RubyGems - puppet - Versions diffs - 3.3.2 → 3.4.0.rc1 - Mend

puppet 3.3.2 → 3.4.0.rc1

Potentially problematic release.

This version of puppet might be problematic. Click here for more details.

Files changed (589) hide show

data/CONTRIBUTING.md +22 -0
data/Gemfile +11 -2
data/README.md +13 -17
data/README_DEVELOPER.md +1 -1
data/Rakefile +1 -1
data/examples/hiera/README.md +4 -4
data/ext/debian/puppetmaster.init +1 -0
data/ext/debian/rules +2 -5
data/ext/nagios/check_puppet.rb +7 -7
data/ext/osx/file_mapping.yaml +1 -1
data/ext/osx/preflight.erb +34 -19
data/ext/rack/{files/config.ru → config.ru} +0 -0
data/ext/rack/{files/apache2.conf → example-passenger-vhost.conf} +6 -0
data/ext/redhat/puppet.spec.erb +20 -2
data/ext/systemd/{puppetagent.service → puppet.service} +0 -0
data/lib/hiera_puppet.rb +2 -2
data/lib/puppet/agent.rb +1 -6
data/lib/puppet/application.rb +15 -2
data/lib/puppet/application/agent.rb +2 -7
data/lib/puppet/application/apply.rb +8 -13
data/lib/puppet/application/cert.rb +47 -7
data/lib/puppet/application/device.rb +1 -6
data/lib/puppet/application/face_base.rb +1 -1
data/lib/puppet/application/filebucket.rb +1 -1
data/lib/puppet/application/inspect.rb +3 -12
data/lib/puppet/application/master.rb +1 -6
data/lib/puppet/application/queue.rb +1 -6
data/lib/puppet/application/resource.rb +2 -6
data/lib/puppet/coercion.rb +11 -0
data/lib/puppet/configurer.rb +5 -3
data/lib/puppet/configurer/downloader.rb +3 -1
data/lib/puppet/configurer/plugin_handler.rb +10 -0
data/lib/puppet/confine.rb +80 -0
data/lib/puppet/{provider/confine → confine}/exists.rb +3 -3
data/lib/puppet/{provider/confine → confine}/false.rb +2 -2
data/lib/puppet/{provider/confine → confine}/feature.rb +2 -2
data/lib/puppet/{provider/confine → confine}/true.rb +2 -2
data/lib/puppet/{provider/confine → confine}/variable.rb +2 -2
data/lib/puppet/{provider/confine_collection.rb → confine_collection.rb} +4 -4
data/lib/puppet/{provider/confiner.rb → confiner.rb} +4 -4
data/lib/puppet/daemon.rb +2 -6
data/lib/puppet/data_binding.rb +2 -30
data/lib/puppet/defaults.rb +283 -174
data/lib/puppet/error.rb +1 -0
data/lib/puppet/external/nagios.rb +0 -2
data/lib/puppet/external/nagios/base.rb +4 -3
data/lib/puppet/external/nagios/grammar.ry +173 -112
data/lib/puppet/external/nagios/parser.rb +233 -184
data/lib/puppet/face/file/store.rb +1 -1
data/lib/puppet/face/module/generate.rb +5 -7
data/lib/puppet/face/parser.rb +12 -2
data/lib/puppet/face/plugin.rb +6 -0
data/lib/puppet/feature/base.rb +16 -0
data/lib/puppet/feature/external_facts.rb +5 -0
data/lib/puppet/feature/libuser.rb +1 -1
data/lib/puppet/feature/msgpack.rb +1 -0
data/lib/puppet/feature/rails.rb +2 -2
data/lib/puppet/file_bucket/dipper.rb +8 -6
data/lib/puppet/file_bucket/file.rb +17 -1
data/lib/puppet/file_serving/base.rb +21 -10
data/lib/puppet/file_serving/configuration.rb +5 -7
data/lib/puppet/file_serving/configuration/parser.rb +1 -1
data/lib/puppet/file_serving/content.rb +1 -1
data/lib/puppet/file_serving/fileset.rb +3 -3
data/lib/puppet/file_serving/metadata.rb +22 -18
data/lib/puppet/file_serving/mount/file.rb +1 -1
data/lib/puppet/file_serving/mount/pluginfacts.rb +35 -0
data/lib/puppet/file_system.rb +3 -0
data/lib/puppet/file_system/file.rb +261 -0
data/lib/puppet/file_system/file18.rb +5 -0
data/lib/puppet/file_system/file19.rb +5 -0
data/lib/puppet/file_system/file19windows.rb +113 -0
data/lib/puppet/file_system/memory_file.rb +31 -0
data/lib/puppet/file_system/tempfile.rb +20 -0
data/lib/puppet/indirector/active_record.rb +1 -0
data/lib/puppet/indirector/catalog/compiler.rb +28 -0
data/lib/puppet/indirector/certificate_request/memory.rb +6 -0
data/lib/puppet/indirector/data_binding/hiera.rb +46 -2
data/lib/puppet/indirector/direct_file_server.rb +2 -2
data/lib/puppet/indirector/facts/facter.rb +25 -0
data/lib/puppet/indirector/file_bucket_file/file.rb +60 -74
data/lib/puppet/indirector/indirection.rb +5 -1
data/lib/puppet/indirector/json.rb +1 -1
data/lib/puppet/indirector/key/ca.rb +4 -0
data/lib/puppet/indirector/key/file.rb +7 -3
data/lib/puppet/indirector/key/memory.rb +6 -0
data/lib/puppet/indirector/node/write_only_yaml.rb +2 -2
data/lib/puppet/indirector/request.rb +17 -11
data/lib/puppet/indirector/resource/ral.rb +5 -0
data/lib/puppet/indirector/resource/rest.rb +1 -0
data/lib/puppet/indirector/resource/store_configs.rb +4 -0
data/lib/puppet/indirector/rest.rb +2 -1
data/lib/puppet/indirector/ssl_file.rb +7 -7
data/lib/puppet/indirector/terminus.rb +4 -0
data/lib/puppet/indirector/yaml.rb +3 -3
data/lib/puppet/interface/documentation.rb +4 -11
data/lib/puppet/module.rb +19 -6
data/lib/puppet/module_tool/applications/builder.rb +1 -1
data/lib/puppet/module_tool/applications/installer.rb +1 -1
data/lib/puppet/module_tool/checksums.rb +1 -1
data/lib/puppet/module_tool/dependency.rb +7 -3
data/lib/puppet/module_tool/metadata.rb +6 -2
data/lib/puppet/module_tool/tar.rb +2 -1
data/lib/puppet/module_tool/tar/gnu.rb +6 -2
data/lib/puppet/module_tool/tar/mini.rb +2 -0
data/lib/puppet/module_tool/tar/solaris.rb +2 -5
data/lib/puppet/network/authconfig.rb +0 -2
data/lib/puppet/network/authentication.rb +1 -1
data/lib/puppet/network/authstore.rb +6 -7
data/lib/puppet/network/format.rb +2 -3
data/lib/puppet/network/format_handler.rb +16 -11
data/lib/puppet/network/format_support.rb +14 -0
data/lib/puppet/network/formats.rb +26 -0
data/lib/puppet/network/http/connection.rb +8 -41
data/lib/puppet/network/http/handler.rb +28 -32
data/lib/puppet/network/http/webrick.rb +15 -22
data/lib/puppet/network/http_pool.rb +43 -9
data/lib/puppet/network/rights.rb +0 -0
data/lib/puppet/node.rb +24 -8
data/lib/puppet/node/environment.rb +18 -20
data/lib/puppet/node/facts.rb +23 -6
data/lib/puppet/parameter.rb +15 -2
data/lib/puppet/parameter/boolean.rb +5 -0
data/lib/puppet/parameter/value_collection.rb +6 -4
data/lib/puppet/parser/ast/resourceparam.rb +2 -1
data/lib/puppet/parser/compiler.rb +25 -9
data/lib/puppet/parser/files.rb +1 -1
data/lib/puppet/parser/functions.rb +12 -21
data/lib/puppet/parser/functions/collect.rb +6 -35
data/lib/puppet/parser/functions/contain.rb +26 -0
data/lib/puppet/parser/functions/create_resources.rb +5 -0
data/lib/puppet/parser/functions/extlookup.rb +2 -2
data/lib/puppet/parser/functions/file.rb +1 -1
data/lib/puppet/parser/functions/{reject.rb → filter.rb} +13 -12
data/lib/puppet/parser/functions/fqdn_rand.rb +13 -5
data/lib/puppet/parser/functions/include.rb +18 -1
data/lib/puppet/parser/functions/map.rb +44 -0
data/lib/puppet/parser/functions/select.rb +6 -38
data/lib/puppet/parser/lexer.rb +1 -1
data/lib/puppet/parser/parser_support.rb +1 -1
data/lib/puppet/parser/resource.rb +6 -45
data/lib/puppet/parser/scope.rb +33 -2
data/lib/puppet/parser/type_loader.rb +4 -60
data/lib/puppet/pops/binder/bindings_loader.rb +1 -1
data/lib/puppet/pops/binder/config/binder_config.rb +3 -3
data/lib/puppet/pops/binder/hiera2/bindings_provider.rb +1 -1
data/lib/puppet/pops/binder/scheme_handler/confdir_hiera_scheme.rb +1 -1
data/lib/puppet/pops/binder/scheme_handler/module_hiera_scheme.rb +2 -2
data/lib/puppet/pops/issues.rb +4 -0
data/lib/puppet/pops/model/ast_transformer.rb +4 -1
data/lib/puppet/pops/model/model_label_provider.rb +1 -1
data/lib/puppet/pops/parser/egrammar.ra +5 -24
data/lib/puppet/pops/parser/eparser.rb +859 -902
data/lib/puppet/pops/parser/lexer.rb +48 -30
data/lib/puppet/pops/parser/parser_support.rb +1 -1
data/lib/puppet/pops/patterns.rb +4 -4
data/lib/puppet/pops/utils.rb +1 -1
data/lib/puppet/pops/validation/checker3_1.rb +25 -20
data/lib/puppet/provider.rb +23 -6
data/lib/puppet/provider/aixobject.rb +0 -0
data/lib/puppet/provider/augeas/augeas.rb +21 -5
data/lib/puppet/provider/confine.rb +5 -79
data/lib/puppet/provider/cron/crontab.rb +0 -0
data/lib/puppet/provider/exec.rb +9 -7
data/lib/puppet/provider/exec/posix.rb +10 -1
data/lib/puppet/provider/exec/windows.rb +1 -1
data/lib/puppet/provider/file/posix.rb +1 -0
data/lib/puppet/provider/file/windows.rb +16 -5
data/lib/puppet/provider/group/aix.rb +0 -0
data/lib/puppet/provider/group/windows_adsi.rb +33 -1
data/lib/puppet/provider/macauthorization/macauthorization.rb +1 -1
data/lib/puppet/provider/mailalias/aliases.rb +0 -0
data/lib/puppet/provider/maillist/mailman.rb +0 -0
data/lib/puppet/provider/mount/parsed.rb +0 -0
data/lib/puppet/provider/nameservice/directoryservice.rb +3 -3
data/lib/puppet/provider/package/appdmg.rb +1 -1
data/lib/puppet/provider/package/apple.rb +1 -1
data/lib/puppet/provider/package/apt.rb +1 -1
data/lib/puppet/provider/package/aptitude.rb +0 -0
data/lib/puppet/provider/package/blastwave.rb +1 -1
data/lib/puppet/provider/package/dpkg.rb +1 -1
data/lib/puppet/provider/package/fink.rb +1 -1
data/lib/puppet/provider/package/freebsd.rb +0 -0
data/lib/puppet/provider/package/gem.rb +0 -0
data/lib/puppet/provider/package/macports.rb +0 -0
data/lib/puppet/provider/package/msi.rb +4 -10
data/lib/puppet/provider/package/nim.rb +8 -8
data/lib/puppet/provider/package/openbsd.rb +1 -1
data/lib/puppet/provider/package/opkg.rb +0 -0
data/lib/puppet/provider/package/pacman.rb +2 -2
data/lib/puppet/provider/package/pkgdmg.rb +1 -1
data/lib/puppet/provider/package/pkgutil.rb +1 -1
data/lib/puppet/provider/package/ports.rb +0 -0
data/lib/puppet/provider/package/rpm.rb +39 -3
data/lib/puppet/provider/package/sun.rb +3 -3
data/lib/puppet/provider/package/sunfreeware.rb +0 -0
data/lib/puppet/provider/package/windows.rb +12 -19
data/lib/puppet/provider/package/windows/package.rb +1 -1
data/lib/puppet/provider/package/yum.rb +2 -2
data/lib/puppet/provider/parsedfile.rb +0 -0
data/lib/puppet/provider/port/parsed.rb +0 -0
data/lib/puppet/provider/service/base.rb +0 -0
data/lib/puppet/provider/service/bsd.rb +3 -3
data/lib/puppet/provider/service/daemontools.rb +8 -8
data/lib/puppet/provider/service/debian.rb +0 -0
data/lib/puppet/provider/service/freebsd.rb +3 -3
data/lib/puppet/provider/service/init.rb +5 -4
data/lib/puppet/provider/service/launchd.rb +35 -24
data/lib/puppet/provider/service/openbsd.rb +23 -0
data/lib/puppet/provider/service/redhat.rb +0 -0
data/lib/puppet/provider/service/runit.rb +3 -3
data/lib/puppet/provider/service/smf.rb +0 -0
data/lib/puppet/provider/service/src.rb +0 -0
data/lib/puppet/provider/service/systemd.rb +0 -0
data/lib/puppet/provider/service/upstart.rb +3 -3
data/lib/puppet/provider/ssh_authorized_key/parsed.rb +2 -2
data/lib/puppet/provider/sshkey/parsed.rb +0 -0
data/lib/puppet/provider/user/aix.rb +0 -0
data/lib/puppet/provider/user/directoryservice.rb +1 -1
data/lib/puppet/provider/user/useradd.rb +1 -1
data/lib/puppet/provider/zone/solaris.rb +1 -1
data/lib/puppet/rails/benchmark.rb +1 -1
data/lib/puppet/reference/configuration.rb +1 -2
data/lib/puppet/reference/indirection.rb +12 -14
data/lib/puppet/relationship.rb +7 -4
data/lib/puppet/reports.rb +2 -2
data/lib/puppet/reports/rrdgraph.rb +1 -1
data/lib/puppet/reports/store.rb +3 -3
data/lib/puppet/reports/tagmail.rb +2 -2
data/lib/puppet/resource.rb +66 -8
data/lib/puppet/resource/catalog.rb +18 -25
data/lib/puppet/resource/status.rb +10 -4
data/lib/puppet/run.rb +6 -2
data/lib/puppet/settings.rb +39 -119
data/lib/puppet/settings/base_setting.rb +8 -9
data/lib/puppet/settings/directory_setting.rb +8 -0
data/lib/puppet/settings/file_setting.rb +35 -1
data/lib/puppet/settings/priority_setting.rb +42 -0
data/lib/puppet/ssl.rb +4 -0
data/lib/puppet/ssl/certificate.rb +18 -0
data/lib/puppet/ssl/certificate_authority.rb +101 -72
data/lib/puppet/ssl/certificate_authority/autosign_command.rb +44 -0
data/lib/puppet/ssl/certificate_authority/interface.rb +21 -17
data/lib/puppet/ssl/certificate_factory.rb +38 -12
data/lib/puppet/ssl/certificate_request.rb +201 -47
data/lib/puppet/ssl/certificate_request_attributes.rb +34 -0
data/lib/puppet/ssl/certificate_revocation_list.rb +2 -2
data/lib/puppet/ssl/host.rb +21 -10
data/lib/puppet/ssl/inventory.rb +6 -10
data/lib/puppet/ssl/key.rb +1 -1
data/lib/puppet/ssl/oids.rb +78 -0
data/lib/puppet/ssl/validator.rb +41 -97
data/lib/puppet/ssl/validator/default_validator.rb +153 -0
data/lib/puppet/ssl/validator/no_validator.rb +17 -0
data/lib/puppet/status.rb +4 -0
data/lib/puppet/test/test_helper.rb +5 -0
data/lib/puppet/transaction.rb +13 -0
data/lib/puppet/transaction/event.rb +8 -3
data/lib/puppet/transaction/report.rb +6 -2
data/lib/puppet/transaction/resource_harness.rb +173 -115
data/lib/puppet/type.rb +30 -13
data/lib/puppet/type/augeas.rb +12 -46
data/lib/puppet/type/component.rb +1 -7
data/lib/puppet/type/cron.rb +0 -0
data/lib/puppet/type/exec.rb +13 -1
data/lib/puppet/type/file.rb +19 -10
data/lib/puppet/type/file/checksum.rb +0 -0
data/lib/puppet/type/file/content.rb +3 -0
data/lib/puppet/type/file/ensure.rb +33 -15
data/lib/puppet/type/file/group.rb +0 -0
data/lib/puppet/type/file/mode.rb +6 -2
data/lib/puppet/type/file/owner.rb +0 -0
data/lib/puppet/type/file/source.rb +65 -14
data/lib/puppet/type/file/target.rb +6 -6
data/lib/puppet/type/file/type.rb +0 -0
data/lib/puppet/type/filebucket.rb +0 -0
data/lib/puppet/type/group.rb +18 -0
data/lib/puppet/type/host.rb +0 -0
data/lib/puppet/type/k5login.rb +4 -4
data/lib/puppet/type/mailalias.rb +0 -0
data/lib/puppet/type/maillist.rb +0 -0
data/lib/puppet/type/mount.rb +15 -1
data/lib/puppet/type/package.rb +7 -1
data/lib/puppet/type/port.rb +0 -0
data/lib/puppet/type/schedule.rb +9 -4
data/lib/puppet/type/service.rb +1 -1
data/lib/puppet/type/sshkey.rb +0 -0
data/lib/puppet/type/tidy.rb +1 -1
data/lib/puppet/type/user.rb +3 -0
data/lib/puppet/type/yumrepo.rb +8 -6
data/lib/puppet/type/zpool.rb +0 -0
data/lib/puppet/util.rb +4 -31
data/lib/puppet/util/adsi.rb +73 -17
data/lib/puppet/util/autoload.rb +3 -3
data/lib/puppet/util/backups.rb +4 -4
data/lib/puppet/util/cacher.rb +7 -13
data/lib/puppet/util/checksums.rb +2 -2
data/lib/puppet/util/classgen.rb +3 -1
data/lib/puppet/util/colors.rb +1 -0
data/lib/puppet/util/command_line.rb +5 -0
data/lib/puppet/util/docs.rb +33 -27
data/lib/puppet/util/execution.rb +42 -18
data/lib/puppet/util/filetype.rb +3 -3
data/lib/puppet/util/instance_loader.rb +2 -2
data/lib/puppet/util/instrumentation.rb +23 -42
data/lib/puppet/util/instrumentation/data.rb +11 -4
data/lib/puppet/util/instrumentation/indirection_probe.rb +11 -4
data/lib/puppet/util/instrumentation/instrumentable.rb +7 -14
data/lib/puppet/util/instrumentation/listener.rb +15 -8
data/lib/puppet/util/instrumentation/listeners/log.rb +4 -10
data/lib/puppet/util/instrumentation/listeners/performance.rb +8 -14
data/lib/puppet/util/limits.rb +12 -0
data/lib/puppet/util/lockfile.rb +2 -2
data/lib/puppet/util/log.rb +14 -6
data/lib/puppet/util/log/destinations.rb +23 -1
data/lib/puppet/util/metric.rb +9 -3
data/lib/puppet/util/monkey_patches.rb +7 -2
data/lib/puppet/util/network_device/config.rb +1 -1
data/lib/puppet/util/plugins.rb +1 -1
data/lib/puppet/util/posix.rb +0 -0
data/lib/puppet/util/profiler.rb +7 -2
data/lib/puppet/util/provider_features.rb +2 -2
data/lib/puppet/util/rdoc.rb +28 -30
data/lib/puppet/util/rdoc/code_objects.rb +75 -25
data/lib/puppet/util/rdoc/generators/puppet_generator.rb +1 -1
data/lib/puppet/util/rdoc/parser.rb +12 -487
data/lib/puppet/util/rdoc/parser/puppet_parser_core.rb +477 -0
data/lib/puppet/util/rdoc/parser/puppet_parser_rdoc1.rb +19 -0
data/lib/puppet/util/rdoc/parser/puppet_parser_rdoc2.rb +14 -0
data/lib/puppet/util/reference.rb +1 -1
data/lib/puppet/util/resource_template.rb +1 -1
data/lib/puppet/util/selinux.rb +1 -1
data/lib/puppet/util/storage.rb +2 -2
data/lib/puppet/util/suidmanager.rb +1 -1
data/lib/puppet/util/tag_set.rb +29 -0
data/lib/puppet/util/tagging.rb +8 -24
data/lib/puppet/util/watched_file.rb +1 -1
data/lib/puppet/util/watcher.rb +1 -1
data/lib/puppet/util/windows.rb +3 -0
data/lib/puppet/util/windows/access_control_entry.rb +84 -0
data/lib/puppet/util/windows/access_control_list.rb +106 -0
data/lib/puppet/util/windows/file.rb +213 -0
data/lib/puppet/util/windows/process.rb +199 -0
data/lib/puppet/util/windows/root_certs.rb +52 -37
data/lib/puppet/util/windows/security.rb +270 -245
data/lib/puppet/util/windows/security_descriptor.rb +62 -0
data/lib/puppet/util/windows/sid.rb +26 -4
data/lib/puppet/version.rb +2 -2
data/spec/fixtures/releases/jamtur01-apache/lib/puppet/provider/a2mod/debian.rb +1 -1
data/spec/fixtures/unit/indirector/{hiera → data_binding/hiera}/global.yaml +0 -0
data/spec/fixtures/unit/indirector/data_binding/hiera/invalid.yaml +1 -0
data/spec/fixtures/unit/module/trailing-comma.json +24 -0
data/spec/fixtures/unit/util/monkey_patches/x509.pem +32 -0
data/spec/integration/application/apply_spec.rb +1 -1
data/spec/integration/application/doc_spec.rb +1 -1
data/spec/integration/configurer_spec.rb +4 -2
data/spec/integration/data_binding.rb +100 -0
data/spec/integration/indirector/catalog/compiler_spec.rb +16 -13
data/spec/integration/indirector/direct_file_server_spec.rb +3 -5
data/spec/integration/indirector/file_content/file_server_spec.rb +2 -2
data/spec/integration/node/facts_spec.rb +1 -1
data/spec/integration/node_spec.rb +1 -1
data/spec/integration/parser/compiler_spec.rb +90 -0
data/spec/integration/parser/parser_spec.rb +2 -2
data/spec/integration/provider/cron/crontab_spec.rb +3 -5
data/spec/integration/resource/catalog_spec.rb +1 -1
data/spec/integration/ssl/autosign_spec.rb +90 -0
data/spec/integration/ssl/certificate_authority_spec.rb +62 -69
data/spec/integration/ssl/certificate_revocation_list_spec.rb +1 -1
data/spec/integration/ssl/host_spec.rb +1 -1
data/spec/integration/transaction_spec.rb +13 -13
data/spec/integration/type/exec_spec.rb +2 -2
data/spec/integration/type/file_spec.rb +287 -45
data/spec/integration/type/tidy_spec.rb +3 -3
data/spec/integration/util/rdoc/parser_spec.rb +236 -35
data/spec/integration/util/settings_spec.rb +1 -1
data/spec/integration/util/windows/process_spec.rb +22 -0
data/spec/integration/util/windows/security_spec.rb +316 -106
data/spec/lib/matchers/containment_matchers.rb +52 -0
data/spec/lib/puppet_spec/compiler.rb +6 -0
data/spec/lib/puppet_spec/files.rb +20 -21
data/spec/shared_behaviours/documentation_on_faces.rb +3 -3
data/spec/shared_behaviours/file_server_terminus.rb +2 -2
data/spec/shared_contexts/platform.rb +1 -0
data/spec/spec_helper.rb +13 -1
data/spec/unit/agent_spec.rb +0 -12
data/spec/unit/application/agent_spec.rb +4 -4
data/spec/unit/application/apply_spec.rb +18 -2
data/spec/unit/application/cert_spec.rb +8 -6
data/spec/unit/application/device_spec.rb +1 -1
data/spec/unit/application/filebucket_spec.rb +1 -1
data/spec/unit/application/inspect_spec.rb +1 -1
data/spec/unit/application_spec.rb +24 -0
data/spec/unit/configurer/downloader_spec.rb +8 -7
data/spec/unit/configurer/fact_handler_spec.rb +23 -0
data/spec/unit/configurer/plugin_handler_spec.rb +7 -2
data/spec/unit/configurer_spec.rb +15 -5
data/spec/unit/{provider/confine → confine}/exists_spec.rb +12 -12
data/spec/unit/{provider/confine → confine}/false_spec.rb +9 -9
data/spec/unit/{provider/confine → confine}/feature_spec.rb +10 -10
data/spec/unit/{provider/confine → confine}/true_spec.rb +7 -7
data/spec/unit/{provider/confine → confine}/variable_spec.rb +16 -16
data/spec/unit/{provider/confine_collection_spec.rb → confine_collection_spec.rb} +30 -30
data/spec/unit/{provider/confine_spec.rb → confine_spec.rb} +11 -11
data/spec/unit/{provider/confiner_spec.rb → confiner_spec.rb} +4 -4
data/spec/unit/face/parser_spec.rb +54 -0
data/spec/unit/file_bucket/dipper_spec.rb +2 -2
data/spec/unit/file_serving/base_spec.rb +32 -9
data/spec/unit/file_serving/configuration_spec.rb +7 -7
data/spec/unit/file_serving/content_spec.rb +12 -7
data/spec/unit/file_serving/fileset_spec.rb +57 -27
data/spec/unit/file_serving/metadata_spec.rb +74 -12
data/spec/unit/file_serving/mount/file_spec.rb +10 -10
data/spec/unit/file_serving/mount/pluginfacts_spec.rb +73 -0
data/spec/unit/file_system/file_spec.rb +486 -0
data/spec/unit/file_system/tempfile_spec.rb +48 -0
data/spec/unit/graph/relationship_graph_spec.rb +0 -6
data/spec/unit/hiera_puppet_spec.rb +2 -2
data/spec/unit/indirector/catalog/compiler_spec.rb +15 -19
data/spec/unit/indirector/certificate_status/file_spec.rb +30 -40
data/spec/unit/indirector/data_binding/hiera_spec.rb +95 -2
data/spec/unit/indirector/direct_file_server_spec.rb +6 -6
data/spec/unit/indirector/facts/facter_spec.rb +33 -0
data/spec/unit/indirector/file_bucket_file/file_spec.rb +61 -52
data/spec/unit/indirector/file_metadata/file_spec.rb +2 -2
data/spec/unit/indirector/file_server_spec.rb +4 -4
data/spec/unit/indirector/json_spec.rb +4 -4
data/spec/unit/indirector/key/file_spec.rb +13 -14
data/spec/unit/indirector/resource/ral_spec.rb +7 -0
data/spec/unit/indirector/resource/store_configs_spec.rb +11 -0
data/spec/unit/indirector/rest_spec.rb +7 -3
data/spec/unit/indirector/ssl_file_spec.rb +14 -17
data/spec/unit/indirector/yaml_spec.rb +4 -4
data/spec/unit/module_spec.rb +43 -15
data/spec/unit/module_tool/tar/gnu_spec.rb +2 -2
data/spec/unit/module_tool/tar/solaris_spec.rb +2 -2
data/spec/unit/module_tool/tar_spec.rb +45 -0
data/spec/unit/network/authconfig_spec.rb +2 -1
data/spec/unit/network/authentication_spec.rb +2 -2
data/spec/unit/network/format_handler_spec.rb +2 -2
data/spec/unit/network/formats_spec.rb +24 -0
data/spec/unit/network/http/connection_spec.rb +76 -199
data/spec/unit/network/http/handler_spec.rb +33 -34
data/spec/unit/network/http_pool_spec.rb +8 -5
data/spec/unit/node/environment_spec.rb +76 -90
data/spec/unit/node/facts_spec.rb +20 -3
data/spec/unit/node_spec.rb +43 -0
data/spec/unit/parameter/boolean_spec.rb +22 -12
data/spec/unit/parser/ast/resourceparam_spec.rb +51 -0
data/spec/unit/parser/compiler_spec.rb +103 -35
data/spec/unit/parser/eparser_adapter_spec.rb +12 -12
data/spec/unit/parser/files_spec.rb +11 -11
data/spec/unit/parser/functions/contain_spec.rb +185 -0
data/spec/unit/parser/functions/create_resources_spec.rb +13 -5
data/spec/unit/parser/functions/generate_spec.rb +1 -1
data/spec/unit/parser/functions_spec.rb +2 -2
data/spec/unit/parser/lexer_spec.rb +1 -1
data/spec/unit/parser/methods/each_spec.rb +1 -1
data/spec/unit/parser/methods/{select_spec.rb → filter_spec.rb} +11 -11
data/spec/unit/parser/methods/map_spec.rb +95 -0
data/spec/unit/parser/methods/reduce_spec.rb +12 -11
data/spec/unit/parser/methods/shared.rb +5 -5
data/spec/unit/parser/methods/slice_spec.rb +13 -13
data/spec/unit/parser/parser_spec.rb +1 -1
data/spec/unit/parser/resource/param_spec.rb +44 -0
data/spec/unit/parser/resource_spec.rb +16 -15
data/spec/unit/pops/model/ast_transformer_spec.rb +18 -4
data/spec/unit/pops/parser/lexer_spec.rb +22 -5
data/spec/unit/pops/parser/parse_calls_spec.rb +5 -5
data/spec/unit/pops/transformer/transform_calls_spec.rb +6 -6
data/spec/unit/pops/transformer/transform_containers_spec.rb +2 -2
data/spec/unit/pops/validator/validator_spec.rb +31 -0
data/spec/unit/provider/augeas/augeas_spec.rb +57 -2
data/spec/unit/provider/exec/posix_spec.rb +8 -3
data/spec/unit/provider/file/posix_spec.rb +2 -2
data/spec/unit/provider/group/windows_adsi_spec.rb +70 -3
data/spec/unit/provider/nameservice/directoryservice_spec.rb +3 -3
data/spec/unit/provider/package/apt_spec.rb +1 -1
data/spec/unit/provider/package/msi_spec.rb +15 -42
data/spec/unit/provider/package/openbsd_spec.rb +3 -3
data/spec/unit/provider/package/rpm_spec.rb +56 -13
data/spec/unit/provider/package/windows_spec.rb +15 -19
data/spec/unit/provider/service/base_spec.rb +1 -1
data/spec/unit/provider/service/daemontools_spec.rb +18 -8
data/spec/unit/provider/service/freebsd_spec.rb +3 -3
data/spec/unit/provider/service/gentoo_spec.rb +5 -2
data/spec/unit/provider/service/init_spec.rb +17 -17
data/spec/unit/provider/service/launchd_spec.rb +76 -23
data/spec/unit/provider/service/openbsd_spec.rb +125 -0
data/spec/unit/provider/service/openwrt_spec.rb +1 -1
data/spec/unit/provider/service/runit_spec.rb +12 -5
data/spec/unit/provider/service/upstart_spec.rb +4 -4
data/spec/unit/provider/ssh_authorized_key/parsed_spec.rb +5 -5
data/spec/unit/provider/user/directoryservice_spec.rb +4 -4
data/spec/unit/provider/zone/solaris_spec.rb +1 -1
data/spec/unit/provider_spec.rb +2 -2
data/spec/unit/reports/http_spec.rb +19 -34
data/spec/unit/reports/store_spec.rb +2 -2
data/spec/unit/resource/catalog_spec.rb +81 -11
data/spec/unit/resource/status_spec.rb +11 -1
data/spec/unit/resource/type_spec.rb +30 -1
data/spec/unit/resource_spec.rb +40 -4
data/spec/unit/settings/file_setting_spec.rb +2 -2
data/spec/unit/settings/path_setting_spec.rb +2 -2
data/spec/unit/settings/priority_setting_spec.rb +66 -0
data/spec/unit/settings_spec.rb +16 -31
data/spec/unit/ssl/certificate_authority/autosign_command_spec.rb +30 -0
data/spec/unit/ssl/certificate_authority_spec.rb +129 -134
data/spec/unit/ssl/certificate_factory_spec.rb +18 -0
data/spec/unit/ssl/certificate_request_attributes_spec.rb +61 -0
data/spec/unit/ssl/certificate_request_spec.rb +103 -0
data/spec/unit/ssl/certificate_spec.rb +31 -18
data/spec/unit/ssl/host_spec.rb +34 -8
data/spec/unit/ssl/inventory_spec.rb +27 -62
data/spec/unit/ssl/key_spec.rb +4 -4
data/spec/unit/ssl/oids_spec.rb +48 -0
data/spec/unit/ssl/validator_spec.rb +49 -6
data/spec/unit/status_spec.rb +9 -0
data/spec/unit/transaction/event_spec.rb +1 -9
data/spec/unit/transaction/report_spec.rb +20 -1
data/spec/unit/transaction/resource_harness_spec.rb +60 -210
data/spec/unit/transaction_spec.rb +54 -8
data/spec/unit/type/component_spec.rb +2 -2
data/spec/unit/type/exec_spec.rb +14 -7
data/spec/unit/type/file/content_spec.rb +13 -2
data/spec/unit/type/file/ctime_spec.rb +1 -1
data/spec/unit/type/file/mode_spec.rb +48 -2
data/spec/unit/type/file/mtime_spec.rb +1 -1
data/spec/unit/type/file/source_spec.rb +177 -7
data/spec/unit/type/file_spec.rb +63 -71
data/spec/unit/type/group_spec.rb +20 -0
data/spec/unit/type/k5login_spec.rb +3 -3
data/spec/unit/type/mount_spec.rb +53 -0
data/spec/unit/type/nagios_spec.rb +216 -0
data/spec/unit/type/package_spec.rb +7 -1
data/spec/unit/type/schedule_spec.rb +6 -0
data/spec/unit/type/service_spec.rb +3 -3
data/spec/unit/type/tidy_spec.rb +14 -14
data/spec/unit/type/user_spec.rb +9 -0
data/spec/unit/type_spec.rb +86 -4
data/spec/unit/util/adsi_spec.rb +120 -12
data/spec/unit/util/autoload_spec.rb +14 -14
data/spec/unit/util/backups_spec.rb +29 -21
data/spec/unit/util/checksums_spec.rb +2 -1
data/spec/unit/util/command_line_spec.rb +41 -0
data/spec/unit/util/docs_spec.rb +91 -0
data/spec/unit/util/execution_spec.rb +26 -2
data/spec/unit/util/filetype_spec.rb +7 -7
data/spec/unit/util/lockfile_spec.rb +2 -2
data/spec/unit/util/log/destinations_spec.rb +32 -0
data/spec/unit/util/monkey_patches_spec.rb +41 -0
data/spec/unit/util/pidlock_spec.rb +6 -6
data/spec/unit/util/rdoc/parser_spec.rb +15 -13
data/spec/unit/util/rdoc_spec.rb +18 -24
data/spec/unit/util/resource_template_spec.rb +3 -3
data/spec/unit/util/selinux_spec.rb +4 -2
data/spec/unit/util/storage_spec.rb +4 -4
data/spec/unit/util/suidmanager_spec.rb +7 -0
data/spec/unit/util/tag_set_spec.rb +46 -0
data/spec/unit/util/tagging_spec.rb +82 -45
data/spec/unit/util/watcher_spec.rb +4 -1
data/spec/unit/util/windows/access_control_entry_spec.rb +67 -0
data/spec/unit/util/windows/access_control_list_spec.rb +133 -0
data/spec/unit/util/windows/root_certs_spec.rb +10 -8
data/spec/unit/util/windows/security_descriptor_spec.rb +117 -0
data/spec/unit/util/windows/sid_spec.rb +69 -0
data/spec/unit/util_spec.rb +7 -7
data/tasks/ci.rake +17 -36
metadata +2811 -2746
checksums.yaml +0 -7
data/examples/mac_automount.pp +0 -16
data/examples/mcx_dock_absent.pp +0 -4
data/examples/mcx_dock_default.pp +0 -118
data/examples/mcx_dock_full.pp +0 -125
data/examples/mcx_dock_invalid.pp +0 -9
data/examples/mcx_nogroup.pp +0 -118
data/examples/mcx_notexists_absent.pp +0 -4
data/ext/rack/README +0 -58
data/ext/rack/manifest.pp +0 -59
data/lib/puppet/external/lock.rb +0 -63
data/lib/puppet/indirector/hiera.rb +0 -39
data/lib/puppet/parser/functions/foreach.rb +0 -95
data/spec/integration/network/server/webrick_spec.rb +0 -76
data/spec/integration/parser/functions_spec.rb +0 -16
data/spec/unit/indirector/hiera_spec.rb +0 -154
data/spec/unit/parser/methods/collect_spec.rb +0 -153
data/spec/unit/parser/methods/foreach_spec.rb +0 -91
data/spec/unit/parser/methods/reject_spec.rb +0 -73
data/spec/unit/resource/resource_type.json +0 -34

data/spec/integration/type/tidy_spec.rb CHANGED

@@ -12,12 +12,12 @@ describe Puppet::Type.type(:tidy) do
   end
   # Testing #355.
-  it "should be able to remove dead links", :unless => Puppet.features.microsoft_windows? do
+  it "should be able to remove dead links", :if => Puppet.features.manages_symlinks? do
     dir = tmpfile("tidy_link_testing")
     link = File.join(dir, "link")
     target = tmpfile("no_such_file_tidy_link_testing")
     Dir.mkdir(dir)
-    File.symlink(target, link)
+    Puppet::FileSystem::File.new(target).symlink(link)
     tidy = Puppet::Type.type(:tidy).new :path => dir, :recurse => true
@@ -26,6 +26,6 @@ describe Puppet::Type.type(:tidy) do
     catalog.apply
-    FileTest.should_not be_symlink(link)
+    Puppet::FileSystem::File.new(link).symlink?.should be_false
   end
 end

data/spec/integration/util/rdoc/parser_spec.rb CHANGED

@@ -1,60 +1,261 @@
 #! /usr/bin/env ruby
 require 'spec_helper'
+require 'puppet/util/rdoc'
-describe "RDoc::Parser", :if => Puppet.features.rdoc1? do
+describe "RDoc::Parser" do
   require 'puppet_spec/files'
   include PuppetSpec::Files
-  before :all do
-    require 'puppet/resource/type_collection'
-    require 'puppet/util/rdoc/parser'
-    require 'puppet/util/rdoc'
-    require 'puppet/util/rdoc/code_objects'
-    require 'rdoc/options'
-    require 'rdoc/rdoc'
+  let(:document_all) { false }
+  let(:tmp_dir) { tmpdir('rdoc_parser_tmp') }
+  let(:doc_dir) { File.join(tmp_dir, 'doc') }
+  let(:manifests_dir) { File.join(tmp_dir, 'manifests') }
+  let(:modules_dir) { File.join(tmp_dir, 'modules') }
+  let(:modules_and_manifests) do
+    {
+      :site => [
+        File.join(manifests_dir, 'site.pp'),
+        <<-EOF
+# The test class comment
+class test {
+  # The virtual resource comment
+  @notify { virtual: }
+  # The a_notify_resource comment
+  notify { a_notify_resource:
+    message => "a_notify_resource message"
+  }
+}
+# The includes_another class comment
+class includes_another {
+  include another
+}
+# The requires_another class comment
+class requires_another {
+  require another
+}
+# node comment
+node foo {
+  include test
+  $a_var = "var_value"
+  realize Notify[virtual]
+  notify { bar: }
+}
+        EOF
+      ],
+      :module_readme => [
+        File.join(modules_dir, 'a_module', 'README'),
+        <<-EOF
+The a_module README docs.
+        EOF
+      ],
+      :module_init => [
+        File.join(modules_dir, 'a_module', 'manifests', 'init.pp'),
+        <<-EOF
+# The a_module class comment
+class a_module {}
+class another {}
+        EOF
+      ],
+      :module_type => [
+        File.join(modules_dir, 'a_module', 'manifests', 'a_type.pp'),
+        <<-EOF
+# The a_type type comment
+define a_module::a_type() {}
+        EOF
+      ],
+      :module_plugin => [
+        File.join(modules_dir, 'a_module', 'lib', 'puppet', 'type', 'a_plugin.rb'),
+        <<-EOF
+# The a_plugin type comment
+Puppet::Type.newtype(:a_plugin) do
+  @doc = "Not presented"
+end
+        EOF
+      ],
+      :module_function => [
+        File.join(modules_dir, 'a_module', 'lib', 'puppet', 'parser', 'a_function.rb'),
+        <<-EOF
+# The a_function function comment
+module Puppet::Parser::Functions
+  newfunction(:a_function, :type => :rvalue) do
+    return
+  end
+end
+        EOF
+      ],
+      :module_fact => [
+        File.join(modules_dir, 'a_module', 'lib', 'facter', 'a_fact.rb'),
+        <<-EOF
+# The a_fact fact comment
+Facter.add("a_fact") do
+end
+        EOF
+      ],
+    }
   end
-  before :each do
-    tmpdir = tmpfile('rdoc_parser_tmp')
-    Dir.mkdir(tmpdir)
-    @parsedfile = File.join(tmpdir, 'init.pp')
+  def write_file(file, content)
+    FileUtils.mkdir_p(File.dirname(file))
+    File.open(file, 'w') do |f|
+      f.puts(content)
+    end
+  end
-    File.open(@parsedfile, 'w') do |f|
-      f.puts '# comment'
-      f.puts 'class ::test {}'
+  def prepare_manifests_and_modules
+    modules_and_manifests.each do |key,array|
+      write_file(*array)
     end
+  end
+  def file_exists_and_matches_content(file, *content_patterns)
+    Puppet::FileSystem::File.exist?(file).should(be_true, "Cannot find #{file}")
+    content_patterns.each do |pattern|
+      content = File.read(file)
+      content.should match(pattern)
+    end
+  end
-    @top_level = stub_everything 'toplevel', :file_relative_name => @parsedfile
-    @module = stub_everything 'module'
-    @puppet_top_level = RDoc::PuppetTopLevel.new(@top_level)
-    RDoc::PuppetTopLevel.stubs(:new).returns(@puppet_top_level)
-    @puppet_top_level.expects(:add_module).returns(@module)
-    @parser = RDoc::Parser.new(@top_level, @parsedfile, nil, Options.instance, RDoc::Stats.new)
+  def some_file_exists_with_matching_content(glob, *content_patterns)
+    Dir.glob(glob).select do |f|
+      contents = File.read(f)
+      content_patterns.all? { |p| p.match(contents) }
+    end.should_not(be_empty, "Could not match #{content_patterns} in any of the files found in #{glob}")
   end
-  after(:each) do
-    File.unlink(@parsedfile)
+  before :each do
+    prepare_manifests_and_modules
+    Puppet.settings[:document_all] = document_all
+    Puppet.settings[:modulepath] = modules_dir
+    Puppet::Util::RDoc.rdoc(doc_dir, [modules_dir, manifests_dir])
   end
-  def get_test_class(toplevel)
-    # toplevel -> main -> test
-    toplevel.classes[0].classes[0]
+  module RdocTesters
+    def has_module_rdoc(module_name, *other_test_patterns)
+      file_exists_and_matches_content(module_path(module_name), /Module:? +#{module_name}/i, *other_test_patterns)
+    end
+    def has_node_rdoc(module_name, node_name, *other_test_patterns)
+      file_exists_and_matches_content(node_path(module_name, node_name), /#{node_name}/, /node comment/, *other_test_patterns)
+    end
+    def has_defined_type(module_name, type_name)
+      file_exists_and_matches_content(module_path(module_name), /#{type_name}.*?\(\s*\)/m, "The .*?#{type_name}.*? type comment")
+    end
+    def has_class_rdoc(module_name, class_name, *other_test_patterns)
+      file_exists_and_matches_content(class_path(module_name, class_name), /#{class_name}.*? class comment/, *other_test_patterns)
+    end
+    def has_plugin_rdoc(module_name, type, name)
+      file_exists_and_matches_content(plugin_path(module_name, type, name), /The .*?#{name}.*?\s*#{type} comment/m, /Type.*?#{type}/m)
+    end
   end
-  it "should parse to RDoc data structure" do
-    @parser.expects(:document_class).with { |n,k,c| n == "::test" and k.is_a?(Puppet::Resource::Type) }
-    @parser.scan
+  shared_examples_for :an_rdoc_site do
+    it "documents the __site__ module" do
+      has_module_rdoc("__site__")
+    end
+    it "documents the __site__::test class" do
+      has_class_rdoc("__site__", "test")
+    end
+    it "documents the __site__::foo node" do
+      has_node_rdoc("__site__", "foo")
+    end
+    it "documents the a_module module" do
+      has_module_rdoc("a_module", /The .*?a_module.*? .*?README.*?docs/m)
+    end
+    it "documents the a_module::a_module class" do
+      has_class_rdoc("a_module", "a_module")
+    end
+    it "documents the a_module::a_type defined type" do
+      has_defined_type("a_module", "a_type")
+    end
+    it "documents the a_module::a_plugin type" do
+      has_plugin_rdoc("a_module", :type, 'a_plugin')
+    end
+    it "documents the a_module::a_function function" do
+      has_plugin_rdoc("a_module", :function, 'a_function')
+    end
+    it "documents the a_module::a_fact fact" do
+      has_plugin_rdoc("a_module", :fact, 'a_fact')
+    end
+    it "documents included classes" do
+      has_class_rdoc("__site__", "includes_another", /Included.*?another/m)
+    end
   end
-  it "should get a PuppetClass for the main class" do
-    @parser.scan.classes[0].should be_a(RDoc::PuppetClass)
+  shared_examples_for :an_rdoc1_site do
+    it "documents required classes" do
+      has_class_rdoc("__site__", "requires_another", /Required Classes.*?another/m)
+    end
+    it "documents realized resources" do
+      has_node_rdoc("__site__", "foo", /Realized Resources.*?Notify\[virtual\]/m)
+    end
+    it "documents global variables" do
+      has_node_rdoc("__site__", "foo", /Global Variables.*?a_var.*?=.*?var_value/m)
+    end
+    describe "when document_all is true" do
+      let(:document_all) { true }
+      it "documents virtual resource declarations" do
+        has_class_rdoc("__site__", "test", /Resources.*?Notify\[virtual\]/m, /The virtual resource comment/)
+      end
+      it "documents resources" do
+        has_class_rdoc("__site__", "test", /Resources.*?Notify\[a_notify_resource\]/m, /message => "a_notify_resource message"/, /The a_notify_resource comment/)
+      end
+    end
   end
-  it "should produce a PuppetClass whose name is test" do
-    get_test_class(@parser.scan).name.should == "test"
+  describe "rdoc1 support", :if => Puppet.features.rdoc1? do
+    def module_path(module_name); "#{doc_dir}/classes/#{module_name}.html" end
+    def node_path(module_name, node_name);  "#{doc_dir}/nodes/**/*.html" end
+    def class_path(module_name, class_name); "#{doc_dir}/classes/#{module_name}/#{class_name}.html" end
+    def plugin_path(module_name, type, name); "#{doc_dir}/plugins/#{name}.html" end
+    include RdocTesters
+    def has_node_rdoc(module_name, node_name, *other_test_patterns)
+      some_file_exists_with_matching_content(node_path(module_name, node_name), /#{node_name}/, /node comment/, *other_test_patterns)
+    end
+    it_behaves_like :an_rdoc_site
+    it_behaves_like :an_rdoc1_site
+    it "references nodes and classes in the __site__ module" do
+      file_exists_and_matches_content("#{doc_dir}/classes/__site__.html", /Node.*__site__::foo/, /Class.*__site__::test/)
+    end
+    it "references functions, facts, and type plugins in the a_module module" do
+      file_exists_and_matches_content("#{doc_dir}/classes/a_module.html", /a_function/, /a_fact/, /a_plugin/, /Class.*a_module::a_module/)
+    end
   end
-  it "should produce a PuppetClass whose comment is 'comment'" do
-    get_test_class(@parser.scan).comment.should == "comment\n"
+  describe "rdoc2 support", :if => !Puppet.features.rdoc1? do
+    def module_path(module_name); "#{doc_dir}/#{module_name}.html" end
+    def node_path(module_name, node_name);  "#{doc_dir}/#{module_name}/__nodes__/#{node_name}.html" end
+    def class_path(module_name, class_name); "#{doc_dir}/#{module_name}/#{class_name}.html" end
+    def plugin_path(module_name, type, name); "#{doc_dir}/#{module_name}/__#{type}s__.html" end
+    include RdocTesters
+    it_behaves_like :an_rdoc_site
   end
 end

data/spec/integration/util/settings_spec.rb CHANGED

@@ -41,7 +41,7 @@ describe Puppet::Settings do
     settings.use(:main)
-    expect(File.stat(settings[:maindir]).mode & 007777).to eq(Puppet.features.microsoft_windows? ? 0755 : 0750)
+    expect(Puppet::FileSystem::File.new(settings[:maindir]).stat.mode & 007777).to eq(Puppet.features.microsoft_windows? ? 0755 : 0750)
   end
   it "reparses configuration if configuration file is touched", :if => !Puppet.features.microsoft_windows? do

data/spec/integration/util/windows/process_spec.rb ADDED

@@ -0,0 +1,22 @@
+#! /usr/bin/env ruby
+require 'spec_helper'
+require 'facter'
+describe "Puppet::Util::Windows::Process", :if => Puppet.features.microsoft_windows?  do
+  describe "as an admin" do
+    it "should have the SeCreateSymbolicLinkPrivilege necessary to create symlinks on Vista / 2008+",
+      :if => Facter.value(:kernelmajversion).to_f >= 6.0 && Puppet.features.microsoft_windows? do
+      # this is a bit of a lame duck test since it requires running user to be admin
+      # a better integration test would create a new user with the privilege and verify
+      Puppet::Util::Windows::User.should be_admin
+      Puppet::Util::Windows::Process.process_privilege_symlink?.should be_true
+    end
+    it "should not have the SeCreateSymbolicLinkPrivilege necessary to create symlinks on 2003 and earlier",
+      :if => Facter.value(:kernelmajversion).to_f < 6.0 && Puppet.features.microsoft_windows? do
+      Puppet::Util::Windows::User.should be_admin
+      Puppet::Util::Windows::Process.process_privilege_symlink?.should be_false
+    end
+  end
+end

data/spec/integration/util/windows/security_spec.rb CHANGED

@@ -16,31 +16,64 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
   before :all do
     @sids = {
       :current_user => Puppet::Util::Windows::Security.name_to_sid(Sys::Admin.get_login),
+      :system => Win32::Security::SID::LocalSystem,
       :admin => Puppet::Util::Windows::Security.name_to_sid("Administrator"),
+      :administrators => Win32::Security::SID::BuiltinAdministrators,
       :guest => Puppet::Util::Windows::Security.name_to_sid("Guest"),
       :users => Win32::Security::SID::BuiltinUsers,
       :power_users => Win32::Security::SID::PowerUsers,
+      :none => Win32::Security::SID::Nobody,
+      :everyone => Win32::Security::SID::Everyone
     }
   end
   let (:sids) { @sids }
   let (:winsec) { WindowsSecurityTester.new }
+  def set_group_depending_on_current_user(path)
+    if sids[:current_user] == sids[:system]
+      # if the current user is SYSTEM, by setting the group to
+      # guest, SYSTEM is automagically given full control, so instead
+      # override that behavior with SYSTEM as group and a specific mode
+      winsec.set_group(sids[:system], path)
+      mode = winsec.get_mode(path)
+      winsec.set_mode(mode & ~WindowsSecurityTester::S_IRWXG, path)
+    else
+      winsec.set_group(sids[:guest], path)
+    end
+  end
   shared_examples_for "only child owner" do
     it "should allow child owner" do
-      check_child_owner
+      winsec.set_owner(sids[:guest], parent)
+      winsec.set_group(sids[:current_user], parent)
+      winsec.set_mode(0700, parent)
+      check_delete(path)
     end
     it "should deny parent owner" do
-      lambda { check_parent_owner }.should raise_error(Errno::EACCES)
+      winsec.set_owner(sids[:guest], path)
+      winsec.set_group(sids[:current_user], path)
+      winsec.set_mode(0700, path)
+      lambda { check_delete(path) }.should raise_error(Errno::EACCES)
     end
     it "should deny group" do
-      lambda { check_group }.should raise_error(Errno::EACCES)
+      winsec.set_owner(sids[:guest], path)
+      winsec.set_group(sids[:current_user], path)
+      winsec.set_mode(0700, path)
+      lambda { check_delete(path) }.should raise_error(Errno::EACCES)
     end
     it "should deny other" do
-      lambda { check_other }.should raise_error(Errno::EACCES)
+      winsec.set_owner(sids[:guest], path)
+      winsec.set_group(sids[:current_user], path)
+      winsec.set_mode(0700, path)
+      lambda { check_delete(path) }.should raise_error(Errno::EACCES)
     end
   end
@@ -63,7 +96,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
         after :each do
           winsec.set_mode(WindowsSecurityTester::S_IRWXU, parent)
-          winsec.set_mode(WindowsSecurityTester::S_IRWXU, path) if File.exists?(path)
+          winsec.set_mode(WindowsSecurityTester::S_IRWXU, path) if Puppet::FileSystem::File.exist?(path)
         end
         describe "#supports_acl?" do
@@ -122,6 +155,26 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
           end
         end
+        it "should preserve inherited full control for SYSTEM when setting owner and group" do
+          # new file has SYSTEM
+          system_aces = winsec.get_aces_for_path_by_sid(path, sids[:system])
+          system_aces.should_not be_empty
+          # when running under SYSTEM account, multiple ACEs come back
+          # so we only care that we have at least one of these
+          system_aces.any? do |ace|
+            ace.mask == Windows::File::FILE_ALL_ACCESS
+          end.should be_true
+          # changing the owner/group will no longer make the SD protected
+          winsec.set_group(sids[:power_users], path)
+          winsec.set_owner(sids[:administrators], path)
+          system_aces.find do |ace|
+            ace.mask == Windows::File::FILE_ALL_ACCESS && ace.inherited?
+          end.should_not be_nil
+        end
         describe "#mode=" do
           (0000..0700).step(0100) do |mode|
             it "should enforce mode #{mode.to_s(8)}" do
@@ -151,6 +204,28 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
             end
           end
+          it "should preserve full control for SYSTEM when setting mode" do
+            # new file has SYSTEM
+            system_aces = winsec.get_aces_for_path_by_sid(path, sids[:system])
+            system_aces.should_not be_empty
+            # when running under SYSTEM account, multiple ACEs come back
+            # so we only care that we have at least one of these
+            system_aces.any? do |ace|
+              ace.mask == WindowsSecurityTester::FILE_ALL_ACCESS
+            end.should be_true
+            # changing the mode will make the SD protected
+            winsec.set_group(sids[:none], path)
+            winsec.set_mode(0600, path)
+            # and should have a non-inherited SYSTEM ACE(s)
+            system_aces = winsec.get_aces_for_path_by_sid(path, sids[:system])
+            system_aces.each do |ace|
+              ace.mask.should == Windows::File::FILE_ALL_ACCESS && ! ace.inherited?
+            end
+          end
           describe "for modes that require deny aces" do
             it "should map everyone to group and owner" do
               winsec.set_mode(0426, path)
@@ -167,6 +242,8 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
           describe "for read-only objects" do
             before :each do
+              winsec.set_group(sids[:none], path)
+              winsec.set_mode(0600, path)
               winsec.add_attributes(path, WindowsSecurityTester::FILE_ATTRIBUTE_READONLY)
               (winsec.get_attributes(path) & WindowsSecurityTester::FILE_ATTRIBUTE_READONLY).should be_nonzero
             end
@@ -176,9 +253,17 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
               (winsec.get_attributes(path) & WindowsSecurityTester::FILE_ATTRIBUTE_READONLY).should == 0
             end
-            it "should leave them read-only if no sid has write permission" do
+            it "should leave them read-only if no sid has write permission and should allow full access for SYSTEM" do
               winsec.set_mode(WindowsSecurityTester::S_IRUSR | WindowsSecurityTester::S_IXGRP, path)
               (winsec.get_attributes(path) & WindowsSecurityTester::FILE_ATTRIBUTE_READONLY).should be_nonzero
+              system_aces = winsec.get_aces_for_path_by_sid(path, sids[:system])
+              # when running under SYSTEM account, and set_group / set_owner hasn't been called
+              # SYSTEM full access will be restored
+              system_aces.any? do |ace|
+                ace.mask == Windows::File::FILE_ALL_ACCESS
+              end.should be_true
             end
           end
@@ -189,31 +274,39 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
         describe "#mode" do
           it "should report when extra aces are encounted" do
-            winsec.set_acl(path, true) do |acl|
-              (544..547).each do |rid|
-                winsec.add_access_allowed_ace(acl, WindowsSecurityTester::STANDARD_RIGHTS_ALL, "S-1-5-32-#{rid}")
-              end
+            sd = winsec.get_security_descriptor(path)
+            (544..547).each do |rid|
+              sd.dacl.allow("S-1-5-32-#{rid}", WindowsSecurityTester::STANDARD_RIGHTS_ALL)
             end
+            winsec.set_security_descriptor(path, sd)
             mode = winsec.get_mode(path)
-            (mode & WindowsSecurityTester::S_IEXTRA).should_not == 0
+            (mode & WindowsSecurityTester::S_IEXTRA).should == WindowsSecurityTester::S_IEXTRA
           end
-          it "should warn if a deny ace is encountered" do
-            winsec.set_acl(path) do |acl|
-              winsec.add_access_denied_ace(acl, WindowsSecurityTester::FILE_GENERIC_WRITE, sids[:guest])
-              winsec.add_access_allowed_ace(acl, WindowsSecurityTester::STANDARD_RIGHTS_ALL | WindowsSecurityTester::SPECIFIC_RIGHTS_ALL, sids[:current_user])
-            end
-            Puppet.expects(:warning).with("Unsupported access control entry type: 0x1")
+          it "should return deny aces" do
+            sd = winsec.get_security_descriptor(path)
+            sd.dacl.deny(sids[:guest], WindowsSecurityTester::FILE_GENERIC_WRITE)
+            winsec.set_security_descriptor(path, sd)
-            winsec.get_mode(path)
+            guest_aces = winsec.get_aces_for_path_by_sid(path, sids[:guest])
+            guest_aces.find do |ace|
+              ace.type == WindowsSecurityTester::ACCESS_DENIED_ACE_TYPE
+            end.should_not be_nil
           end
           it "should skip inherit-only ace" do
-            winsec.set_acl(path) do |acl|
-              winsec.add_access_allowed_ace(acl, WindowsSecurityTester::STANDARD_RIGHTS_ALL | WindowsSecurityTester::SPECIFIC_RIGHTS_ALL, sids[:current_user])
-              winsec.add_access_allowed_ace(acl, WindowsSecurityTester::FILE_GENERIC_READ, Win32::Security::SID::Everyone, WindowsSecurityTester::INHERIT_ONLY_ACE | WindowsSecurityTester::OBJECT_INHERIT_ACE)
-            end
+            sd = winsec.get_security_descriptor(path)
+            dacl = Puppet::Util::Windows::AccessControlList.new
+            dacl.allow(
+              sids[:current_user], WindowsSecurityTester::STANDARD_RIGHTS_ALL | WindowsSecurityTester::SPECIFIC_RIGHTS_ALL
+            )
+            dacl.allow(
+              sids[:everyone],
+              WindowsSecurityTester::FILE_GENERIC_READ,
+              WindowsSecurityTester::INHERIT_ONLY_ACE | WindowsSecurityTester::OBJECT_INHERIT_ACE
+            )
+            winsec.set_security_descriptor(path, sd)
             (winsec.get_mode(path) & WindowsSecurityTester::S_IRWXO).should == 0
           end
@@ -224,9 +317,14 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
         end
         describe "inherited access control entries" do
-          it "should be absent when the access control list is protected" do
+          it "should be absent when the access control list is protected, and should not remove SYSTEM" do
             winsec.set_mode(WindowsSecurityTester::S_IRWXU, path)
-            (winsec.get_mode(path) & WindowsSecurityTester::S_IEXTRA).should == 0
+            mode = winsec.get_mode(path)
+            [ WindowsSecurityTester::S_IEXTRA,
+              WindowsSecurityTester::S_ISYSTEM_MISSING ].each do |flag|
+              (mode & flag).should_not == flag
+            end
           end
           it "should be present when the access control list is unprotected" do
@@ -234,13 +332,20 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
             allow = WindowsSecurityTester::STANDARD_RIGHTS_ALL | WindowsSecurityTester::SPECIFIC_RIGHTS_ALL
             inherit = WindowsSecurityTester::OBJECT_INHERIT_ACE | WindowsSecurityTester::CONTAINER_INHERIT_ACE
-            winsec.set_acl(parent, true) do |acl|
-              winsec.add_access_allowed_ace(acl, allow, "S-1-1-0", inherit) # everyone
-              (544..547).each do |rid|
-                winsec.add_access_allowed_ace(acl, WindowsSecurityTester::STANDARD_RIGHTS_ALL, "S-1-5-32-#{rid}", inherit)
-              end
+            sd = winsec.get_security_descriptor(parent)
+            sd.dacl.allow(
+              "S-1-1-0", #everyone
+              allow,
+              inherit
+            )
+            (544..547).each do |rid|
+              sd.dacl.allow(
+                "S-1-5-32-#{rid}",
+                WindowsSecurityTester::STANDARD_RIGHTS_ALL,
+                inherit
+              )
             end
+            winsec.set_security_descriptor(parent, sd)
             # unprotect child, it should inherit from parent
             winsec.set_mode(WindowsSecurityTester::S_IRWXU, path, false)
@@ -252,13 +357,13 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
       describe "for an administrator", :if => Puppet.features.root? do
         before :each do
           winsec.set_mode(WindowsSecurityTester::S_IRWXU | WindowsSecurityTester::S_IRWXG, path)
-          winsec.set_group(sids[:guest], path)
+          set_group_depending_on_current_user(path)
           winsec.set_owner(sids[:guest], path)
           lambda { File.open(path, 'r') }.should raise_error(Errno::EACCES)
         end
         after :each do
-          if File.exists?(path)
+          if Puppet::FileSystem::File.exist?(path)
             winsec.set_owner(sids[:current_user], path)
             winsec.set_mode(WindowsSecurityTester::S_IRWXU, path)
           end
@@ -295,16 +400,18 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
             winsec.get_group(path).should == sids[:admin]
           end
-          it "should allow owner and group to be the same sid" do
-            winsec.set_mode(0610, path)
+          it "should combine owner and group rights when they are the same sid" do
             winsec.set_owner(sids[:power_users], path)
             winsec.set_group(sids[:power_users], path)
+            winsec.set_mode(0610, path)
             winsec.get_owner(path).should == sids[:power_users]
             winsec.get_group(path).should == sids[:power_users]
             # note group execute permission added to user ace, and then group rwx value
             # reflected to match
-            winsec.get_mode(path).to_s(8).should == "770"
+            # Exclude missing system ace, since that's not relevant
+            (winsec.get_mode(path) & 0777).to_s(8).should == "770"
           end
           it "should raise an exception if an invalid sid is provided" do
@@ -355,10 +462,14 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
         end
         describe "#mode" do
-          it "should deny all access when the DACL is empty" do
-            winsec.set_acl(path, true) { |acl| }
+          it "should deny all access when the DACL is empty, including SYSTEM" do
+            sd = winsec.get_security_descriptor(path)
+            # don't allow inherited aces to affect the test
+            protect = true
+            new_sd = Puppet::Util::Windows::SecurityDescriptor.new(sd.owner, sd.group, [], protect)
+            winsec.set_security_descriptor(path, new_sd)
-            winsec.get_mode(path).should == 0
+            winsec.get_mode(path).should == WindowsSecurityTester::S_ISYSTEM_MISSING
           end
           # REMIND: ruby crashes when trying to set a NULL DACL
@@ -378,103 +489,121 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
             winsec.set_mode(0777, path, false)
           end
-          def check_child_owner
-            winsec.set_group(sids[:guest], parent)
-            winsec.set_owner(sids[:guest], parent)
+          describe "is writable and executable" do
+            describe "and sticky bit is set" do
+              it "should allow child owner" do
+                winsec.set_owner(sids[:guest], parent)
+                winsec.set_group(sids[:current_user], parent)
+                winsec.set_mode(01700, parent)
-            check_delete(path)
-          end
+                check_delete(path)
+              end
-        def check_parent_owner
-          winsec.set_group(sids[:guest], path)
-          winsec.set_owner(sids[:guest], path)
+              it "should allow parent owner" do
+                winsec.set_owner(sids[:current_user], parent)
+                winsec.set_group(sids[:guest], parent)
+                winsec.set_mode(01700, parent)
-          check_delete(path)
-        end
+                winsec.set_owner(sids[:current_user], path)
+                winsec.set_group(sids[:guest], path)
+                winsec.set_mode(0700, path)
-        def check_group
-          winsec.set_group(sids[:current_user], path)
-          winsec.set_owner(sids[:guest], path)
+                check_delete(path)
+              end
-          winsec.set_owner(sids[:guest], parent)
+              it "should deny group" do
+                winsec.set_owner(sids[:guest], parent)
+                winsec.set_group(sids[:current_user], parent)
+                winsec.set_mode(01770, parent)
-          check_delete(path)
-        end
+                winsec.set_owner(sids[:guest], path)
+                winsec.set_group(sids[:current_user], path)
+                winsec.set_mode(0700, path)
-        def check_other
-          winsec.set_group(sids[:guest], path)
-          winsec.set_owner(sids[:guest], path)
+                lambda { check_delete(path) }.should raise_error(Errno::EACCES)
+              end
-          winsec.set_owner(sids[:guest], parent)
+              it "should deny other" do
+                winsec.set_owner(sids[:guest], parent)
+                winsec.set_group(sids[:current_user], parent)
+                winsec.set_mode(01777, parent)
-          check_delete(path)
-        end
+                winsec.set_owner(sids[:guest], path)
+                winsec.set_group(sids[:current_user], path)
+                winsec.set_mode(0700, path)
-        describe "is writable and executable" do
-          describe "and sticky bit is set" do
-            before :each do
-              winsec.set_mode(01777, parent)
+                lambda { check_delete(path) }.should raise_error(Errno::EACCES)
+              end
             end
-            it "should allow child owner" do
-              check_child_owner
-            end
+            describe "and sticky bit is not set" do
+              it "should allow child owner" do
+                winsec.set_owner(sids[:guest], parent)
+                winsec.set_group(sids[:current_user], parent)
+                winsec.set_mode(0700, parent)
-            it "should allow parent owner" do
-              check_parent_owner
-            end
+                check_delete(path)
+              end
-            it "should deny group" do
-              lambda { check_group }.should raise_error(Errno::EACCES)
-            end
+              it "should allow parent owner" do
+                winsec.set_owner(sids[:current_user], parent)
+                winsec.set_group(sids[:guest], parent)
+                winsec.set_mode(0700, parent)
-            it "should deny other" do
-              lambda { check_other }.should raise_error(Errno::EACCES)
-            end
-          end
+                winsec.set_owner(sids[:current_user], path)
+                winsec.set_group(sids[:guest], path)
+                winsec.set_mode(0700, path)
-          describe "and sticky bit is not set" do
-            before :each do
-              winsec.set_mode(0777, parent)
-            end
+                check_delete(path)
+              end
-            it "should allow child owner" do
-              check_child_owner
-            end
+              it "should allow group" do
+                winsec.set_owner(sids[:guest], parent)
+                winsec.set_group(sids[:current_user], parent)
+                winsec.set_mode(0770, parent)
-            it "should allow parent owner" do
-              check_parent_owner
-            end
+                winsec.set_owner(sids[:guest], path)
+                winsec.set_group(sids[:current_user], path)
+                winsec.set_mode(0700, path)
-            it "should allow group" do
-              check_group
-            end
+                check_delete(path)
+              end
-            it "should allow other" do
-              check_other
+              it "should allow other" do
+                winsec.set_owner(sids[:guest], parent)
+                winsec.set_group(sids[:current_user], parent)
+                winsec.set_mode(0777, parent)
+                winsec.set_owner(sids[:guest], path)
+                winsec.set_group(sids[:current_user], path)
+                winsec.set_mode(0700, path)
+                check_delete(path)
+              end
             end
           end
-        end
-        describe "is not writable" do
-          before :each do
-            winsec.set_mode(0555, parent)
+          describe "is not writable" do
+            before :each do
+              winsec.set_group(sids[:current_user], parent)
+              winsec.set_mode(0555, parent)
+            end
+            it_behaves_like "only child owner"
           end
-          it_behaves_like "only child owner"
-        end
+          describe "is not executable" do
+            before :each do
+              winsec.set_group(sids[:current_user], parent)
+              winsec.set_mode(0666, parent)
+            end
-        describe "is not executable" do
-          before :each do
-            winsec.set_mode(0666, parent)
+            it_behaves_like "only child owner"
           end
-          it_behaves_like "only child owner"
         end
       end
     end
   end
-  end
   describe "file" do
     let (:parent) do
@@ -603,9 +732,90 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
         Dir.mkdir(newdir)
         [newfile, newdir].each do |p|
-          winsec.get_mode(p).to_s(8).should == mode640.to_s(8)
+          mode = winsec.get_mode(p)
+          (mode & 07777).to_s(8).should == mode640.to_s(8)
         end
       end
     end
   end
+  context "security descriptor" do
+    let(:path) { tmpfile('sec_descriptor') }
+    let(:read_execute) { 0x201FF }
+    let(:synchronize)  { 0x100000 }
+    before :each do
+      FileUtils.touch(path)
+    end
+    it "preserves aces for other users" do
+      dacl = Puppet::Util::Windows::AccessControlList.new
+      sids_in_dacl = [sids[:current_user], sids[:users]]
+      sids_in_dacl.each do |sid|
+        dacl.allow(sid, read_execute)
+      end
+      sd = Puppet::Util::Windows::SecurityDescriptor.new(sids[:guest], sids[:guest], dacl, true)
+      winsec.set_security_descriptor(path, sd)
+      aces = winsec.get_security_descriptor(path).dacl.to_a
+      aces.map(&:sid).should == sids_in_dacl
+      aces.map(&:mask).all? { |mask| mask == read_execute }.should be_true
+    end
+    it "changes the sid for all aces that were assigned to the old owner" do
+      sd = winsec.get_security_descriptor(path)
+      sd.owner.should_not == sids[:guest]
+      sd.dacl.allow(sd.owner, read_execute)
+      sd.dacl.allow(sd.owner, synchronize)
+      sd.owner = sids[:guest]
+      winsec.set_security_descriptor(path, sd)
+      dacl = winsec.get_security_descriptor(path).dacl
+      aces = dacl.find_all { |ace| ace.sid == sids[:guest] }
+      # only non-inherited aces will be reassigned to guest, so
+      # make sure we find at least the two we added
+      aces.size.should >= 2
+    end
+    it "preserves INHERIT_ONLY_ACEs" do
+      # inherit only aces can only be set on directories
+      dir = tmpdir('inheritonlyace')
+      inherit_flags = Puppet::Util::Windows::AccessControlEntry::INHERIT_ONLY_ACE |
+        Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE |
+        Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE
+      sd = winsec.get_security_descriptor(dir)
+      sd.dacl.allow(sd.owner, Windows::File::FILE_ALL_ACCESS, inherit_flags)
+      winsec.set_security_descriptor(dir, sd)
+      sd = winsec.get_security_descriptor(dir)
+      winsec.set_owner(sids[:guest], dir)
+      sd = winsec.get_security_descriptor(dir)
+      sd.dacl.find do |ace|
+        ace.sid == sids[:guest] && ace.inherit_only?
+      end.should_not be_nil
+    end
+    context "when managing mode" do
+      it "removes aces for sids that are neither the owner nor group" do
+        # add a guest ace, it's never owner or group
+        sd = winsec.get_security_descriptor(path)
+        sd.dacl.allow(sids[:guest], read_execute)
+        winsec.set_security_descriptor(path, sd)
+        # setting the mode, it should remove extra aces
+        winsec.set_mode(0770, path)
+        # make sure it's gone
+        dacl = winsec.get_security_descriptor(path).dacl
+        aces = dacl.find_all { |ace| ace.sid == sids[:guest] }
+        aces.should be_empty
+      end
+    end
+  end
 end