puppet 4.0.0 → 4.1.0

data/lib/puppet/util/windows/adsi.rb

@@ -15,7 +15,7 @@ module Puppet::Util::Windows::ADSI
     def connect(uri)
       begin
         WIN32OLE.connect(uri)
-      rescue Exception => e
+      rescue WIN32OLERuntimeError => e
         raise Puppet::Error.new( "ADSI connection error: #{e}", e )
       end
     end
@@ -97,18 +97,19 @@ module Puppet::Util::Windows::ADSI
       [:lpwstr, :lpdword], :win32_bool
   end
 
-  class User
-    extend Enumerable
-    extend FFI::Library
+  module Shared
+    def uri(name, host = '.')
+      if sid_uri = Puppet::Util::Windows::ADSI.sid_uri_safe(name) then return sid_uri end
 
-    attr_accessor :native_user
-    attr_reader :name, :sid
-    def initialize(name, native_user = nil)
-      @name = name
-      @native_user = native_user
+      host = '.' if ['NT AUTHORITY', 'BUILTIN', Socket.gethostname].include?(host)
+
+      # group or user
+      account_type = self.name.split('::').last.downcase
+
+      Puppet::Util::Windows::ADSI.uri(name, account_type, host)
     end
 
-    def self.parse_name(name)
+    def parse_name(name)
       if name =~ /\//
         raise Puppet::Error.new( "Value must be in DOMAIN\\user style syntax" )
       end
@@ -120,20 +121,51 @@ module Puppet::Util::Windows::ADSI
       return account, domain
     end
 
-    def native_user
-      @native_user ||= Puppet::Util::Windows::ADSI.connect(self.class.uri(*self.class.parse_name(@name)))
+    def get_sids(adsi_child_collection)
+      sids = []
+      adsi_child_collection.each do |m|
+        sids << Puppet::Util::Windows::SID.octet_string_to_sid_object(m.objectSID)
+      end
+
+      sids
     end
 
-    def sid
-      @sid ||= Puppet::Util::Windows::SID.octet_string_to_sid_object(native_user.objectSID)
+    def name_sid_hash(names)
+      return {} if names.nil? || names.empty?
+
+      sids = names.map do |name|
+        sid = Puppet::Util::Windows::SID.name_to_sid_object(name)
+        raise Puppet::Error.new( "Could not resolve name: #{name}" ) if !sid
+        [sid.to_s, sid]
+      end
+
+      Hash[ sids ]
     end
+  end
 
-    def self.uri(name, host = '.')
-      if sid_uri = Puppet::Util::Windows::ADSI.sid_uri_safe(name) then return sid_uri end
+  class User
+    extend Enumerable
+    extend Puppet::Util::Windows::ADSI::Shared
+    extend FFI::Library
 
-      host = '.' if ['NT AUTHORITY', 'BUILTIN', Socket.gethostname].include?(host)
+    # https://msdn.microsoft.com/en-us/library/aa746340.aspx
+    # IADsUser interface
+
+    require 'puppet/util/windows/sid'
 
-      Puppet::Util::Windows::ADSI.uri(name, 'user', host)
+    attr_accessor :native_user
+    attr_reader :name, :sid
+    def initialize(name, native_user = nil)
+      @name = name
+      @native_user = native_user
+    end
+
+    def native_user
+      @native_user ||= Puppet::Util::Windows::ADSI.connect(self.class.uri(*self.class.parse_name(@name)))
+    end
+
+    def sid
+      @sid ||= Puppet::Util::Windows::SID.octet_string_to_sid_object(native_user.objectSID)
     end
 
     def uri
@@ -155,7 +187,15 @@ module Puppet::Util::Windows::ADSI
     def commit
       begin
         native_user.SetInfo unless native_user.nil?
-      rescue Exception => e
+      rescue WIN32OLERuntimeError => e
+        # ERROR_BAD_USERNAME 2202L from winerror.h
+        if e.message =~ /8007089A/m
+          raise Puppet::Error.new(
+           "Puppet is not able to create/delete domain users with the user resource.",
+           e
+          )
+        end
+
         raise Puppet::Error.new( "User update failed: #{e}", e )
       end
       self
@@ -181,6 +221,7 @@ module Puppet::Util::Windows::ADSI
     end
 
     def groups
+      # https://msdn.microsoft.com/en-us/library/aa746342.aspx
       # WIN32OLE objects aren't enumerable, so no map
       groups = []
       native_user.Groups.each {|g| groups << g.Name} rescue nil
@@ -201,21 +242,54 @@ module Puppet::Util::Windows::ADSI
     end
     alias remove_from_group remove_from_groups
 
+
+    def add_group_sids(*sids)
+      group_names = []
+      sids.each do |sid|
+        group_names << Puppet::Util::Windows::SID.sid_to_name(sid)
+      end
+
+      add_to_groups(*group_names)
+    end
+
+    def remove_group_sids(*sids)
+      group_names = []
+      sids.each do |sid|
+        group_names << Puppet::Util::Windows::SID.sid_to_name(sid)
+      end
+
+      remove_from_groups(*group_names)
+    end
+
+    def group_sids
+      self.class.get_sids(native_user.Groups)
+    end
+
     def set_groups(desired_groups, minimum = true)
-      return if desired_groups.nil? or desired_groups.empty?
+      return if desired_groups.nil?
 
       desired_groups = desired_groups.split(',').map(&:strip)
 
-      current_groups = self.groups
+      current_hash = Hash[ self.group_sids.map { |sid| [sid.to_s, sid] } ]
+      desired_hash = self.class.name_sid_hash(desired_groups)
 
       # First we add the user to all the groups it should be in but isn't
-      groups_to_add = desired_groups - current_groups
-      add_to_groups(*groups_to_add)
+      if !desired_groups.empty?
+        groups_to_add = (desired_hash.keys - current_hash.keys).map { |sid| desired_hash[sid] }
+        add_group_sids(*groups_to_add)
+      end
 
       # Then we remove the user from all groups it is in but shouldn't be, if
       # that's been requested
-      groups_to_remove = current_groups - desired_groups
-      remove_from_groups(*groups_to_remove) unless minimum
+      if !minimum
+        if desired_hash.empty?
+          groups_to_remove = current_hash.values
+        else
+          groups_to_remove = (current_hash.keys - desired_hash.keys).map { |sid| current_hash[sid] }
+        end
+
+        remove_group_sids(*groups_to_remove)
+      end
     end
 
     def self.create(name)
@@ -279,7 +353,7 @@ module Puppet::Util::Windows::ADSI
     def self.delete(sid)
       begin
         Puppet::Util::Windows::ADSI.wmi_connection.Delete("Win32_UserProfile.SID='#{sid}'")
-      rescue => e
+      rescue WIN32OLERuntimeError => e
         # http://social.technet.microsoft.com/Forums/en/ITCG/thread/0f190051-ac96-4bf1-a47f-6b864bfacee5
         # Prior to Vista SP1, there's no builtin way to programmatically
         # delete user profiles (except for delprof.exe). So try to delete
@@ -293,6 +367,10 @@ module Puppet::Util::Windows::ADSI
 
   class Group
     extend Enumerable
+    extend Puppet::Util::Windows::ADSI::Shared
+
+    # https://msdn.microsoft.com/en-us/library/aa706021.aspx
+    # IADsGroup interface
 
     attr_accessor :native_group
     attr_reader :name, :sid
@@ -302,17 +380,11 @@ module Puppet::Util::Windows::ADSI
     end
 
     def uri
-      self.class.uri(name)
-    end
-
-    def self.uri(name, host = '.')
-      if sid_uri = Puppet::Util::Windows::ADSI.sid_uri_safe(name) then return sid_uri end
-
-      Puppet::Util::Windows::ADSI.uri(name, 'group', host)
+      self.class.uri(sid.account, sid.domain)
     end
 
     def native_group
-      @native_group ||= Puppet::Util::Windows::ADSI.connect(uri)
+      @native_group ||= Puppet::Util::Windows::ADSI.connect(self.class.uri(*self.class.parse_name(name)))
     end
 
     def sid
@@ -322,24 +394,20 @@ module Puppet::Util::Windows::ADSI
     def commit
       begin
         native_group.SetInfo unless native_group.nil?
-      rescue Exception => e
+      rescue WIN32OLERuntimeError => e
+        # ERROR_BAD_USERNAME 2202L from winerror.h
+        if e.message =~ /8007089A/m
+          raise Puppet::Error.new(
+            "Puppet is not able to create/delete domain groups with the group resource.",
+            e
+          )
+        end
+
         raise Puppet::Error.new( "Group update failed: #{e}", e )
       end
       self
     end
 
-    def self.name_sid_hash(names)
-      return {} if names.nil? or names.empty?
-
-      sids = names.map do |name|
-        sid = Puppet::Util::Windows::SID.name_to_sid_object(name)
-        raise Puppet::Error.new( "Could not resolve username: #{name}" ) if !sid
-        [sid.to_s, sid]
-      end
-
-      Hash[ sids ]
-    end
-
     def add_member_sids(*sids)
       sids.each do |sid|
         native_group.Add(Puppet::Util::Windows::ADSI.sid_uri(sid))
@@ -360,27 +428,31 @@ module Puppet::Util::Windows::ADSI
     end
 
     def member_sids
-      sids = []
-      native_group.Members.each do |m|
-        sids << Puppet::Util::Windows::SID.octet_string_to_sid_object(m.objectSID)
-      end
-      sids
+      self.class.get_sids(native_group.Members)
     end
 
     def set_members(desired_members, inclusive = true)
-      return if desired_members.nil? or desired_members.empty?
+      return if desired_members.nil?
 
       current_hash = Hash[ self.member_sids.map { |sid| [sid.to_s, sid] } ]
       desired_hash = self.class.name_sid_hash(desired_members)
 
       # First we add all missing members
-      members_to_add = (desired_hash.keys - current_hash.keys).map { |sid| desired_hash[sid] }
-      add_member_sids(*members_to_add)
+      if !desired_hash.empty?
+        members_to_add = (desired_hash.keys - current_hash.keys).map { |sid| desired_hash[sid] }
+        add_member_sids(*members_to_add)
+      end
 
-      # Then we remove all extra members
-      members_to_remove = (current_hash.keys - desired_hash.keys).map { |sid| current_hash[sid] }
+      # Then we remove all extra members if inclusive
+      if inclusive
+        if desired_hash.empty?
+          members_to_remove = current_hash.values
+        else
+          members_to_remove = (current_hash.keys - desired_hash.keys).map { |sid| current_hash[sid] }
+        end
 
-      remove_member_sids(*members_to_remove) if inclusive
+        remove_member_sids(*members_to_remove)
+      end
     end
 
     def self.create(name)

data/lib/puppet/version.rb

@@ -7,7 +7,7 @@
 
 
 module Puppet
-  PUPPETVERSION = '4.0.0'
+  PUPPETVERSION = '4.1.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/man/man5/puppet.conf.5

@@ -1,8 +1,8 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPETCONF" "5" "March 2015" "Puppet Labs, LLC" "Puppet manual"
-\fBThis page is autogenerated; any changes will get overwritten\fR \fI(last generated on 2015\-03\-13 13:47:01 \-0700)\fR
+.TH "PUPPETCONF" "5" "May 2015" "Puppet Labs, LLC" "Puppet manual"
+\fBThis page is autogenerated; any changes will get overwritten\fR \fI(last generated on 2015\-05\-18 10:15:47 \-0700)\fR
 .
 .SH "Configuration Settings"
 .
@@ -586,7 +586,24 @@ The name of a registered environment data provider\. The two built in and regist
 .IP "" 0
 .
 .SS "environment_timeout"
-The time to live for a cached environment\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. This setting can also be set to \fBunlimited\fR, which causes the environment to be cached until the master is restarted\.
+How long the Puppet master should cache data it loads from an environment\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. A value of \fB0\fR will disable caching\. This setting can also be set to \fBunlimited\fR, which will cache environments until the master is restarted or told to refresh the cache\.
+.
+.P
+You should change this setting once your Puppet deployment is doing non\-trivial work\. We chose the default value of \fB0\fR because it lets new users update their code without any extra steps, but it lowers the performance of your Puppet master\.
+.
+.P
+We recommend setting this to \fBunlimited\fR and explicitly refreshing your Puppet master as part of your code deployment process\.
+.
+.IP "\(bu" 4
+With Puppet Server, you should refresh environments by calling the \fBenvironment\-cache\fR API endpoint\. See the docs for the Puppet Server administrative API\.
+.
+.IP "\(bu" 4
+With a Rack Puppet master, you should restart the web server or the application server\. Passenger lets you touch a \fBrestart\.txt\fR file to refresh an application without restarting Apache; see the Passenger docs for details\.
+.
+.IP "" 0
+.
+.P
+We don\'t recommend using any value other than \fB0\fR or \fBunlimited\fR, since most Puppet masters use a pool of Ruby interpreters which all have their own cache timers\. When these timers drift out of sync, agents can be served inconsistent catalogs\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: 0
@@ -687,7 +704,16 @@ Whether to just print a manifest to stdout and exit\. Only makes sense when spec
 .IP "" 0
 .
 .SS "graph"
-Whether to create dot graph files for the different configuration graphs\. These dot files can be interpreted by tools like OmniGraffle or dot (which is part of ImageMagick)\.
+Whether to create \.dot graph files, which let you visualize the dependency and containment relationships in Puppet\'s catalog\. You can load and view these files with tools like OmniGraffle \fIhttp://www\.omnigroup\.com/applications/omnigraffle/\fR (OS X) or graphviz \fIhttp://www\.graphviz\.org/\fR (multi\-platform)\.
+.
+.P
+Graph files are created when \fIapplying\fR a catalog, so this setting should be used on nodes running \fBpuppet agent\fR or \fBpuppet apply\fR\.
+.
+.P
+The \fBgraphdir\fR setting determines where Puppet will save graphs\. Note that we don\'t save graphs for historical runs; Puppet will replace the previous \.dot files with new ones every time it applies a catalog\.
+.
+.P
+See your graphing software\'s documentation for details on opening \.dot files\. If you\'re using GraphViz\'s \fBdot\fR command, you can do a quick PNG render with \fBdot \-Tpng <DOT FILE> \-o <OUTPUT FILE>\fR\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: false
@@ -695,7 +721,7 @@ Whether to create dot graph files for the different configuration graphs\. These
 .IP "" 0
 .
 .SS "graphdir"
-Where to store dot\-outputted graphs\.
+Where to save \.dot\-format graphs (when the \fBgraph\fR setting is enabled)\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: $statedir/graphs
@@ -1293,6 +1319,14 @@ The preferred means of serializing ruby instances for passing over the wire\. Th
 .SS "prerun_command"
 A command to run before every agent run\. If this command returns a non\-zero return code, the entire Puppet run will fail\.
 .
+.SS "preview_outputdir"
+The directory where catalog previews per node are generated\.
+.
+.IP "\(bu" 4
+\fIDefault\fR: $vardir/preview
+.
+.IP "" 0
+.
 .SS "priority"
 The scheduling priority of the process\. Valid values are \'high\', \'normal\', \'low\', or \'idle\', which are mapped to platform\-specific values\. The priority can also be specified as an integer value and will be passed as is, e\.g\. \-5\. Puppet must be running as a privileged user in order to increase scheduling priority\.
 .
@@ -1652,6 +1686,14 @@ File that provides mapping between custom SSL oids and user\-friendly names
 .
 .IP "" 0
 .
+.SS "trusted_server_facts"
+Stores a trusted set of server\-side global variables in a hash called $server_facts, which cannot be cannot be overridden by client_facts or logic in manifests\. Makes it illegal to assign to the variable $server_facts in any scope\.
+.
+.IP "\(bu" 4
+\fIDefault\fR: false
+.
+.IP "" 0
+.
 .SS "use_cached_catalog"
 Whether to only use the cached catalog rather than compiling a new catalog on every run\. Puppet can be run with this enabled by default and then selectively disabled when a recompile is desired\.
 .
@@ -1715,4 +1757,4 @@ The directory in which YAML data is stored, usually in a subdirectory\.
 .IP "" 0
 .
 .P
-\fIThis page autogenerated on 2015\-03\-13 13:47:01 \-0700\fR
+\fIThis page autogenerated on 2015\-05\-18 10:15:47 \-0700\fR

data/man/man8/extlookup2hiera.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "EXTLOOKUP2HIERA" "8" "March 2015" "Puppet Labs, LLC" "Puppet manual"
+.TH "EXTLOOKUP2HIERA" "8" "May 2015" "Puppet Labs, LLC" "Puppet manual"
 .
 .SH "NAME"
 \fBextlookup2hiera\fR

data/man/man8/puppet-agent.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-AGENT" "8" "March 2015" "Puppet Labs, LLC" "Puppet manual"
+.TH "PUPPET\-AGENT" "8" "May 2015" "Puppet Labs, LLC" "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-agent\fR \- The puppet agent daemon
@@ -95,6 +95,9 @@ Print this help message
 \-\-logdest
 Where to send log messages\. Choose between \'syslog\' (the POSIX syslog service), \'eventlog\' (the Windows Event Log), \'console\', or the path to a log file\. If debugging or verbosity is enabled, this defaults to \'console\'\. Otherwise, it defaults to \'syslog\' on POSIX systems and \'eventlog\' on Windows\.
 .
+.IP
+A path ending with \'\.json\' will receive structured output in JSON format\. The log file will not have an ending \']\' automatically written to it due to the appending nature of logging\. It must be appended manually to make the content valid JSON\.
+.
 .TP
 \-\-masterport
 The port on which to contact the puppet master\. (This is a Puppet setting, and can go in puppet\.conf\.)

data/man/man8/puppet-apply.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-APPLY" "8" "March 2015" "Puppet Labs, LLC" "Puppet manual"
+.TH "PUPPET\-APPLY" "8" "May 2015" "Puppet Labs, LLC" "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-apply\fR \- Apply Puppet manifests locally
@@ -42,6 +42,9 @@ See the configuration file documentation at http://docs\.puppetlabs\.com/referen
 .IP "\(bu" 4
 \-\-logdest: Where to send log messages\. Choose between \'syslog\' (the POSIX syslog service), \'eventlog\' (the Windows Event Log), \'console\', or the path to a log file\. Defaults to \'console\'\.
 .
+.IP
+A path ending with \'\.json\' will receive structured output in JSON format\. The log file will not have an ending \']\' automatically written to it due to the appending nature of logging\. It must be appended manually to make the content valid JSON\.
+.
 .IP "\(bu" 4
 \-\-noop: Use \'noop\' mode where Puppet runs in a no\-op or dry\-run mode\. This is useful for seeing what changes Puppet will make without actually executing the changes\.
 .