puppet 2.7.9 → 2.7.11

data/lib/puppet/provider/augeas/augeas.rb

@@ -17,10 +17,12 @@ require 'augeas' if Puppet.features.augeas?
 require 'strscan'
 require 'puppet/util'
 require 'puppet/util/diff'
+require 'puppet/util/package'
 
 Puppet::Type.type(:augeas).provide(:augeas) do
   include Puppet::Util
   include Puppet::Util::Diff
+  include Puppet::Util::Package
 
   confine :true => Puppet.features.augeas?
 
@@ -149,7 +151,7 @@ Puppet::Type.type(:augeas).provide(:augeas) do
       debug("Opening augeas with root #{root}, lens path #{load_path}, flags #{flags}")
       @aug = Augeas::open(root, load_path,flags)
 
-      debug("Augeas version #{get_augeas_version} is installed") if get_augeas_version >= "0.3.6"
+      debug("Augeas version #{get_augeas_version} is installed") if versioncmp(get_augeas_version, "0.3.6") >= 0
 
       if resource[:incl]
         aug.set("/augeas/load/Xfm/lens", resource[:lens])
@@ -285,7 +287,7 @@ Puppet::Type.type(:augeas).provide(:augeas) do
         # If we have a verison of augeas which is at least 0.3.6 then we
         # can make the changes now, see if changes were made, and
         # actually do the save.
-        if return_value and get_augeas_version >= "0.3.6"
+        if return_value and versioncmp(get_augeas_version, "0.3.6") >= 0
           debug("Will attempt to save and only run if files changed")
           set_augeas_save_mode(SAVE_NEWFILE)
           do_execute_changes
@@ -325,7 +327,7 @@ Puppet::Type.type(:augeas).provide(:augeas) do
     begin
       open_augeas
       saved_files = @aug.match("/augeas/events/saved")
-      if saved_files
+      unless saved_files.empty?
         saved_files.each do |key|
           root = resource[:root].sub(/^\/$/, "")
           saved_file = @aug.get(key).to_s.sub(/^\/files/, root)
@@ -337,7 +339,7 @@ Puppet::Type.type(:augeas).provide(:augeas) do
         end
       else
         debug("No saved files, re-executing augeas")
-        set_augeas_save_mode(SAVE_OVERWRITE) if get_augeas_version >= "0.3.6"
+        set_augeas_save_mode(SAVE_OVERWRITE) if versioncmp(get_augeas_version, "0.3.6") >= 0
         do_execute_changes
         success = @aug.save
         fail("Save failed with return code #{success}") if success != true

data/lib/puppet/provider/group/pw.rb

@@ -1,34 +1,48 @@
 require 'puppet/provider/nameservice/pw'
 
 Puppet::Type.type(:group).provide :pw, :parent => Puppet::Provider::NameService::PW do
-  desc "Group management via `pw`.
+  desc "Group management via `pw` on FreeBSD."
 
-  Only works on FreeBSD.
+  commands :pw => "pw"
+  has_features :manages_members
 
-  "
-
-  commands :pw => "/usr/sbin/pw"
   defaultfor :operatingsystem => :freebsd
 
+  options :members, :flag => "-M", :method => :mem
+
   verify :gid, "GID must be an integer" do |value|
     value.is_a? Integer
   end
 
   def addcmd
     cmd = [command(:pw), "groupadd", @resource[:name]]
+
     if gid = @resource.should(:gid)
       unless gid == :absent
         cmd << flag(:gid) << gid
       end
     end
 
-    # Apparently, contrary to the man page, groupadd does
-    # not accept -o.
-    #if @parent[:allowdupe] == :true
-    #    cmd << "-o"
-    #end
+    if members = @resource.should(:members)
+      unless members == :absent
+        if members.is_a?(Array)
+          members = members.join(",")
+        end
+        cmd << "-M" << members
+      end
+    end
+
+    cmd << "-o" if @resource.allowdupe?
 
     cmd
   end
+
+  def modifycmd(param, value)
+    # members may be an array, need a comma separated list
+    if param == :members and value.is_a?(Array)
+      value = value.join(",")
+    end
+    super(param, value)
+  end
 end
 

data/lib/puppet/provider/nameservice/directoryservice.rb

@@ -2,7 +2,7 @@ require 'puppet'
 require 'puppet/provider/nameservice'
 require 'facter/util/plist'
 require 'cgi'
-
+require 'fileutils'
 
 class Puppet::Provider::NameService
 class DirectoryService < Puppet::Provider::NameService
@@ -21,6 +21,7 @@ class DirectoryService < Puppet::Provider::NameService
   commands :dscl => "/usr/bin/dscl"
   commands :dseditgroup => "/usr/sbin/dseditgroup"
   commands :sw_vers => "/usr/bin/sw_vers"
+  commands :plutil => '/usr/bin/plutil'
   confine :operatingsystem => :darwin
   defaultfor :operatingsystem => :darwin
 
@@ -60,6 +61,8 @@ class DirectoryService < Puppet::Provider::NameService
   }
 
   @@password_hash_dir = "/var/db/shadow/hash"
+  @@users_plist_dir    = '/var/db/dslocal/nodes/Default/users'
+
 
   def self.instances
     # JJM Class method that provides an array of instance objects of this
@@ -193,7 +196,7 @@ class DirectoryService < Puppet::Provider::NameService
     # stored in the user record. It is stored at a path that involves the
     # UUID of the user record for non-Mobile local acccounts.
     # Mobile Accounts are out of scope for this provider for now
-    attribute_hash[:password] = self.get_password(attribute_hash[:guid]) if @resource_type.validproperties.include?(:password) and Puppet.features.root?
+    attribute_hash[:password] = self.get_password(attribute_hash[:guid], attribute_hash[:name]) if @resource_type.validproperties.include?(:password) and Puppet.features.root?
     attribute_hash
   end
 
@@ -268,46 +271,144 @@ class DirectoryService < Puppet::Provider::NameService
   end
 
   def self.set_password(resource_name, guid, password_hash)
-    password_hash_file = "#{@@password_hash_dir}/#{guid}"
-    begin
-      File.open(password_hash_file, 'w') { |f| f.write(password_hash)}
-    rescue Errno::EACCES => detail
-      fail("Could not write to password hash file: #{detail}")
+    # Use Puppet::Util::Package.versioncmp() to catch the scenario where a
+    # version '10.10' would be < '10.7' with simple string comparison. This
+    # if-statement only executes if the current version is less-than 10.7
+    if (Puppet::Util::Package.versioncmp(get_macosx_version_major, '10.7') == -1)
+      password_hash_file = "#{@@password_hash_dir}/#{guid}"
+      begin
+        File.open(password_hash_file, 'w') { |f| f.write(password_hash)}
+      rescue Errno::EACCES => detail
+        fail("Could not write to password hash file: #{detail}")
+      end
+
+      # NBK: For shadow hashes, the user AuthenticationAuthority must contain a value of
+      # ";ShadowHash;". The LKDC in 10.5 makes this more interesting though as it
+      # will dynamically generate ;Kerberosv5;;username@LKDC:SHA1 attributes if
+      # missing. Thus we make sure we only set ;ShadowHash; if it is missing, and
+      # we can do this with the merge command. This allows people to continue to
+      # use other custom AuthenticationAuthority attributes without stomping on them.
+      #
+      # There is a potential problem here in that we're only doing this when setting
+      # the password, and the attribute could get modified at other times while the
+      # hash doesn't change and so this doesn't get called at all... but
+      # without switching all the other attributes to merge instead of create I can't
+      # see a simple enough solution for this that doesn't modify the user record
+      # every single time. This should be a rather rare edge case. (famous last words)
+
+      dscl_vector = self.get_exec_preamble("-merge", resource_name)
+      dscl_vector << "AuthenticationAuthority" << ";ShadowHash;"
+      begin
+        dscl_output = execute(dscl_vector)
+      rescue Puppet::ExecutionFailure => detail
+        fail("Could not set AuthenticationAuthority.")
+      end
+    else
+      # 10.7 uses salted SHA512 password hashes which are 128 characters plus
+      # an 8 character salt. Previous versions used a SHA1 hash padded with
+      # zeroes. If someone attempts to use a password hash that worked with
+      # a previous version of OX X, we will fail early and warn them.
+      if password_hash.length != 136
+        fail("OS X 10.7 requires a Salted SHA512 hash password of 136 characters. \
+             Please check your password and try again.")
+      end
+
+      if File.exists?("#{@@users_plist_dir}/#{resource_name}.plist")
+        # If a plist already exists in /var/db/dslocal/nodes/Default/users, then
+        # we will need to extract the binary plist from the 'ShadowHashData'
+        # key, log the new password into the resultant plist's 'SALTED-SHA512'
+        # key, and then save the entire structure back.
+        users_plist = Plist::parse_xml(plutil( '-convert', 'xml1', '-o', '/dev/stdout', \
+                                       "#{@@users_plist_dir}/#{resource_name}.plist"))
+
+        # users_plist['ShadowHashData'][0].string is actually a binary plist
+        # that's nested INSIDE the user's plist (which itself is a binary
+        # plist).
+        password_hash_plist = users_plist['ShadowHashData'][0].string
+        converted_hash_plist = convert_binary_to_xml(password_hash_plist)
+
+        # converted_hash_plist['SALTED-SHA512'].string expects a Base64 encoded
+        # string. The password_hash provided as a resource attribute is a
+        # hex value. We need to convert the provided hex value to a Base64
+        # encoded string to nest it in the converted hash plist.
+        converted_hash_plist['SALTED-SHA512'].string = \
+          password_hash.unpack('a2'*(password_hash.size/2)).collect { |i| i.hex.chr }.join
+
+        # Finally, we can convert the nested plist back to binary, embed it
+        # into the user's plist, and convert the resultant plist back to
+        # a binary plist.
+        changed_plist = convert_xml_to_binary(converted_hash_plist)
+        users_plist['ShadowHashData'][0].string = changed_plist
+        Plist::Emit.save_plist(users_plist, "#{@@users_plist_dir}/#{resource_name}.plist")
+        plutil('-convert', 'binary1', "#{@@users_plist_dir}/#{resource_name}.plist")
+      end
+    end
+  end
+
+  def self.get_password(guid, username)
+    # Use Puppet::Util::Package.versioncmp() to catch the scenario where a
+    # version '10.10' would be < '10.7' with simple string comparison. This
+    # if-statement only executes if the current version is less-than 10.7 
+    if (Puppet::Util::Package.versioncmp(get_macosx_version_major, '10.7') == -1)
+      password_hash = nil
+      password_hash_file = "#{@@password_hash_dir}/#{guid}"
+      if File.exists?(password_hash_file) and File.file?(password_hash_file)
+        fail("Could not read password hash file at #{password_hash_file}") if not File.readable?(password_hash_file)
+        f = File.new(password_hash_file)
+        password_hash = f.read
+        f.close
+      end
+      password_hash
+    else
+      if File.exists?("#{@@users_plist_dir}/#{username}.plist")
+        # If a plist exists in /var/db/dslocal/nodes/Default/users, we will
+        # extract the binary plist from the 'ShadowHashData' key, decode the
+        # salted-SHA512 password hash, and then return it.
+        users_plist = Plist::parse_xml(plutil('-convert', 'xml1', '-o', '/dev/stdout', "#{@@users_plist_dir}/#{username}.plist"))
+        if users_plist['ShadowHashData']
+          # users_plist['ShadowHashData'][0].string is actually a binary plist
+          # that's nested INSIDE the user's plist (which itself is a binary
+          # plist).
+          password_hash_plist = users_plist['ShadowHashData'][0].string
+          converted_hash_plist = convert_binary_to_xml(password_hash_plist)
+
+          # converted_hash_plist['SALTED-SHA512'].string is a Base64 encoded
+          # string. The password_hash provided as a resource attribute is a
+          # hex value. We need to convert the Base64 encoded string to a
+          # hex value and provide it back to Puppet.
+          password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0]
+          password_hash
+        end
+      end
     end
+  end
 
-    # NBK: For shadow hashes, the user AuthenticationAuthority must contain a value of
-    # ";ShadowHash;". The LKDC in 10.5 makes this more interesting though as it
-    # will dynamically generate ;Kerberosv5;;username@LKDC:SHA1 attributes if
-    # missing. Thus we make sure we only set ;ShadowHash; if it is missing, and
-    # we can do this with the merge command. This allows people to continue to
-    # use other custom AuthenticationAuthority attributes without stomping on them.
-    #
-    # There is a potential problem here in that we're only doing this when setting
-    # the password, and the attribute could get modified at other times while the
-    # hash doesn't change and so this doesn't get called at all... but
-    # without switching all the other attributes to merge instead of create I can't
-    # see a simple enough solution for this that doesn't modify the user record
-    # every single time. This should be a rather rare edge case. (famous last words)
-
-    dscl_vector = self.get_exec_preamble("-merge", resource_name)
-    dscl_vector << "AuthenticationAuthority" << ";ShadowHash;"
-    begin
-      dscl_output = execute(dscl_vector)
-    rescue Puppet::ExecutionFailure => detail
-      fail("Could not set AuthenticationAuthority.")
+  # This method will accept a hash that has been returned from Plist::parse_xml
+  # and convert it to a binary plist (string value).
+  def self.convert_xml_to_binary(plist_data)
+    Puppet.debug('Converting XML plist to binary')
+    Puppet.debug('Executing: \'plutil -convert binary1 -o - -\'')
+    IO.popen('plutil -convert binary1 -o - -', mode='r+') do |io|
+      io.write plist_data.to_plist
+      io.close_write
+      @converted_plist = io.read
     end
+    @converted_plist
   end
 
-  def self.get_password(guid)
-    password_hash = nil
-    password_hash_file = "#{@@password_hash_dir}/#{guid}"
-    if File.exists?(password_hash_file) and File.file?(password_hash_file)
-      fail("Could not read password hash file at #{password_hash_file}") if not File.readable?(password_hash_file)
-      f = File.new(password_hash_file)
-      password_hash = f.read
-      f.close
+  # This method will accept a binary plist (as a string) and convert it to a
+  # hash via Plist::parse_xml.
+  def self.convert_binary_to_xml(plist_data)
+    Puppet.debug('Converting binary plist to XML')
+    Puppet.debug('Executing: \'plutil -convert xml1 -o - -\'')
+    IO.popen('plutil -convert xml1 -o - -', mode='r+') do |io|
+      io.write plist_data
+      io.close_write
+      @converted_plist = io.read
     end
-    password_hash
+    Puppet.debug('Converting XML values to a hash.')
+    @plist_hash = Plist::parse_xml(@converted_plist)
+    @plist_hash
   end
 
   # Unlike most other *nixes, OS X doesn't provide built in functionality
@@ -468,7 +569,14 @@ class DirectoryService < Puppet::Provider::NameService
         begin
           execute(cmd)
         rescue Puppet::ExecutionFailure => detail
-          fail("Could not remove #{member} from group: #{@resource.name}, #{detail}")
+          # TODO: We're falling back to removing the member using dscl due to rdar://8481241
+          # This bug causes dseditgroup to fail to remove a member if that member doesn't exist
+          cmd = [:dscl, ".", "-delete", "/Groups/#{@resource.name}", "GroupMembership", member]
+          begin
+            execute(cmd)
+          rescue Puppet::ExecutionFailure => detail
+            fail("Could not remove #{member} from group: #{@resource.name}, #{detail}")
+          end
         end
       end
     end
@@ -535,3 +643,4 @@ class DirectoryService < Puppet::Provider::NameService
   end
 end
 end
+

data/lib/puppet/provider/package/pip.rb

@@ -102,7 +102,7 @@ Puppet::Type.type(:package).provide :pip,
       self.class.commands :pip => pathname
       pip *args
     else
-      raise e
+      raise e, 'Could not locate the pip command.'
     end
   end
 end

data/lib/puppet/provider/package/yum.rb

@@ -56,7 +56,6 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
     wanted = @resource[:name]
     operation = :install
 
-    # XXX: We don't actually deal with epochs here.
     case should
     when true, false, Symbol
       # pass
@@ -87,7 +86,7 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
     unless upd.nil?
       # FIXME: there could be more than one update for a package
       # because of multiarch
-      return "#{upd[:version]}-#{upd[:release]}"
+      return "#{upd[:epoch]}:#{upd[:version]}-#{upd[:release]}"
     else
       # Yum didn't find updates, pretend the current
       # version is the latest

data/lib/puppet/provider/service/debian.rb

@@ -42,11 +42,25 @@ Puppet::Type.type(:service).provide :debian, :parent => :init do
     # See x-man-page://invoke-rc.d
     if [104, 106].include?($CHILD_STATUS.exitstatus)
       return :true
+    elsif [105].include?($CHILD_STATUS.exitstatus)
+      # 105 is unknown, which generally means the the iniscript does not support query
+      # The debian policy states that the initscript should support methods of query
+      # For those that do not, peform the checks manually
+      # http://www.debian.org/doc/debian-policy/ch-opersys.html
+      if get_start_link_count >= 4
+        return :true
+      else
+        return :false
+      end
     else
       return :false
     end
   end
 
+  def get_start_link_count
+    Dir.glob("/etc/rc*.d/S*#{@resource[:name]}").length
+  end
+
   def enable
     update_rc "-f", @resource[:name], "remove"
     update_rc @resource[:name], "defaults"

data/lib/puppet/provider/service/launchd.rb

@@ -196,7 +196,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
     did_enable_job = false
     cmds = []
     cmds << :launchctl << :load
-    if self.enabled? == :false  # launchctl won't load disabled jobs
+    if self.enabled? == :false  || self.status == :stopped # launchctl won't load disabled jobs
       cmds << "-w"
       did_enable_job = true
     end

data/lib/puppet/provider/service/smf.rb

@@ -58,7 +58,7 @@ Puppet::Type.type(:service).provide :smf, :parent => :base do
     when :maintenance
       [command(:adm), :clear, @resource[:name]]
     else
-      [command(:adm), :enable, @resource[:name]]
+      [command(:adm), :enable, "-s", @resource[:name]]
     end
   end
 
@@ -98,7 +98,7 @@ Puppet::Type.type(:service).provide :smf, :parent => :base do
   end
 
   def stopcmd
-    [command(:adm), :disable, @resource[:name]]
+    [command(:adm), :disable, "-s", @resource[:name]]
   end
 end
 

data/lib/puppet/provider/user/pw.rb

@@ -1,16 +1,18 @@
 require 'puppet/provider/nameservice/pw'
+require 'open3'
 
 Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::PW do
   desc "User management via `pw` on FreeBSD."
 
   commands :pw => "pw"
-  has_features :manages_homedir, :allows_duplicates
+  has_features :manages_homedir, :allows_duplicates, :manages_passwords, :manages_expiry
 
   defaultfor :operatingsystem => :freebsd
 
   options :home, :flag => "-d", :method => :dir
   options :comment, :method => :gecos
   options :groups, :flag => "-G"
+  options :expiry, :method => :expire
 
   verify :gid, "GID must be an integer" do |value|
     value.is_a? Integer
@@ -23,10 +25,14 @@ Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::
   def addcmd
     cmd = [command(:pw), "useradd", @resource[:name]]
     @resource.class.validproperties.each do |property|
-      next if property == :ensure
+      next if property == :ensure or property == :password
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
       if value = @resource.should(property) and value != ""
+        if property == :expiry
+          # FreeBSD uses DD-MM-YYYY rather than YYYY-MM-DD
+          value = value.split("-").reverse.join("-")
+        end
         cmd << flag(property) << value
       end
     end
@@ -37,5 +43,53 @@ Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::
 
     cmd
   end
+
+  def modifycmd(param, value)
+    if param == :expiry
+      # FreeBSD uses DD-MM-YYYY rather than YYYY-MM-DD
+      value = value.split("-").reverse.join("-")
+    end
+    cmd = super(param, value)
+    cmd << "-m" if @resource.managehome?
+    cmd
+  end
+
+  def create
+    super
+
+    # Set the password after create if given
+    self.password = @resource[:password] if @resource[:password]
+  end
+
+  # use pw to update password hash
+  def password=(cryptopw)
+    Puppet.debug "change password for user '#{@resource[:name]}' method called with hash '#{cryptopw}'"
+    stdin, stdout, stderr = Open3.popen3("pw user mod #{@resource[:name]} -H 0")
+    stdin.puts(cryptopw)
+    stdin.close
+    Puppet.debug "finished password for user '#{@resource[:name]}' method called with hash '#{cryptopw}'"
+  end
+
+  # get password from /etc/master.passwd
+  def password
+    Puppet.debug "checking password for user '#{@resource[:name]}' method called"
+    current_passline = `getent passwd #{@resource[:name]}`
+    current_password = current_passline.chomp.split(':')[1] if current_passline
+    Puppet.debug "finished password for user '#{@resource[:name]}' method called : '#{current_password}'"
+    current_password
+  end
+
+  # Get expiry from system and convert to Puppet-style date
+  def expiry
+    expiry = self.get(:expiry)
+    expiry = :absent if expiry == 0
+
+    if expiry != :absent
+      t = Time.at(expiry)
+      expiry = "%4d-%02d-%02d" % [t.year, t.month, t.mday]
+    end
+
+    expiry
+  end
 end