puppet 4.3.1 → 4.3.2

data/lib/puppet/pops/parser/slurp_support.rb

@@ -67,6 +67,10 @@ module Puppet::Pops::Parser::SlurpSupport
   def slurp(scanner, pattern, escapes, ignore_invalid_escapes)
     str = scanner.scan_until(pattern) || return
 
+    return str unless str.include?('\\')
+
+    return str.gsub!(/\\(\\|')/m, '\1') || str if escapes.equal?(SQ_ESCAPES)
+
     # Process unicode escapes first as they require getting 4 hex digits
     # If later a \u is found it is warned not to be a unicode escape
     if escapes.include?('u')
@@ -83,7 +87,7 @@ module Puppet::Pops::Parser::SlurpSupport
         when 'r'   ; "\r"
         when 'n'   ; "\n"
         when 't'   ; "\t"
-        when 's'   ; " "
+        when 's'   ; ' '
         when 'u'
           lex_warning(Puppet::Pops::Issues::ILLEGAL_UNICODE_ESCAPE)
           "\\u"

data/lib/puppet/pops/types/type_calculator.rb

@@ -708,12 +708,8 @@ class Puppet::Pops::Types::TypeCalculator
     from = range.from
     to = range.to
     x = from.nil? ? 1 : from
-    y = to.nil? ? Float::INFINITY : to
-    if x < y
-      [x, y]
-    else
-      [y, x]
-    end
+    y = to.nil? ? TheInfinity : to
+    [x, y]
   end
 
   # @api private

data/lib/puppet/pops/types/types.rb

@@ -423,15 +423,9 @@ module Puppet::Pops
       def initialize(from, to = Float::INFINITY)
         from = -Float::INFINITY if from.nil? || from == :default
         to = Float::INFINITY if to.nil? || to == :default
-
-        # Always create in right order
-        if from <= to
-          @from = from
-          @to = to
-        else
-          @to = from
-          @from = to
-        end
+        raise ArgumentError, "'from' must be less or equal to 'to'. Got (#{from}, #{to}" if from.is_a?(Numeric) && to.is_a?(Numeric) && from > to
+        @from = from
+        @to = to
       end
 
       # Returns the lower bound of the numeric range or `nil` if no lower bound is set.

data/lib/puppet/pops/validation/checker4_0.rb

@@ -213,11 +213,24 @@ class Puppet::Pops::Validation::Checker4_0
     rvalue(o.right_expr)
   end
 
+  def resource_without_title?(o)
+    if o.instance_of?(Puppet::Pops::Model::BlockExpression)
+      statements = o.statements
+      statements.length == 2 && statements[0].instance_of?(Puppet::Pops::Model::QualifiedName) && statements[1].instance_of?(Puppet::Pops::Model::LiteralHash)
+    else
+      false
+    end
+  end
+
   def check_BlockExpression(o)
-    o.statements[0..-2].each do |statement|
-      if idem(statement)
-        acceptor.accept(Issues::IDEM_EXPRESSION_NOT_LAST, statement)
-        break # only flag the first
+    if resource_without_title?(o)
+      acceptor.accept(Issues::RESOURCE_WITHOUT_TITLE, o, :name => o.statements[0].value)
+    else
+      o.statements[0..-2].each do |statement|
+        if idem(statement)
+          acceptor.accept(Issues::IDEM_EXPRESSION_NOT_LAST, statement)
+          break # only flag the first
+        end
       end
     end
   end
@@ -264,6 +277,7 @@ class Puppet::Pops::Validation::Checker4_0
   def check_EppExpression(o)
     if o.eContainer.is_a?(Puppet::Pops::Model::LambdaExpression)
       internal_check_no_capture(o.eContainer, o)
+      internal_check_parameter_name_uniqueness(o.eContainer)
     end
   end
 
@@ -352,16 +366,13 @@ class Puppet::Pops::Validation::Checker4_0
   end
 
   def check_FunctionDefinition(o)
-    # TODO PUP-2080: more strict rule for top - can only be contained in Program (for now)
-    #  sticking functions in classes would create functions in the class name space
-    #  but not be special in any other way
-    #
     check_NamedDefinition(o)
   end
 
   def check_HostClassDefinition(o)
     check_NamedDefinition(o)
     internal_check_no_capture(o)
+    internal_check_parameter_name_uniqueness(o)
     internal_check_reserved_params(o)
     internal_check_no_idem_last(o)
   end
@@ -369,13 +380,14 @@ class Puppet::Pops::Validation::Checker4_0
   def check_ResourceTypeDefinition(o)
     check_NamedDefinition(o)
     internal_check_no_capture(o)
+    internal_check_parameter_name_uniqueness(o)
     internal_check_reserved_params(o)
     internal_check_no_idem_last(o)
   end
 
   def internal_check_no_idem_last(o)
     if violator = ends_with_idem(o.body)
-      acceptor.accept(Issues::IDEM_NOT_ALLOWED_LAST, violator, {:container => o})
+      acceptor.accept(Issues::IDEM_NOT_ALLOWED_LAST, violator, {:container => o}) unless resource_without_title?(violator)
     end
   end
 
@@ -409,6 +421,13 @@ class Puppet::Pops::Validation::Checker4_0
     end
   end
 
+  def internal_check_parameter_name_uniqueness(o)
+    unique = Set.new
+    o.parameters.each do |p|
+      acceptor.accept(Issues::DUPLICATE_PARAMETER, p, {:param_name => p.name}) unless unique.add?(p.name)
+    end
+  end
+
   def check_IfExpression(o)
     rvalue(o.test)
   end
@@ -433,7 +452,7 @@ class Puppet::Pops::Validation::Checker4_0
     hostname(o.host_matches, o)
     top(o.eContainer, o)
     if violator = ends_with_idem(o.body)
-      acceptor.accept(Issues::IDEM_NOT_ALLOWED_LAST, violator, {:container => o})
+      acceptor.accept(Issues::IDEM_NOT_ALLOWED_LAST, violator, {:container => o}) unless resource_without_title?(violator)
     end
     unless o.parent.nil?
       acceptor.accept(Issues::ILLEGAL_NODE_INHERITANCE, o.parent)
@@ -700,8 +719,13 @@ class Puppet::Pops::Validation::Checker4_0
   end
 
   def top_BlockExpression(o, definition)
-    # ok, if this is a block representing the body of a class, or is top level
-    top o.eContainer, definition
+    if definition.is_a?(Model::FunctionDefinition) && !o.eContainer.is_a?(Model::Program)
+      # not ok if the definition is a FunctionDefinition. It can never be nested in a block
+      acceptor.accept(Issues::NOT_ABSOLUTE_TOP_LEVEL, definition)
+    else
+      # ok, if this is a block representing the body of a class, or is top level
+      top o.eContainer, definition
+    end
   end
 
   def top_HostClassDefinition(o, definition)

data/lib/puppet/provider/group/windows_adsi.rb

@@ -28,7 +28,7 @@ Puppet::Type.type(:group).provide :windows_adsi do
     specified_users = Puppet::Util::Windows::ADSI::Group.name_sid_hash(should)
 
     if @resource[:auth_membership]
-      current_users == specified_users
+      current_users.keys.to_a == specified_users.keys.to_a
     else
       (specified_users.keys.to_a & current_users.keys.to_a) == specified_users.keys.to_a
     end
@@ -48,7 +48,7 @@ Puppet::Type.type(:group).provide :windows_adsi do
       else
         account = sid.account
       end
-      resource.debug("#{sid.domain}\\#{account} (#{sid.to_s})")
+      resource.debug("#{sid.domain}\\#{account} (#{sid.sid})")
       "#{sid.domain}\\#{account}"
     end
     return users.join(',')

data/lib/puppet/provider/package/pip.rb

@@ -3,6 +3,7 @@
 
 require 'puppet/provider/package'
 require 'xmlrpc/client'
+require 'puppet/util/http_proxy'
 
 Puppet::Type.type(:package).provide :pip,
   :parent => ::Puppet::Provider::Package do
@@ -60,7 +61,16 @@ Puppet::Type.type(:package).provide :pip,
   # cache of PyPI's package list so this operation will always have to
   # ask the web service.
   def latest
-    client = XMLRPC::Client.new2("http://pypi.python.org/pypi")
+    http_proxy_host = Puppet::Util::HttpProxy.http_proxy_host
+    http_proxy_port = Puppet::Util::HttpProxy.http_proxy_port
+    if http_proxy_host && http_proxy_port
+      proxy = "#{http_proxy_host}:#{http_proxy_port}"
+    else
+      # nil is acceptable
+      proxy = http_proxy_host
+    end
+
+    client = XMLRPC::Client.new2("http://pypi.python.org/pypi", proxy)
     client.http_header_extra = {"Content-Type" => "text/xml"}
     client.timeout = 10
     result = client.call("package_releases", @resource[:name])

data/lib/puppet/provider/package/rpm.rb

@@ -281,7 +281,6 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
       self::NEVRA_FIELDS.zip(match.captures) { |f, v| hash[f] = v }
       hash[:provider] = self.name
       hash[:ensure] = "#{hash[:version]}-#{hash[:release]}"
-      hash[:ensure].prepend("#{hash[:epoch]}:") if hash[:epoch] != '0'
     else
       Puppet.debug("Failed to match rpm line #{line}")
     end

data/lib/puppet/provider/package/yum.rb

@@ -80,7 +80,7 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
     elsif output.exitstatus == 0
       self.debug "#{command(:cmd)} check-update exited with 0; no package updates available."
     else
-      self.warn "Could not check for updates, '#{command(:cmd)} check-update' exited with #{output.exitstatus}"
+      self.warning "Could not check for updates, '#{command(:cmd)} check-update' exited with #{output.exitstatus}"
     end
     updates
   end

data/lib/puppet/provider/service/debian.rb

@@ -15,6 +15,7 @@ Puppet::Type.type(:service).provide :debian, :parent => :init do
   # http://projects.reductivelabs.com/issues/2538
   # is resolved.
   commands :invoke_rc => "/usr/sbin/invoke-rc.d"
+  commands :service => "/usr/sbin/service"
 
   defaultfor :operatingsystem => :cumuluslinux
   defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ['5','6','7']
@@ -65,23 +66,9 @@ Puppet::Type.type(:service).provide :debian, :parent => :init do
   end
 
   def statuscmd
-    os = Facter.value(:operatingsystem).downcase
-
-    if os == 'debian'
-      majversion = Facter.value(:operatingsystemmajrelease).to_i
-    else
-      majversion = Facter.value(:operatingsystemmajrelease).split('.')[0].to_i
-    end
-
-
-    if ((os == 'debian' && majversion >= 8) || (os == 'ubuntu' && majversion >= 15))
-      # SysVInit scripts will always return '0' for status when the service is masked,
-      # even if the service is actually stopped. Use the SysVInit-Systemd compatibility
-      # layer to determine the actual status. This is only necessary when the SysVInit
-      # version of a service is queried. I.e, 'ntp' instead of 'ntp.service'.
-      (@resource[:hasstatus] == :true) && ["systemctl", "is-active", @resource[:name]]
-    else
-      super
-    end
+      # /usr/sbin/service provides an abstraction layer which is able to query services
+      # independent of the init system used.
+      # See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775795
+    (@resource[:hasstatus] == :true) && [command(:service), @resource[:name], "status"]
   end
 end

data/lib/puppet/provider/service/init.rb

@@ -49,6 +49,13 @@ Puppet::Type.type(:service).provide :init, :parent => :base do
     excludes += %w{wait-for-state portmap-wait}
     # these excludes were found with grep -r -L start /etc/init.d
     excludes += %w{rcS module-init-tools}
+    # Prevent puppet failing on unsafe scripts from Yocto Linux
+    if Facter.value(:osfamily) == "cisco-wrlinux"
+      excludes += %w{banner.sh bootmisc.sh checkroot.sh devpts.sh dmesg.sh
+                   hostname.sh mountall.sh mountnfs.sh populate-volatile.sh
+                   rmnologin.sh save-rtc.sh sendsigs sysfs.sh umountfs
+                   umountnfs.sh}
+    end
     # Prevent puppet failing to get status of the new service introduced
     # by the fix for this (bug https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/982889)
     # due to puppet's inability to deal with upstart services with instances.

data/lib/puppet/provider/service/launchd.rb

@@ -193,6 +193,12 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   # Read a plist, whether its format is XML or in Apple's "binary1"
   # format.
   def self.read_plist(path)
+    begin
+      return Plist::parse_xml(path)
+    rescue ArgumentError => detail
+      Puppet.debug("Error reading #{path}: #{detail}. Retrying with plutil.")
+    end
+
     begin
       Plist::parse_xml(plutil('-convert', 'xml1', '-o', '/dev/stdout', path))
     rescue Puppet::ExecutionFailure => detail

data/lib/puppet/provider/service/systemd.rb

@@ -12,7 +12,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   defaultfor :osfamily => :redhat, :operatingsystem => :fedora
   defaultfor :osfamily => :suse
   defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => "8"
-  defaultfor :operatingsystem => :ubuntu, :operatingsystemmajrelease => "15.04"
+  defaultfor :operatingsystem => :ubuntu, :operatingsystemmajrelease => ["15.04","15.10"]
 
   def self.instances
     i = []

data/lib/puppet/provider/user/windows_adsi.rb

@@ -40,7 +40,7 @@ Puppet::Type.type(:user).provide :windows_adsi do
     specified_users = Puppet::Util::Windows::ADSI::Group.name_sid_hash(should)
 
     if @resource[:membership] == :inclusive
-      current_users == specified_users
+      current_users.keys.to_a == specified_users.keys.to_a
     else
       (specified_users.keys.to_a & current_users.keys.to_a) == specified_users.keys.to_a
     end
@@ -55,7 +55,7 @@ Puppet::Type.type(:user).provide :windows_adsi do
       else
         account = sid.account
       end
-      resource.debug("#{sid.domain}\\#{account} (#{sid.to_s})")
+      resource.debug("#{sid.domain}\\#{account} (#{sid.sid})")
       "#{sid.domain}\\#{account}"
     end
     return groups.join(',')

data/lib/puppet/provider/yumrepo/inifile.rb

@@ -74,9 +74,12 @@ Puppet::Type.type(:yumrepo).provide(:inifile) do
   def self.reposdir(conf='/etc/yum.conf', dirs=['/etc/yum.repos.d', '/etc/yum/repos.d'])
     reposdir = find_conf_value('reposdir', conf)
     # Use directories in reposdir if they are set instead of default
-    dirs = reposdir.split(",").map(&:strip) if reposdir
-    
-
+    if reposdir
+      # Follow the code from the yum/config.py
+      dirs = reposdir.gsub!("\n", ' ')
+      dirs = reposdir.gsub!(',', ' ')
+      dirs = reposdir.split
+    end
     dirs.select! { |dir| Puppet::FileSystem.exist?(dir) }
     if dirs.empty?
       Puppet.debug('No yum directories were found on the local filesystem')

data/lib/puppet/resource/type.rb

@@ -387,7 +387,8 @@ class Puppet::Resource::Type
     parameters = resource.parameters
     arguments.each do |param_name, _|
       name = param_name.to_sym
-      next if parameters.include?(name)
+      param = parameters[name]
+      next unless param.nil? || param.value.nil?
       value = lookup_external_default_for(param_name, scope)
       resource[name] = value unless value.nil?
     end

data/lib/puppet/transaction/additional_resource_generator.rb

@@ -138,10 +138,10 @@ class Puppet::Transaction::AdditionalResourceGenerator
   def add_generated_directed_dependency(parent, child, label=nil)
     if parent.depthfirst?
       source = child
-      target = parent.to_resource
+      target = parent
     else
       source = parent
-      target = child.to_resource
+      target = child
     end
 
     # For each potential relationship metaparam, check if parent or
@@ -170,8 +170,22 @@ class Puppet::Transaction::AdditionalResourceGenerator
     }
 
     if not edge_exists
+      # We *cannot* use target.to_resource here!
+      #
+      # For reasons that are beyond my (and, perhaps, human)
+      # comprehension, to_resource will call retrieve. This is
+      # problematic if a generated resource needs the system to be
+      # changed by a previous resource (think a file on a path
+      # controlled by a mount resource).
+      #
+      # Instead of using to_resource, we just construct a resource as
+      # if the arguments to the Type instance had been passed to a
+      # Resource instead.
+      resource = ::Puppet::Resource.new(target.class, target.title,
+                                        :parameters => target.original_parameters)
+
       source[:before] ||= []
-      source[:before] << target
+      source[:before] << resource
     end
   end
 

data/lib/puppet/type/group.rb

@@ -80,7 +80,9 @@ module Puppet
 
     newproperty(:members, :array_matching => :all, :required_features => :manages_members) do
       desc "The members of the group. For directory services where group
-      membership is stored in the group objects, not the users."
+      membership is stored in the group objects, not the users. Use
+      with auth_membership to determine whether the specified members
+      are inclusive or the minimum."
 
       def change_to_s(currentvalue, newvalue)
         currentvalue = currentvalue.join(",") if currentvalue != :absent
@@ -116,7 +118,9 @@ module Puppet
     end
 
     newparam(:auth_membership, :boolean => true, :parent => Puppet::Parameter::Boolean) do
-      desc "whether the provider is authoritative for group membership."
+      desc "Whether the provider is authoritative for group membership. This
+        must be set to true to allow setting the group to no members with
+        `members => [],`."
       defaultto false
     end
 

data/lib/puppet/util/windows.rb

@@ -6,6 +6,9 @@ module Puppet::Util::Windows
   end
   module Registry
   end
+  module SID
+    class Principal; end
+  end
 
   if Puppet::Util::Platform.windows?
     # these reference platform specific gems
@@ -14,6 +17,7 @@ module Puppet::Util::Windows
     require 'puppet/util/windows/error'
     require 'puppet/util/windows/com'
     require 'puppet/util/windows/sid'
+    require 'puppet/util/windows/principal'
     require 'puppet/util/windows/file'
     require 'puppet/util/windows/security'
     require 'puppet/util/windows/user'

data/lib/puppet/util/windows/adsi.rb

@@ -56,21 +56,30 @@ module Puppet::Util::Windows::ADSI
       "winmgmts:{impersonationLevel=impersonate}!//#{host}/root/cimv2"
     end
 
+    # This method should *only* be used to generate WinNT://<SID> style monikers
+    # used for IAdsGroup::Add / IAdsGroup::Remove.  These URIs are not useable
+    # to resolve an account with WIN32OLE.connect
+    # Valid input is a SID::Principal, S-X-X style SID string or any valid
+    # account name with or without domain prefix
     # @api private
     def sid_uri_safe(sid)
-      return sid_uri(sid) if sid.kind_of?(Win32::Security::SID)
+      return sid_uri(sid) if sid.kind_of?(Puppet::Util::Windows::SID::Principal)
 
       begin
-        sid = Win32::Security::SID.new(Win32::Security::SID.string_to_sid(sid))
+        sid = Puppet::Util::Windows::SID.name_to_sid_object(sid)
         sid_uri(sid)
-      rescue SystemCallError
+      rescue Puppet::Util::Windows::Error, Puppet::Error
         nil
       end
     end
 
+    # This method should *only* be used to generate WinNT://<SID> style monikers
+    # used for IAdsGroup::Add / IAdsGroup::Remove.  These URIs are not useable
+    # to resolve an account with WIN32OLE.connect
     def sid_uri(sid)
-      raise Puppet::Error.new( "Must use a valid SID object" ) if !sid.kind_of?(Win32::Security::SID)
-      "WinNT://#{sid.to_s}"
+      raise Puppet::Error.new( "Must use a valid SID::Principal" ) if !sid.kind_of?(Puppet::Util::Windows::SID::Principal)
+
+      "WinNT://#{sid.sid}"
     end
 
     def uri(resource_name, resource_type, host = '.')
@@ -99,8 +108,6 @@ module Puppet::Util::Windows::ADSI
 
   module Shared
     def uri(name, host = '.')
-      if sid_uri = Puppet::Util::Windows::ADSI.sid_uri_safe(name) then return sid_uri end
-
       host = '.' if ['NT AUTHORITY', 'BUILTIN', Socket.gethostname].include?(host)
 
       # group or user
@@ -136,7 +143,7 @@ module Puppet::Util::Windows::ADSI
       sids = names.map do |name|
         sid = Puppet::Util::Windows::SID.name_to_sid_object(name)
         raise Puppet::Error.new( "Could not resolve name: #{name}" ) if !sid
-        [sid.to_s, sid]
+        [sid.sid, sid]
       end
 
       Hash[ sids ]
@@ -247,20 +254,12 @@ module Puppet::Util::Windows::ADSI
 
 
     def add_group_sids(*sids)
-      group_names = []
-      sids.each do |sid|
-        group_names << Puppet::Util::Windows::SID.sid_to_name(sid)
-      end
-
+      group_names = sids.map { |s| s.domain_account }
       add_to_groups(*group_names)
     end
 
     def remove_group_sids(*sids)
-      group_names = []
-      sids.each do |sid|
-        group_names << Puppet::Util::Windows::SID.sid_to_name(sid)
-      end
-
+      group_names = sids.map { |s| s.domain_account }
       remove_from_groups(*group_names)
     end
 
@@ -273,7 +272,7 @@ module Puppet::Util::Windows::ADSI
 
       desired_groups = desired_groups.split(',').map(&:strip)
 
-      current_hash = Hash[ self.group_sids.map { |sid| [sid.to_s, sid] } ]
+      current_hash = Hash[ self.group_sids.map { |sid| [sid.sid, sid] } ]
       desired_hash = self.class.name_sid_hash(desired_groups)
 
       # First we add the user to all the groups it should be in but isn't
@@ -321,10 +320,30 @@ module Puppet::Util::Windows::ADSI
       user_name
     end
 
-    def self.exists?(name)
-      Puppet::Util::Windows::ADSI::connectable?(User.uri(*User.parse_name(name)))
+    def self.exists?(name_or_sid)
+      well_known = false
+      if (sid = Puppet::Util::Windows::SID.name_to_sid_object(name_or_sid))
+        return true if sid.account_type == :SidTypeUser
+
+        # 'well known group' is special as it can be a group like Everyone OR a user like SYSTEM
+        # so try to resolve it
+        # https://msdn.microsoft.com/en-us/library/cc234477.aspx
+        well_known = sid.account_type == :SidTypeWellKnownGroup
+        return false if sid.account_type != :SidTypeAlias && !well_known
+        name_or_sid = "#{sid.domain}\\#{sid.account}"
+      end
+
+      user = Puppet::Util::Windows::ADSI.connect(User.uri(*User.parse_name(name_or_sid)))
+      # otherwise, verify that the account is actually a User account
+      user.Class == 'User'
+    rescue
+      # special accounts like SYSTEM cannot resolve via moniker like WinNT://./SYSTEM,user
+      # and thus fail to connect - so given a validly resolved SID, this failure is ambiguous as it
+      # may indicate either a group like Service or an account like SYSTEM
+      well_known
     end
 
+
     def self.delete(name)
       Puppet::Util::Windows::ADSI.delete(name, 'user')
     end
@@ -437,7 +456,7 @@ module Puppet::Util::Windows::ADSI
     def set_members(desired_members, inclusive = true)
       return if desired_members.nil?
 
-      current_hash = Hash[ self.member_sids.map { |sid| [sid.to_s, sid] } ]
+      current_hash = Hash[ self.member_sids.map { |sid| [sid.sid, sid] } ]
       desired_hash = self.class.name_sid_hash(desired_members)
 
       # First we add all missing members
@@ -464,8 +483,26 @@ module Puppet::Util::Windows::ADSI
       new(name, Puppet::Util::Windows::ADSI.create(name, 'group'))
     end
 
-    def self.exists?(name)
-      Puppet::Util::Windows::ADSI.connectable?(Group.uri(name))
+    def self.exists?(name_or_sid)
+      well_known = false
+      if (sid = Puppet::Util::Windows::SID.name_to_sid_object(name_or_sid))
+        return true if sid.account_type == :SidTypeGroup
+
+        # 'well known group' is special as it can be a group like Everyone OR a user like SYSTEM
+        # so try to resolve it
+        # https://msdn.microsoft.com/en-us/library/cc234477.aspx
+        well_known = sid.account_type == :SidTypeWellKnownGroup
+        return false if sid.account_type != :SidTypeAlias && !well_known
+        name_or_sid = "#{sid.domain}\\#{sid.account}"
+      end
+
+      user = Puppet::Util::Windows::ADSI.connect(Group.uri(*Group.parse_name(name_or_sid)))
+      user.Class == 'Group'
+    rescue
+      # special groups like Authenticated Users cannot resolve via moniker like WinNT://./Authenticated Users,group
+      # and thus fail to connect - so given a validly resolved SID, this failure is ambiguous as it
+      # may indicate either a group like Service or an account like SYSTEM
+      well_known
     end
 
     def self.delete(name)