puppet 2.7.9 → 2.7.11

data/lib/puppet/provider/user/user_role_add.rb

@@ -1,3 +1,4 @@
+require 'puppet/util'
 require 'puppet/util/user_attr'
 
 Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source => :useradd do
@@ -145,11 +146,22 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
     run([command(:modify)] + build_keys_cmd(keys_hash) << @resource[:name], "modify attribute key pairs")
   end
 
+
+  # This helper makes it possible to test this on stub data without having to
+  # do too many crazy things!
+  def target_file_path
+    "/etc/shadow"
+  end
+  private :target_file_path
+
   #Read in /etc/shadow, find the line for this user (skipping comments, because who knows) and return it
   #No abstraction, all esoteric knowledge of file formats, yay
   def shadow_entry
     return @shadow_entry if defined? @shadow_entry
-    @shadow_entry = File.readlines("/etc/shadow").reject { |r| r =~ /^[^\w]/ }.collect { |l| l.chomp.split(':') }.find { |user, _| user == @resource[:name] }
+    @shadow_entry = File.readlines(target_file_path).
+      reject { |r| r =~ /^[^\w]/ }.
+      collect { |l| l.chomp.split(':') }.
+      find { |user, _| user == @resource[:name] }
   end
 
   def password
@@ -164,33 +176,31 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
     shadow_entry ? shadow_entry[4] : :absent
   end
 
-  #Read in /etc/shadow, find the line for our used and rewrite it with the new pw
-  #Smooth like 80 grit
+  # Read in /etc/shadow, find the line for our used and rewrite it with the
+  # new pw.  Smooth like 80 grit sandpaper.
+  #
+  # Now uses the `replace_file` mechanism to minimize the chance that we lose
+  # data, but it is still terrible.  We still skip platform locking, so a
+  # concurrent `vipw -s` session will have no idea we risk data loss.
   def password=(cryptopw)
     begin
-      File.open(shadow_file, "r") do |shadow|
-        File.open("#{shadow_file}_tmp", "w", 0600) do |shadow_tmp|
-          while line = shadow.gets
-            line_arr = line.split(':')
-            if line_arr[0] == @resource[:name]
-              line_arr[1] = cryptopw
-              line_arr[2] = Time.now().to_i / 86400
-              line = line_arr.join(':')
-            end
-            shadow_tmp.print line
+      shadow = File.read(target_file_path)
+
+      # Go Mifune loves the race here where we can lose data because
+      # /etc/shadow changed between reading it and writing it.
+      # --daniel 2012-02-05
+      Puppet::Util.replace_file(target_file_path, 0640) do |fh|
+        shadow.each_line do |line|
+          line_arr = line.split(':')
+          if line_arr[0] == @resource[:name]
+            line_arr[1] = cryptopw
+            line = line_arr.join(':')
           end
+          fh.print line
         end
       end
-      File.rename("#{shadow_file}_tmp", shadow_file)
     rescue => detail
-      fail "Could not write temporary shadow file: #{detail}"
-    ensure
-      # Make sure this *always* gets deleted
-      File.unlink("#{shadow_file}_tmp") if File.exist?("#{shadow_file}_tmp")
+      fail "Could not write replace #{target_file_path}: #{detail}"
     end
   end
-
-  private
-
-  def shadow_file; '/etc/shadow'; end
 end

data/lib/puppet/provider/user/windows_adsi.rb

@@ -22,6 +22,7 @@ Puppet::Type.type(:user).provide :windows_adsi do
 
   def create
     @user = Puppet::Util::ADSI::User.create(@resource[:name])
+    @user.password = @resource[:password]
     @user.commit
 
     [:comment, :home, :groups].each do |prop|

data/lib/puppet/rails/benchmark.rb

@@ -58,6 +58,6 @@ module Puppet::Rails::Benchmark
       data = {}
     end
     data[branch] = $benchmarks
-    Puppet::Util.secure_open(file, "w") { |f| f.print YAML.dump(data) }
+    Puppet::Util.replace_file(file, 0644) { |f| f.print YAML.dump(data) }
   end
 end

data/lib/puppet/reports/store.rb

@@ -1,4 +1,6 @@
 require 'puppet'
+require 'fileutils'
+require 'tempfile'
 
 Puppet::Reports.register_report(:store) do
   desc "Store the yaml report on disk.  Each host sends its report as a YAML dump
@@ -29,10 +31,15 @@ Puppet::Reports.register_report(:store) do
 
     file = File.join(dir, name)
 
+    f = Tempfile.new(name, dir)
     begin
-      File.open(file, "w", 0640) do |f|
+      begin
+        f.chmod(0640)
         f.print to_yaml
+      ensure
+        f.close
       end
+      FileUtils.mv(f.path, file)
     rescue => detail
       puts detail.backtrace if Puppet[:trace]
       Puppet.warning "Could not write report for #{client} at #{file}: #{detail}"

data/lib/puppet/resource/catalog.rb

@@ -547,7 +547,11 @@ class Puppet::Resource::Catalog < Puppet::SimpleGraph
     ::File.open(Puppet[:resourcefile], "w") do |f|
       to_print = resources.map do |resource|
         next unless resource.managed?
-        "#{resource.type}[#{resource[resource.name_var]}]"
+        if resource.name_var
+          "#{resource.type}[#{resource[resource.name_var]}]"
+        else
+          "#{resource.ref.downcase}"
+        end
       end.compact
       f.puts to_print.join("\n")
     end

data/lib/puppet/simple_graph.rb

@@ -136,18 +136,7 @@ class Puppet::SimpleGraph
               s[:seen][top] = false
               this_scc << top
             end until top == vertex
-            # NOTE: if we don't reverse we get the components in the opposite
-            # order to what a human being would expect; reverse should be an
-            # O(1) operation, without even copying, because we know the length
-            # of the source, but I worry that an implementation will get this
-            # wrong.  Still, the worst case is O(n) for n vertices as we can't
-            # possibly put a vertex into two SCCs.
-            #
-            # Also, my feeling is that most implementations are going to do
-            # better with a reverse operation than a string of 'unshift'
-            # insertions at the head of the array; if they were going to mess
-            # up the performance of one, it would be unshift.
-            s[:scc] << this_scc.reverse
+            s[:scc] << this_scc
           end
           recur.pop               # done with this node, finally.
         end
@@ -181,7 +170,15 @@ class Puppet::SimpleGraph
       end
     end
 
-    state[:scc].select { |c| c.length > 1 }
+    # To provide consistent results to the user, given that a hash is never
+    # assured to return the same order, and given our graph processing is
+    # based on hash tables, we need to sort the cycles internally, as well as
+    # the set of cycles.
+    #
+    # Given we are in a failure state here, any extra cost is more or less
+    # irrelevant compared to the cost of a fix - which is on a human
+    # time-scale.
+    state[:scc].select { |c| c.length > 1 }.map {|x| x.sort }.sort
   end
 
   # Perform a BFS on the sub graph representing the cycle, with a view to
@@ -215,7 +212,7 @@ class Puppet::SimpleGraph
       end
     end
 
-    return found
+    return found.sort
   end
 
   def report_cycles_in_graph

data/lib/puppet/transaction.rb

@@ -100,6 +100,7 @@ class Puppet::Transaction
       if resource.is_a?(Puppet::Type::Component)
         Puppet.warning "Somehow left a component in the relationship graph"
       else
+        resource.info "Starting to evaluate the resource" if Puppet[:evaltrace] and @catalog.host_config?
         seconds = thinmark { eval_resource(resource) }
         resource.info "Evaluated in %0.2f seconds" % seconds if Puppet[:evaltrace] and @catalog.host_config?
       end
@@ -317,10 +318,6 @@ class Puppet::Transaction
       @blockers = {}
       @unguessable_deterministic_key = Hash.new { |h,k| h[k] = Digest::SHA1.hexdigest("NaCl, MgSO4 (salts) and then #{k.ref}") }
       @providerless_types = []
-      vertices.each do |v|
-        blockers[v] = direct_dependencies_of(v).length
-        enqueue(v) if blockers[v] == 0
-      end
     end
     def method_missing(*args,&block)
       real_graph.send(*args,&block)
@@ -335,6 +332,13 @@ class Puppet::Transaction
 
       real_graph.add_edge(f,t,label)
     end
+    # Enqueue the initial set of resources, those with no dependencies.
+    def enqueue_roots
+      vertices.each do |v|
+        blockers[v] = direct_dependencies_of(v).length
+        enqueue(v) if blockers[v] == 0
+      end
+    end
     # Decrement the blocker count for the resource by 1. If the number of
     # blockers is unknown, count them and THEN decrement by 1.
     def unblock(resource)
@@ -364,6 +368,8 @@ class Puppet::Transaction
     def traverse(&block)
       real_graph.report_cycles_in_graph
 
+      enqueue_roots
+
       deferred_resources = []
 
       while (resource = next_resource) && !transaction.stop_processing?

data/lib/puppet/transaction/report.rb

@@ -115,7 +115,7 @@ class Puppet::Transaction::Report
 
   # Provide a raw hash summary of this report.
   def raw_summary
-    report = {}
+    report = { "version" => { "config" => configuration_version, "puppet" => Puppet.version  } }
 
     @metrics.each do |name, metric|
       key = metric.name.to_s
@@ -151,7 +151,7 @@ class Puppet::Transaction::Report
 
   def calculate_event_metrics
     metrics = Hash.new(0)
-    metrics["total"] = 0
+    %w{total failure success}.each { |m| metrics[m] = 0 }
     resource_statuses.each do |name, status|
       metrics["total"] += status.events.length
       status.events.each do |event|
@@ -163,9 +163,15 @@ class Puppet::Transaction::Report
   end
 
   def calculate_resource_metrics
-    metrics = Hash.new(0)
+    metrics = {}
     metrics["total"] = resource_statuses.length
 
+    # force every resource key in the report to be present
+    # even if no resources is in this given state
+    Puppet::Resource::Status::STATES.each do |state|
+      metrics[state.to_s] = 0
+    end
+
     resource_statuses.each do |name, status|
       Puppet::Resource::Status::STATES.each do |state|
         metrics[state.to_s] += 1 if status.send(state)

data/lib/puppet/type.rb

@@ -23,6 +23,17 @@ class Type
   include Puppet::FileCollection::Lookup
   include Puppet::Util::Tagging
 
+  ###############################
+  # Comparing type instances.
+  include Comparable
+  def <=>(other)
+    # We only order against other types, not arbitrary objects.
+    return nil unless other.is_a? Puppet::Type
+    # Our natural order is based on the reference name we use when comparing
+    # against other type instances.
+    self.ref <=> other.ref
+  end
+
   ###############################
   # Code related to resource type attributes.
   class << self
@@ -107,11 +118,9 @@ class Type
   def self.ensurable?
     # If the class has all three of these methods defined, then it's
     # ensurable.
-    ens = [:exists?, :create, :destroy].inject { |set, method|
-      set &&= self.public_method_defined?(method)
+    [:exists?, :create, :destroy].all? { |method|
+      self.public_method_defined?(method)
     }
-
-    ens
   end
 
   def self.apply_to_device
@@ -1500,11 +1509,14 @@ class Type
 
       # We need to add documentation for each provider.
       def self.doc
-        @doc + "  Available providers are:\n\n" + parenttype.providers.sort { |a,b|
+        # Since we're mixing @doc with text from other sources, we must normalize
+        # its indentation with scrub. But we don't need to manually scrub the
+        # provider's doc string, since markdown_definitionlist sanitizes its inputs.
+        scrub(@doc) + "Available providers are:\n\n" + parenttype.providers.sort { |a,b|
           a.to_s <=> b.to_s
         }.collect { |i|
-          "* **#{i}**: #{parenttype().provider(i).doc}"
-        }.join("\n")
+          markdown_definitionlist( i, scrub(parenttype().provider(i).doc) )
+        }.join
       end
 
       defaultto {

data/lib/puppet/type/exec.rb

@@ -170,7 +170,7 @@ module Puppet
       desc "The group to run the command as.  This seems to work quite
         haphazardly on different platforms -- it is a platform issue
         not a Ruby or Puppet one, since the same variety exists when
-        running commnands as different users in the shell."
+        running commands as different users in the shell."
       # Validation is handled by the SUIDManager class.
     end
 

data/lib/puppet/type/file.rb

@@ -9,11 +9,14 @@ require 'puppet/network/handler'
 require 'puppet/util/diff'
 require 'puppet/util/checksums'
 require 'puppet/util/backups'
+require 'puppet/util/symbolic_file_mode'
 
 Puppet::Type.newtype(:file) do
   include Puppet::Util::MethodHelper
   include Puppet::Util::Checksums
   include Puppet::Util::Backups
+  include Puppet::Util::SymbolicFileMode
+
   @doc = "Manages local files, including setting ownership and
     permissions, creation of both files and directories, and
     retrieving entire files from remote servers.  As Puppet matures, it
@@ -734,7 +737,7 @@ Puppet::Type.newtype(:file) do
 
     mode = self.should(:mode) # might be nil
     umask = mode ? 000 : 022
-    mode_int = mode ? mode.to_i(8) : nil
+    mode_int = mode ? symbolic_mode_to_int(mode, 0644) : nil
 
     content_checksum = Puppet::Util.withumask(umask) { ::File.open(path, 'wb', mode_int ) { |f| write_content(f) } }
 

data/lib/puppet/type/file/ensure.rb

@@ -1,6 +1,10 @@
+
 module Puppet
   Puppet::Type.type(:file).ensurable do
     require 'etc'
+    require 'puppet/util/symbolic_file_mode'
+    include Puppet::Util::SymbolicFileMode
+
     desc <<-EOT
       Whether to create files that don't currently exist.
       Possible values are *absent*, *present*, *file*, and *directory*.
@@ -63,7 +67,7 @@ module Puppet
       end
       if mode
         Puppet::Util.withumask(000) do
-          Dir.mkdir(@resource[:path], mode.to_i(8))
+          Dir.mkdir(@resource[:path], symbolic_mode_to_int(mode, 755, true))
         end
       else
         Dir.mkdir(@resource[:path])

data/lib/puppet/type/file/mode.rb

@@ -3,6 +3,9 @@
 # specifying the full mode.
 module Puppet
   Puppet::Type.type(:file).newproperty(:mode) do
+    require 'puppet/util/symbolic_file_mode'
+    include Puppet::Util::SymbolicFileMode
+
     desc "Mode the file should be.  Currently relatively limited:
       you must specify the exact mode the file should be.
 
@@ -23,23 +26,32 @@ module Puppet
       mode 644, and all of the directories will have mode 755."
 
     validate do |value|
-      if value.is_a?(String) and value !~ /^[0-7]+$/
-        raise Puppet::Error, "File modes can only be octal numbers, not #{should.inspect}"
+      unless value.nil? or valid_symbolic_mode?(value)
+        raise Puppet::Error, "The file mode specification is invalid: #{value.inspect}"
       end
     end
 
-    munge do |should|
-      if should.is_a?(String)
-        should.to_i(8).to_s(8)
-      else
-        should.to_s(8)
+    munge do |value|
+      return nil if value.nil?
+
+      unless valid_symbolic_mode?(value)
+        raise Puppet::Error, "The file mode specification is invalid: #{value.inspect}"
       end
+
+      normalize_symbolic_mode(value)
+    end
+
+    def desired_mode_from_current(desired, current)
+      current = current.to_i(8) if current.is_a? String
+      is_a_directory = @resource.stat and @resource.stat.directory?
+      symbolic_mode_to_int(desired, current, is_a_directory)
     end
 
     # If we're a directory, we need to be executable for all cases
     # that are readable.  This should probably be selectable, but eh.
     def dirmask(value)
-      if FileTest.directory?(resource[:path])
+      orig = value
+      if FileTest.directory?(resource[:path]) and value =~ /^\d+$/ then
         value = value.to_i(8)
         value |= 0100 if value & 0400 != 0
         value |= 010 if value & 040 != 0
@@ -61,6 +73,13 @@ module Puppet
       end
     end
 
+    def property_matches?(current, desired)
+      return false unless current
+      current_bits = normalize_symbolic_mode(current)
+      desired_bits = desired_mode_from_current(desired, current).to_s(8)
+      current_bits == desired_bits
+    end
+
     # Ideally, dirmask'ing could be done at munge time, but we don't know if 'ensure'
     # will eventually be a directory or something else. And unfortunately, that logic
     # depends on the ensure, source, and target properties. So rather than duplicate
@@ -74,12 +93,28 @@ module Puppet
       super
     end
 
+    # Finally, when we sync the mode out we need to transform it; since we
+    # don't have access to the calculated "desired" value here, or the
+    # "current" value, only the "should" value we need to retrieve again.
+    def sync
+      current = @resource.stat ? @resource.stat.mode : 0644
+      set(desired_mode_from_current(@should[0], current).to_s(8))
+    end
+
+    def change_to_s(old_value, desired)
+      return super if desired =~ /^\d+$/
+
+      old_bits = normalize_symbolic_mode(old_value)
+      new_bits = normalize_symbolic_mode(desired_mode_from_current(desired, old_bits))
+      super(old_bits, new_bits) + " (#{desired})"
+    end
+
     def should_to_s(should_value)
-      should_value.rjust(4,"0")
+      should_value.rjust(4, "0")
     end
 
     def is_to_s(currentvalue)
-      currentvalue.rjust(4,"0")
+      currentvalue.rjust(4, "0")
     end
   end
 end