove the timeout attribute so the user authenticates only once per 
+        session."
+    end
+    
+    newproperty(:tries) do
+        desc "The number of tries allowed."
+    end
+    
+end

data/lib/puppet/type/mcx.rb

@@ -0,0 +1,115 @@
+#--
+# Copyright (C) 2008 Jeffrey J McCune.
+
+# This program and entire repository is free software; you can
+# redistribute it and/or modify it under the terms of the GNU 
+# General Public License as published by the Free Software 
+# Foundation; either version 2 of the License, or any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+# Author: Jeff McCune <mccune.jeff@gmail.com>
+
+Puppet::Type.newtype(:mcx) do
+
+    @doc = "MCX object management using DirectoryService on OS X.
+
+Original Author: Jeff McCune <mccune.jeff@gmail.com>
+
+The default provider of this type merely manages the XML plist as
+reported by the dscl -mcxexport command.  This is similar to the
+content property of the file type in Puppet.
+
+The recommended method of using this type is to use Work Group Manager
+to manage users and groups on the local computer, record the resulting
+puppet manifest using the command 'ralsh mcx' then deploying this
+to other machines.
+"
+    feature :manages_content, \
+        "The provider can manage MCXSettings as a string.",
+        :methods => [:content, :content=]
+
+    ensurable do
+        desc "Create or remove the MCX setting."
+
+        newvalue(:present) do
+            provider.create
+        end
+
+        newvalue(:absent) do
+            provider.destroy
+        end
+
+    end
+
+    newparam(:name) do
+        desc "The name of the resource being managed.
+        The default naming convention follows Directory Service paths::
+
+          /Computers/localhost
+          /Groups/admin
+          /Users/localadmin
+
+        The ds_type and ds_name type parameters are not necessary if the
+        default naming convention is followed."
+        isnamevar
+    end
+    
+    newparam(:ds_type) do
+
+        desc "The DirectoryService type this MCX setting attaches to."
+
+        newvalues(:user, :group, :computer, :computerlist)
+
+    end
+
+    newparam(:ds_name) do
+        desc "The name to attach the MCX Setting to.
+        e.g. 'localhost' when ds_type => computer. This setting is not
+        required, as it may be parsed so long as the resource name is
+        parseable.  e.g. /Groups/admin where 'group' is the dstype."
+    end
+
+    newproperty(:content, :required_features => :manages_content) do
+        desc "The XML Plist.  The value of MCXSettings in DirectoryService.
+        This is the standard output from the system command:
+        dscl localhost -mcxexport /Local/Default/<ds_type>/<ds_name>
+        Note that ds_type is capitalized and plural in the dscl command."
+    end
+
+    # JJM Yes, this is not DRY at all.  Because of the code blocks
+    # autorequire must be done this way.  I think.
+
+    def setup_autorequire(type)
+        # value returns a Symbol
+        name = value(:name)
+        ds_type = value(:ds_type)
+        ds_name = value(:ds_name)
+        if ds_type == type
+            rval = [ ds_name.to_s ]
+        else
+            rval = [ ]
+        end
+        rval
+    end
+
+    autorequire(:user) do
+        setup_autorequire(:user)
+    end
+
+    autorequire(:group) do
+        setup_autorequire(:group)
+    end
+
+    autorequire(:computer) do
+        setup_autorequire(:computer)
+    end
+
+end

data/lib/puppet/type/mount.rb

@@ -143,7 +143,7 @@ module Puppet
             desc "Whether to dump the mount.  Not all platforms
                 support this. Valid values are ``1`` or ``0``. Default is ``0``."
 
-             newvalue(%r{(0|1)}) { }
+             newvalue(%r{(0|1)})
 
             defaultto {
                 if @resource.managed?

data/lib/puppet/type/nagios_hostdependency.rb

@@ -0,0 +1,3 @@
+require 'puppet/util/nagios_maker'
+
+Puppet::Util::NagiosMaker.create_nagios_type :hostdependency

data/lib/puppet/type/ssh_authorized_key.rb

@@ -38,6 +38,22 @@ module Puppet
                   should be specified as an array."
 
             defaultto do :absent end
+
+            def is_to_s(value)
+                if value == :absent or value.include?(:absent)
+                    super
+                else
+                    value.join(",")
+                end
+            end
+
+            def should_to_s(value)
+                if value == :absent or value.include?(:absent)
+                    super
+                else
+                    value.join(",")
+                end
+            end
         end
 
         autorequire(:user) do

data/lib/puppet/type/tidy.rb

@@ -2,7 +2,10 @@ module Puppet
     newtype(:tidy, :parent => Puppet.type(:file)) do
         @doc = "Remove unwanted files based on specific criteria.  Multiple
             criteria are OR'd together, so a file that is too large but is not
-            old enough will still get tidied."
+            old enough will still get tidied.
+            
+            You must specify either the size or age of the file (or both) for
+            files to be tidied."
 
         newparam(:path) do
             desc "The path to the file or directory to manage.  Must be fully
@@ -41,6 +44,18 @@ module Puppet
             end
 
             def insync?(is)
+                begin
+                    stat = File.lstat(resource[:path])
+                rescue Errno::ENOENT
+                    info "Tidy target does not exist; ignoring"
+                    return true
+                end
+
+                if stat.ftype == "directory" and ! @resource[:rmdirs]
+                    self.debug "Not tidying directories"
+                    return true
+                end
+
                 if is.is_a?(Symbol)
                     if [:absent, :notidy].include?(is)
                         return true
@@ -97,20 +112,17 @@ module Puppet
                 file = @resource[:path]
                 case File.lstat(file).ftype
                 when "directory":
-                    if @resource[:rmdirs]
-                        subs = Dir.entries(@resource[:path]).reject { |d|
-                            d == "." or d == ".."
-                        }.length
-                        if subs > 0
-                            self.info "%s has %s children; not tidying" %
-                                [@resource[:path], subs]
-                            self.info Dir.entries(@resource[:path]).inspect
-                        else
-                            Dir.rmdir(@resource[:path])
-                        end
+                    # If 'rmdirs' is disabled, then we would have never
+                    # gotten to this method.
+                    subs = Dir.entries(@resource[:path]).reject { |d|
+                        d == "." or d == ".."
+                    }.length
+                    if subs > 0
+                        self.info "%s has %s children; not tidying" %
+                            [@resource[:path], subs]
+                        self.info Dir.entries(@resource[:path]).inspect
                     else
-                        self.debug "Not tidying directories"
-                        return nil
+                        Dir.rmdir(@resource[:path])
                     end
                 when "file":
                     @resource.handlebackup(file)
@@ -249,6 +261,23 @@ module Puppet
         newparam(:recurse) do
             desc "If target is a directory, recursively descend
                 into the directory looking for files to tidy."
+
+            newvalues(:true, :false, :inf, /^[0-9]+$/)
+
+            # Replace the validation so that we allow numbers in
+            # addition to string representations of them.
+            validate { |arg| }
+            munge do |value|
+                newval = super(value)
+                case newval
+                when :true, :inf: true
+                when :false: false
+                when Integer, Fixnum, Bignum: value
+                when /^\d+$/: Integer(value)
+                else
+                    raise ArgumentError, "Invalid recurse value %s" % value.inspect
+                end
+            end
         end
 
         newparam(:rmdirs) do