puppet 2.6.1 → 2.6.2

data/lib/puppet/parser/resource.rb

@@ -64,6 +64,7 @@ class Puppet::Parser::Resource < Puppet::Resource
 
   # Retrieve the associated definition and evaluate it.
   def evaluate
+    return if evaluated?
     @evaluated = true
     if klass = resource_type and ! builtin_type?
       finish
@@ -93,6 +94,7 @@ class Puppet::Parser::Resource < Puppet::Resource
     @finished = true
     add_defaults
     add_metaparams
+    add_scope_tags
     validate
   end
 
@@ -259,6 +261,12 @@ class Puppet::Parser::Resource < Puppet::Resource
     end
   end
 
+  def add_scope_tags
+    if scope_resource = scope.resource
+      tag(*scope_resource.tags)
+    end
+  end
+
   # Accept a parameter from an override.
   def override_parameter(param)
     # This can happen if the override is defining a new parameter, rather

data/lib/puppet/parser/type_loader.rb

@@ -3,25 +3,56 @@ require 'puppet/node/environment'
 class Puppet::Parser::TypeLoader
   include Puppet::Node::Environment::Helper
 
-  class Helper < Hash
+  # Helper class that makes sure we don't try to import the same file
+  # more than once from either the same thread or different threads.
+  class Helper
     include MonitorMixin
-    def done_with(item)
-      synchronize do
-        delete(item)[:busy].signal if self.has_key?(item) and self[item][:loader] == Thread.current
-      end
+    def initialize
+      super
+      # These hashes are indexed by filename
+      @state = {} # :doing or :done
+      @thread = {} # if :doing, thread that's doing the parsing
+      @cond_var = {} # if :doing, condition var that will be signaled when done.
     end
-    def owner_of(item)
-      synchronize do
-        if !self.has_key? item
-          self[item] = { :loader => Thread.current, :busy => self.new_cond}
-          :nobody
-        elsif self[item][:loader] == Thread.current
-          :this_thread
+
+    # Execute the supplied block exactly once per file, no matter how
+    # many threads have asked for it to run.  If another thread is
+    # already executing it, wait for it to finish.  If this thread is
+    # already executing it, return immediately without executing the
+    # block.
+    #
+    # Note: the reason for returning immediately if this thread is
+    # already executing the block is to handle the case of a circular
+    # import--when this happens, we attempt to recursively re-parse a
+    # file that we are already in the process of parsing.  To prevent
+    # an infinite regress we need to simply do nothing when the
+    # recursive import is attempted.
+    def do_once(file)
+      need_to_execute = synchronize do
+        case @state[file]
+        when :doing
+          if @thread[file] != Thread.current
+            @cond_var[file].wait
+          end
+          false
+        when :done
+          false
         else
-          flag = self[item][:busy]
-          flag.wait
-          flag.signal
-          :another_thread
+          @state[file] = :doing
+          @thread[file] = Thread.current
+          @cond_var[file] = new_cond
+          true
+        end
+      end
+      if need_to_execute
+        begin
+          yield
+        ensure
+          synchronize do
+            @state[file] = :done
+            @thread.delete(file)
+            @cond_var.delete(file).broadcast
+          end
         end
       end
     end
@@ -51,8 +82,7 @@ class Puppet::Parser::TypeLoader
       unless file =~ /^#{File::SEPARATOR}/
         file = File.join(dir, file)
       end
-      unless imported? file
-        @imported[file] = true
+      @loading_helper.do_once(file) do
         parse_file(file)
       end
     end
@@ -60,27 +90,20 @@ class Puppet::Parser::TypeLoader
     modname
   end
 
-  def imported?(file)
-    @imported.has_key?(file)
-  end
-
   def known_resource_types
     environment.known_resource_types
   end
 
   def initialize(env)
     self.environment = env
-    @loaded = {}
-    @loading = Helper.new
-
-    @imported = {}
+    @loading_helper = Helper.new
   end
 
   def load_until(namespaces, name)
     return nil if name == "" # special-case main.
     name2files(namespaces, name).each do |filename|
       modname = begin
-        import_if_possible(filename)
+        import(filename)
       rescue Puppet::ImportError => detail
         # We couldn't load the item
         # I'm not convienced we should just drop these errors, but this
@@ -96,10 +119,6 @@ class Puppet::Parser::TypeLoader
     nil
   end
 
-  def loaded?(name)
-    @loaded.include?(name)
-  end
-
   def name2files(namespaces, name)
     return [name.sub(/^::/, '').gsub("::", File::SEPARATOR)] if name =~ /^::/
 
@@ -126,21 +145,4 @@ class Puppet::Parser::TypeLoader
     parser.file = file
     parser.parse
   end
-
-  # Utility method factored out of load for handling thread-safety.
-  # This isn't tested in the specs, because that's basically impossible.
-  def import_if_possible(file, current_file = nil)
-    @loaded[file] || begin
-      case @loading.owner_of(file)
-      when :this_thread
-        nil
-      when :another_thread
-        import_if_possible(file,current_file)
-      when :nobody
-        @loaded[file] = import(file,current_file)
-      end
-    ensure
-      @loading.done_with(file)
-    end
-  end
 end

data/lib/puppet/provider/nameservice.rb

@@ -165,6 +165,7 @@ class Puppet::Provider::NameService < Puppet::Provider
 
     begin
       execute(self.addcmd)
+      execute(self.passcmd) if self.feature? :manages_password_age
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, "Could not create #{@resource.class.name} #{@resource.name}: #{detail}"
     end

data/lib/puppet/provider/nameservice/objectadd.rb

@@ -13,7 +13,8 @@ class ObjectAdd < Puppet::Provider::NameService
   end
 
   def modifycmd(param, value)
-    cmd = [command(:modify), flag(param), value]
+    cmd = [command(param.to_s =~ /password_.+_age/ ? :password : :modify)]
+    cmd << flag(param) << value
     if @resource.allowdupe? && ((param == :uid) || (param == :gid and self.class.name == :groupadd))
       cmd << "-o"
     end

data/lib/puppet/provider/service/freebsd.rb

@@ -78,7 +78,7 @@ Puppet::Type.type(:service).provide :freebsd, :parent => :init do
 
   # Add a new setting to the rc files
   def rc_add(service, rcvar, yesno)
-    append = "\n\# Added by Puppet\n#{rcvar}_enable=\"#{yesno}\""
+    append = "\# Added by Puppet\n#{rcvar}_enable=\"#{yesno}\"\n"
     # First, try the one-file-per-service style
     if File.exists?(@@rcconf_dir)
       File.open(@@rcconf_dir + "/#{service}", File::WRONLY | File::APPEND | File::CREAT, 0644) {

data/lib/puppet/provider/service/launchd.rb

@@ -38,6 +38,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
 
   commands :launchctl => "/bin/launchctl"
   commands :sw_vers => "/usr/bin/sw_vers"
+  commands :plutil => "/usr/bin/plutil"
 
   defaultfor :operatingsystem => :darwin
   confine :operatingsystem => :darwin
@@ -52,6 +53,12 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   Launchd_Overrides = "/var/db/launchd.db/com.apple.launchd/overrides.plist"
 
 
+  # Read a plist, whether its format is XML or in Apple's "binary1"
+  # format.
+  def self.read_plist(path)
+    Plist::parse_xml(plutil('-convert', 'xml1', '-o', '-', path))
+  end
+
   # returns a label => path map for either all jobs, or just a single
   # job if the label is specified
   def self.jobsearch(label=nil)
@@ -62,8 +69,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
           next if f =~ /^\..*$/
           next if FileTest.directory?(f)
           fullpath = File.join(path, f)
-          job = Plist::parse_xml(fullpath)
-          if job and job.has_key?("Label")
+          if FileTest.file?(fullpath) and job = read_plist(fullpath) and job.has_key?("Label")
             if job["Label"] == label
               return { label => fullpath }
             else
@@ -118,8 +124,11 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   def plist_from_label(label)
     job = self.class.jobsearch(label)
     job_path = job[label]
-    job_plist = Plist::parse_xml(job_path)
-    raise Puppet::Error.new("Unable to parse launchd plist at path: #{job_path}") if not job_plist
+    if FileTest.file?(job_path)
+      job_plist = self.class.read_plist(job_path)
+    else
+      raise Puppet::Error.new("Unable to parse launchd plist at path: #{job_path}")
+    end
     [job_path, job_plist]
   end
 
@@ -200,9 +209,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
     job_plist_disabled = job_plist["Disabled"] if job_plist.has_key?("Disabled")
 
     if self.class.get_macosx_version_major == "10.6":
-      overrides = Plist::parse_xml(Launchd_Overrides)
-
-      unless overrides.nil?
+      if FileTest.file?(Launchd_Overrides) and overrides = self.class.read_plist(Launchd_Overrides)
         if overrides.has_key?(resource[:name])
           overrides_disabled = overrides[resource[:name]]["Disabled"] if overrides[resource[:name]].has_key?("Disabled")
         end
@@ -227,7 +234,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   # versions this is stored in the job plist itself.
   def enable
     if self.class.get_macosx_version_major == "10.6"
-      overrides = Plist::parse_xml(Launchd_Overrides)
+      overrides = self.class.read_plist(Launchd_Overrides)
       overrides[resource[:name]] = { "Disabled" => false }
       Plist::Emit.save_plist(overrides, Launchd_Overrides)
     else
@@ -242,7 +249,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
 
   def disable
     if self.class.get_macosx_version_major == "10.6"
-      overrides = Plist::parse_xml(Launchd_Overrides)
+      overrides = self.class.read_plist(Launchd_Overrides)
       overrides[resource[:name]] = { "Disabled" => true }
       Plist::Emit.save_plist(overrides, Launchd_Overrides)
     else

data/lib/puppet/provider/ssh_authorized_key/parsed.rb

@@ -61,6 +61,13 @@ require 'puppet/provider/parsedfile'
       Dir.mkdir(dir, dir_perm)
       File.chown(uid, nil, dir)
     end
+
+    # ParsedFile usually calls backup_target much later in the flush process,
+    # but our SUID makes that fail to open filebucket files for writing.
+    # Fortunately, there's already logic to make sure it only ever happens once,
+    # so calling it here supresses the later attempt by our superclass's flush method.
+    self.class.backup_target(target)
+
     Puppet::Util::SUIDManager.asuser(@resource.should(:user)) { super }
     File.chown(uid, nil, target)
     File.chmod(file_perm, target)

data/lib/puppet/provider/user/hpux.rb

@@ -26,5 +26,4 @@ Puppet::Type.type(:user).provide :hpuxuseradd, :parent => :useradd do
   def modifycmd(param,value)
     super.insert(1,"-F")
   end
-
 end

data/lib/puppet/provider/user/user_role_add.rb

@@ -6,13 +6,15 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
 
   defaultfor :operatingsystem => :solaris
 
-  commands :add => "useradd", :delete => "userdel", :modify => "usermod", :role_add => "roleadd", :role_delete => "roledel", :role_modify => "rolemod"
+  commands :add => "useradd", :delete => "userdel", :modify => "usermod", :password => "chage", :role_add => "roleadd", :role_delete => "roledel", :role_modify => "rolemod"
   options :home, :flag => "-d", :method => :dir
   options :comment, :method => :gecos
   options :groups, :flag => "-G"
   options :roles, :flag => "-R"
   options :auths, :flag => "-A"
   options :profiles, :flag => "-P"
+  options :password_min_age, :flag => "-m"
+  options :password_max_age, :flag => "-M"
 
   verify :gid, "GID must be an integer" do |value|
     value.is_a? Integer
@@ -22,14 +24,14 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
     value !~ /\s/
   end
 
-  has_features :manages_homedir, :allows_duplicates, :manages_solaris_rbac, :manages_passwords
+  has_features :manages_homedir, :allows_duplicates, :manages_solaris_rbac, :manages_passwords, :manages_password_age
 
   #must override this to hand the keyvalue pairs
   def add_properties
     cmd = []
     Puppet::Type.type(:user).validproperties.each do |property|
       #skip the password because we can't create it with the solaris useradd
-      next if [:ensure, :password].include?(property)
+      next if [:ensure, :password, :password_min_age, :password_max_age].include?(property)
       # 1680 Now you can set the hashed passwords on solaris:lib/puppet/provider/user/user_role_add.rb
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
@@ -79,6 +81,7 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
       run(transition("normal"), "transition role to")
     else
       run(addcmd, "create")
+      run(passcmd, "change password policy for")
     end
     # added to handle case when password is specified
     self.password = @resource[:password] if @resource[:password]
@@ -140,14 +143,23 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
     run([command(:modify)] + build_keys_cmd(keys_hash) << @resource[:name], "modify attribute key pairs")
   end
 
-  #Read in /etc/shadow, find the line for this user (skipping comments, because who knows) and return the hashed pw (the second entry)
+  #Read in /etc/shadow, find the line for this user (skipping comments, because who knows) and return it
   #No abstraction, all esoteric knowledge of file formats, yay
+  def shadow_entry
+    return @shadow_entry if defined? @shadow_entry
+    @shadow_entry = File.readlines("/etc/shadow").reject { |r| r =~ /^[^\w]/ }.collect { |l| l.chomp.split(':') }.find { |user, _| user == @resource[:name] }
+  end
+
   def password
-    #got perl?
-    if ary = File.readlines("/etc/shadow").reject { |r| r =~ /^[^\w]/}.collect { |l| l.split(':')[0..1] }.find { |user, passwd| user == @resource[:name] }
-      pass = ary[1]
-    end
-    pass
+    shadow_entry[1] if shadow_entry
+  end
+
+  def min_age
+    shadow_entry ? shadow_entry[3] : :absent
+  end
+
+  def max_age
+    shadow_entry ? shadow_entry[4] : :absent
   end
 
   #Read in /etc/shadow, find the line for our used and rewrite it with the new pw

data/lib/puppet/provider/user/useradd.rb

@@ -3,11 +3,13 @@ require 'puppet/provider/nameservice/objectadd'
 Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameService::ObjectAdd do
   desc "User management via `useradd` and its ilk.  Note that you will need to install the `Shadow Password` Ruby library often known as ruby-libshadow to manage user passwords."
 
-  commands :add => "useradd", :delete => "userdel", :modify => "usermod"
+  commands :add => "useradd", :delete => "userdel", :modify => "usermod", :password => "chage"
 
   options :home, :flag => "-d", :method => :dir
   options :comment, :method => :gecos
   options :groups, :flag => "-G"
+  options :password_min_age, :flag => "-m"
+  options :password_max_age, :flag => "-M"
 
   verify :gid, "GID must be an integer" do |value|
     value.is_a? Integer
@@ -17,9 +19,9 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     value !~ /\s/
   end
 
-  has_features :manages_homedir, :allows_duplicates
+  has_features :manages_homedir, :allows_duplicates, :manages_expiry
 
-  has_feature :manages_passwords if Puppet.features.libshadow?
+  has_features :manages_passwords, :manages_password_age if Puppet.features.libshadow?
 
   def check_allow_dup
     @resource.allowdupe? ? ["-o"] : []
@@ -35,10 +37,20 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     cmd
   end
 
+  def check_manage_expiry
+    cmd = []
+    if @resource[:expiry]
+      cmd << "-e #{@resource[:expiry]}"
+    end
+
+    cmd
+  end
+
   def add_properties
     cmd = []
     Puppet::Type.type(:user).validproperties.each do |property|
       next if property == :ensure
+      next if property.to_s =~ /password_.+_age/
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
       if value = @resource.should(property) and value != ""
@@ -53,9 +65,38 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     cmd += add_properties
     cmd += check_allow_dup
     cmd += check_manage_home
+    cmd += check_manage_expiry
     cmd << @resource[:name]
   end
 
+  def passcmd
+    cmd = [command(:password)]
+    [:password_min_age, :password_max_age].each do |property|
+      if value = @resource.should(property)
+        cmd << flag(property) << value
+      end
+    end
+    cmd << @resource[:name]
+  end
+
+  def min_age
+    if Puppet.features.libshadow?
+      if ent = Shadow::Passwd.getspnam(@resource.name)
+        return ent.sp_min
+      end
+    end
+    :absent
+  end
+
+  def max_age
+    if Puppet.features.libshadow?
+      if ent = Shadow::Passwd.getspnam(@resource.name)
+        return ent.sp_max
+      end
+    end
+    :absent
+  end
+
   # Retrieve the password using the Shadow Password library
   def password
     if Puppet.features.libshadow?