puppet 0.24.6 → 0.24.7

data/lib/puppet/provider/computer/computer.rb

@@ -0,0 +1,22 @@
+require 'puppet/provider/nameservice/directoryservice'
+
+Puppet::Type.type(:computer).provide :directoryservice, :parent => Puppet::Provider::NameService::DirectoryService do
+    desc "Computer object management using DirectoryService on OS X.
+    Note that these are distinctly different kinds of objects to 'hosts',
+    as they require a MAC address and can have all sorts of policy attached to
+    them.
+    
+    This provider only manages Computer objects in the local directory service
+    domain, not in remote directories.
+    
+    If you wish to manage /etc/hosts on Mac OS X, then simply use the host
+    type as per other platforms.
+
+    "
+
+    confine :operatingsystem => :darwin
+    defaultfor :operatingsystem => :darwin
+    
+    # hurray for abstraction. The nameservice directoryservice provider can
+    # handle everything we need. super.
+end

data/lib/puppet/provider/confine.rb

@@ -42,6 +42,9 @@ class Puppet::Provider::Confine
         for_binary
     end
 
+    # Used for logging.
+    attr_accessor :label
+
     def initialize(values)
         values = [values] unless values.is_a?(Array)
         @values = values
@@ -61,7 +64,7 @@ class Puppet::Provider::Confine
     def valid?
         values.each do |value|
             unless pass?(value)
-                Puppet.debug message(value)
+                Puppet.debug(label + ": " + message(value))
                 return false
             end
         end

data/lib/puppet/provider/confine/variable.rb

@@ -24,8 +24,13 @@ class Puppet::Provider::Confine::Variable < Puppet::Provider::Confine
         @facter_value
     end
 
+    def initialize(values)
+        super
+        @values = @values.collect { |v| v.to_s.downcase }
+    end
+
     def message(value)
-        "facter value '%s' for '%s' not in required list '%s'" % [value, self.name, values.join(",")]
+        "facter value '%s' for '%s' not in required list '%s'" % [test_value, self.name, values.join(",")]
     end
 
     # Compare the passed-in value to the retrieved value.
@@ -35,10 +40,16 @@ class Puppet::Provider::Confine::Variable < Puppet::Provider::Confine
 
     def reset
         # Reset the cache.  We want to cache it during a given
-        # run, but across runs.
+        # run, but not across runs.
         @facter_value = nil
     end
 
+    def valid?
+        @values.include?(test_value.to_s.downcase)
+    ensure
+        reset
+    end
+
     private
 
     def setting?

data/lib/puppet/provider/confine_collection.rb

@@ -19,10 +19,13 @@ class Puppet::Provider::ConfineCollection
                 confine.name = test
                 @confines << confine
             end
+            @confines[-1].label = self.label
         end
     end
 
-    def initialize
+    attr_reader :label
+    def initialize(label)
+        @label = label
         @confines = []
     end
 

data/lib/puppet/provider/confiner.rb

@@ -7,7 +7,7 @@ module Puppet::Provider::Confiner
 
     def confine_collection
         unless defined?(@confine_collection)
-            @confine_collection = Puppet::Provider::ConfineCollection.new
+            @confine_collection = Puppet::Provider::ConfineCollection.new(self.to_s)
         end
         @confine_collection
     end

data/lib/puppet/provider/group/directoryservice.rb

@@ -15,9 +15,12 @@
 require 'puppet/provider/nameservice/directoryservice'
 
 Puppet::Type.type(:group).provide :directoryservice, :parent => Puppet::Provider::NameService::DirectoryService do
-    desc "Group management using DirectoryService on OS X."
-    
+    desc "Group management using DirectoryService on OS X.
+
+  "
+        
     commands :dscl => "/usr/bin/dscl"
     confine :operatingsystem => :darwin
-    #defaultfor :operatingsystem => :darwin
+    defaultfor :operatingsystem => :darwin
+    has_feature :manages_members
 end

data/lib/puppet/provider/group/groupadd.rb

@@ -1,8 +1,11 @@
 require 'puppet/provider/nameservice/objectadd'
 
 Puppet::Type.type(:group).provide :groupadd, :parent => Puppet::Provider::NameService::ObjectAdd do
-    desc "Group management via ``groupadd`` and its ilk.  The default
-        for most platforms"
+    desc "Group management via ``groupadd`` and its ilk.
+
+    The default for most platforms
+
+  "
 
     commands :add => "groupadd", :delete => "groupdel", :modify => "groupmod"
 

data/lib/puppet/provider/group/ldap.rb

@@ -1,16 +1,18 @@
 require 'puppet/provider/ldap'
 
 Puppet::Type.type(:group).provide :ldap, :parent => Puppet::Provider::Ldap do
-    desc "Group management via ``ldap``.  This provider requires that you
-        have valid values for all of the ldap-related settings,
-        including ``ldapbase``.  You will also almost definitely need settings
-        for ``ldapuser`` and ``ldappassword``, so that your clients can write
-        to ldap.
+    desc "Group management via ``ldap``.
+
+    This provider requires that you have valid values for all of the
+    ldap-related settings, including ``ldapbase``.  You will also almost
+    definitely need settings for ``ldapuser`` and ``ldappassword``, so that
+    your clients can write to ldap.
         
-        Note that this provider will automatically generate a GID for you if
-        you do not specify one, but it is a potentially expensive operation,
-        as it iterates across all existing groups to pick the appropriate next
-        one."
+    Note that this provider will automatically generate a GID for you if you do
+    not specify one, but it is a potentially expensive operation, as it
+    iterates across all existing groups to pick the appropriate next one.
+
+  "
 
     confine :true => Puppet.features.ldap?, :false => (Puppet[:ldapuser] == "")
 

data/lib/puppet/provider/group/netinfo.rb

@@ -1,11 +1,15 @@
-# Manage NetInfo POSIX objects.  Probably only used on OS X, but I suppose
-# it could be used elsewhere.
+# Manage NetInfo POSIX objects.
+#
+# This provider has been deprecated. You should be using the directoryservice
+# nameservice provider instead.
+
 require 'puppet/provider/nameservice/netinfo'
 
 Puppet::Type.type(:group).provide :netinfo, :parent => Puppet::Provider::NameService::NetInfo do
-    desc "Group management using NetInfo."
+    desc "Group management using NetInfo.
+
+  "
     commands :nireport => "nireport", :niutil => "niutil"
 
-    defaultfor :operatingsystem => :darwin
 end
 

data/lib/puppet/provider/group/pw.rb

@@ -1,7 +1,11 @@
 require 'puppet/provider/nameservice/pw'
 
 Puppet::Type.type(:group).provide :pw, :parent => Puppet::Provider::NameService::PW do
-    desc "Group management via ``pw``.  Only works on FreeBSD."
+    desc "Group management via ``pw``.
+
+    Only works on FreeBSD.
+
+  "
 
     commands :pw => "/usr/sbin/pw"
     defaultfor :operatingsystem => :freebsd

data/lib/puppet/provider/host/netinfo.rb

@@ -4,8 +4,11 @@ require 'puppet/provider/nameservice/netinfo'
 
 Puppet::Type.type(:host).provide :netinfo, :parent => Puppet::Provider::NameService::NetInfo,
     :netinfodir => "machines" do
-    desc "Host management in NetInfo.  This provider is highly experimental and is known
-        not to work currently."
+    desc "Host management in NetInfo.
+
+    This provider is highly experimental and is known not to work currently.
+
+  "
     commands :nireport => "nireport", :niutil => "niutil"
     commands :mountcmd => "mount", :umount => "umount", :df => "df"
 

data/lib/puppet/provider/macauthorization/macauthorization.rb

@@ -0,0 +1,315 @@
+require 'facter'
+require 'facter/util/plist'
+require 'puppet'
+require 'tempfile'
+
+Puppet::Type.type(:macauthorization).provide :macauthorization, :parent => Puppet::Provider do
+
+    desc "Manage Mac OS X authorization database rules and rights.
+
+  "
+
+    commands :security => "/usr/bin/security"
+    commands :sw_vers => "/usr/bin/sw_vers"
+    
+    confine :operatingsystem => :darwin
+    
+    # This should be confined based on macosx_productversion once
+    # http://projects.reductivelabs.com/issues/show/1796 
+    # is resolved.
+    if FileTest.exists?("/usr/bin/sw_vers")
+        product_version = sw_vers "-productVersion"
+    
+        confine :true => if /^10.5/.match(product_version) or /^10.6/.match(product_version)
+            true
+        end
+    end
+       
+    defaultfor :operatingsystem => :darwin
+    
+    AuthDB = "/etc/authorization"
+    
+    @rights = {}
+    @rules = {}
+    @parsed_auth_db = {}
+    @comment = ""  # Not implemented yet. Is there any real need to?
+    
+    # This map exists due to the use of hyphens and reserved words in
+    # the authorization schema.
+    PuppetToNativeAttributeMap = {  :allow_root => "allow-root",
+                                    :authenticate_user => "authenticate-user",                                    
+                                    :auth_class => "class",
+                                    :k_of_n => "k-of-n",
+                                    :session_owner => "session-owner", }
+    
+    class << self
+        attr_accessor :parsed_auth_db
+        attr_accessor :rights
+        attr_accessor :rules
+        attr_accessor :comments  # Not implemented yet.
+    
+        def prefetch(resources)
+            self.populate_rules_rights
+        end
+    
+        def instances
+            if self.parsed_auth_db == {}
+                self.prefetch(nil)
+            end
+            self.parsed_auth_db.collect do |k,v|
+                new(:name => k)
+            end
+        end
+    
+        def populate_rules_rights
+            auth_plist = Plist::parse_xml(AuthDB)
+            if not auth_plist
+                raise Puppet::Error.new("Cannot parse: #{AuthDB}")
+            end
+            self.rights = auth_plist["rights"].dup
+            self.rules = auth_plist["rules"].dup
+            self.parsed_auth_db = self.rights.dup
+            self.parsed_auth_db.merge!(self.rules.dup)
+        end
+    
+    end
+    
+    # standard required provider instance methods
+    
+    def initialize(resource)
+        if self.class.parsed_auth_db == {}
+            self.class.prefetch(resource)
+        end
+        super
+    end
+    
+    
+    def create
+        # we just fill the @property_hash in here and let the flush method 
+        # deal with it rather than repeating code.
+        new_values = {}
+        validprops = Puppet::Type.type(resource.class.name).validproperties
+        validprops.each do |prop|
+            next if prop == :ensure
+            if value = resource.should(prop) and value != ""
+                new_values[prop] = value
+            end
+        end
+        @property_hash = new_values.dup
+    end
+
+    def destroy
+        # We explicitly delete here rather than in the flush method.
+        case resource[:auth_type]
+        when :right
+            destroy_right
+        when :rule
+            destroy_rule
+        else
+            raise Puppet::Error.new("Must specify auth_type when destroying.")
+        end
+    end
+    
+    def exists?
+        if self.class.parsed_auth_db.has_key?(resource[:name])
+            return true
+        else
+            return false
+        end
+    end
+    
+    
+    def flush
+        # deletion happens in the destroy methods
+        if resource[:ensure] != :absent
+            case resource[:auth_type]
+            when :right
+                flush_right
+            when :rule
+                flush_rule
+            else
+                raise Puppet::Error.new("flush requested for unknown type.")
+            end
+            @property_hash.clear
+        end
+    end
+    
+    
+    # utility methods below
+    
+    def destroy_right
+        security "authorizationdb", :remove, resource[:name]
+    end
+    
+    def destroy_rule
+        authdb = Plist::parse_xml(AuthDB)
+        authdb_rules = authdb["rules"].dup
+        if authdb_rules[resource[:name]]
+            begin
+                authdb["rules"].delete(resource[:name])
+                Plist::Emit.save_plist(authdb, AuthDB)
+            rescue Errno::EACCES => e
+                raise Puppet::Error.new("Error saving #{AuthDB}: #{e}")
+            end
+        end
+    end
+    
+    def flush_right
+        # first we re-read the right just to make sure we're in sync for 
+        # values that weren't specified in the manifest. As we're supplying 
+        # the whole plist when specifying the right it seems safest to be 
+        # paranoid given the low cost of quering the db once more.
+        cmds = [] 
+        cmds << :security << "authorizationdb" << "read" << resource[:name]
+        output = execute(cmds, :combine => false)
+        current_values = Plist::parse_xml(output)
+        if current_values.nil?
+            current_values = {}
+        end
+        specified_values = convert_plist_to_native_attributes(@property_hash)
+
+        # take the current values, merge the specified values to obtain a 
+        # complete description of the new values.
+        new_values = current_values.merge(specified_values)
+        set_right(resource[:name], new_values)
+    end
+    
+    def flush_rule
+        authdb = Plist::parse_xml(AuthDB)
+        authdb_rules = authdb["rules"].dup
+        current_values = {}
+        if authdb_rules[resource[:name]]
+            current_values = authdb_rules[resource[:name]]
+        end
+        specified_values = convert_plist_to_native_attributes(@property_hash)
+        new_values = current_values.merge(specified_values)
+        set_rule(resource[:name], new_values)
+    end
+    
+    def set_right(name, values)
+        # Both creates and modifies rights as it simply overwrites them.
+        # The security binary only allows for writes using stdin, so we
+        # dump the values to a tempfile.
+        values = convert_plist_to_native_attributes(values)
+        tmp = Tempfile.new('puppet_macauthorization')
+        begin
+            Plist::Emit.save_plist(values, tmp.path)
+            cmds = [] 
+            cmds << :security << "authorizationdb" << "write" << name
+            output = execute(cmds, :combine => false,
+                             :stdinfile => tmp.path.to_s)
+        rescue Errno::EACCES => e
+            raise Puppet::Error.new("Cannot save right to #{tmp.path}: #{e}")
+        ensure
+            tmp.close
+            tmp.unlink
+        end
+    end
+    
+    def set_rule(name, values)
+        # Both creates and modifies rules as it overwrites the entry in the 
+        # rules dictionary.  Unfortunately the security binary doesn't 
+        # support modifying rules at all so we have to twiddle the whole 
+        # plist... :( See Apple Bug #6386000
+        values = convert_plist_to_native_attributes(values)
+        authdb = Plist::parse_xml(AuthDB)
+        authdb["rules"][name] = values
+
+        begin
+            Plist::Emit.save_plist(authdb, AuthDB)
+        rescue
+            raise Puppet::Error.new("Error writing to: #{AuthDB}")
+        end
+    end
+    
+    def convert_plist_to_native_attributes(propertylist)
+        # This mainly converts the keys from the puppet attributes to the
+        # 'native' ones, but also enforces that the keys are all Strings 
+        # rather than Symbols so that any merges of the resultant Hash are 
+        # sane.
+        newplist = {}
+        propertylist.each_pair do |key, value|
+            next if key == :ensure     # not part of the auth db schema.
+            next if key == :auth_type  # not part of the auth db schema.
+            new_key = key
+            if PuppetToNativeAttributeMap.has_key?(key)
+                new_key = PuppetToNativeAttributeMap[key].to_s
+            elsif not key.is_a?(String)
+                new_key = key.to_s
+            end
+            newplist[new_key] = value
+        end
+        newplist
+    end
+    
+    def retrieve_value(resource_name, attribute)
+        
+        if not self.class.parsed_auth_db.has_key?(resource_name)
+            raise Puppet::Error.new("Cannot find #{resource_name} in auth db")
+        end
+       
+        if PuppetToNativeAttributeMap.has_key?(attribute)
+            native_attribute = PuppetToNativeAttributeMap[attribute]
+        else
+            native_attribute = attribute.to_s
+        end
+
+        if self.class.parsed_auth_db[resource_name].has_key?(native_attribute)
+            value = self.class.parsed_auth_db[resource_name][native_attribute]
+            case value
+            when true, "true", :true
+                value = :true
+            when false, "false", :false
+                value = :false
+            end
+
+            @property_hash[attribute] = value
+            return value
+        else
+            @property_hash.delete(attribute)
+            return ""  # so ralsh doesn't display it.
+        end
+    end
+    
+    
+    # property methods below
+    #
+    # We define them all dynamically apart from auth_type which is a special
+    # case due to not being in the actual authorization db schema.
+    
+    properties = [  :allow_root, :authenticate_user, :auth_class, :comment,
+                    :group, :k_of_n, :mechanisms, :rule, :session_owner,
+                    :shared, :timeout, :tries ]
+
+    properties.each do |field|
+        define_method(field.to_s) do
+            retrieve_value(resource[:name], field)
+        end
+
+        define_method(field.to_s + "=") do |value|
+            @property_hash[field] = value
+        end
+    end
+    
+    def auth_type
+        if resource.should(:auth_type) != nil
+            return resource.should(:auth_type)
+        elsif self.exists?
+            # this is here just for ralsh, so it can work out what type it is.
+            if self.class.rights.has_key?(resource[:name])
+                return :right
+            elsif self.class.rules.has_key?(resource[:name])
+                return :rule
+            else
+                raise Puppet::Error.new("#{resource[:name]} is unknown type.")
+            end
+        else
+            raise Puppet::Error.new("auth_type required for new resources.")
+        end
+    end
+    
+    def auth_type=(value)
+        @property_hash[:auth_type] = value
+    end
+    
+end