puppet 4.9.4 → 4.10.0

data/lib/puppet/util/execution.rb

@@ -153,15 +153,18 @@ module Puppet::Util::Execution
         :squelch => false,
         :override_locale => true,
         :custom_environment => {},
+        :sensitive => false,
     }
 
     options = default_options.merge(options)
 
-    if command.is_a?(Array)
+    if options[:sensitive]
+      command_str = '[redacted]'
+    elsif command.is_a?(Array)
       command = command.flatten.map(&:to_s)
-      str = command.join(" ")
+      command_str = command.join(" ")
     elsif command.is_a?(String)
-      str = command
+      command_str = command
     end
 
     user_log_s = ''
@@ -176,9 +179,9 @@ module Puppet::Util::Execution
     end
 
     if respond_to? :debug
-      debug "Executing#{user_log_s}: '#{str}'"
+      debug "Executing#{user_log_s}: '#{command_str}'"
     else
-      Puppet.debug "Executing#{user_log_s}: '#{str}'"
+      Puppet.debug "Executing#{user_log_s}: '#{command_str}'"
     end
 
     null_file = Puppet.features.microsoft_windows? ? 'NUL' : '/dev/null'
@@ -229,7 +232,7 @@ module Puppet::Util::Execution
       end
 
       if options[:failonfail] and exit_status != 0
-        raise Puppet::ExecutionFailure, "Execution of '#{str}' returned #{exit_status}: #{output.strip}"
+        raise Puppet::ExecutionFailure, "Execution of '#{command_str}' returned #{exit_status}: #{output.strip}"
       end
     ensure
       if !options[:squelch] && stdout

data/lib/puppet/util/reference.rb

@@ -13,7 +13,8 @@ class Puppet::Util::Reference
   instance_load(:reference, 'puppet/reference')
 
   def self.footer
-    "\n\n----------------\n\n*This page autogenerated on #{Time.now}*\n"
+    #TRANSLATORS message accompanied by date of generation
+    "\n\n----------------\n\n*" + _("This page autogenerated on ") + "#{Time.now}*\n"
   end
 
   def self.modes
@@ -111,7 +112,8 @@ class Puppet::Util::Reference
   def to_markdown(withcontents = true)
     # First the header
     text = markdown_header(@title, 1)
-    text << "\n\n**This page is autogenerated; any changes will get overwritten** *(last generated on #{Time.now.to_s})*\n\n"
+    #TRANSLATORS message accompanied by date of generation
+    text << _("\n\n**This page is autogenerated; any changes will get overwritten** *(last generated on ") + "#{Time.now.to_s})*\n\n"
 
     text << @header
 

data/lib/puppet/util/windows/file.rb

@@ -48,11 +48,15 @@ module Puppet::Util::Windows::File
      FILE_EXECUTE |
      SYNCHRONIZE
 
+  REPLACEFILE_WRITE_THROUGH         = 0x1
+  REPLACEFILE_IGNORE_MERGE_ERRORS   = 0x2
+  REPLACEFILE_IGNORE_ACL_ERRORS     = 0x3
+
   def replace_file(target, source)
     target_encoded = wide_string(target.to_s)
     source_encoded = wide_string(source.to_s)
 
-    flags = 0x1
+    flags = REPLACEFILE_IGNORE_MERGE_ERRORS
     backup_file = nil
     result = ReplaceFileW(
       target_encoded,

data/lib/puppet/version.rb

@@ -5,9 +5,8 @@
 # The version can be set programmatically because we want to allow the
 # Raketasks and such to set the version based on the output of `git describe`
 
-
 module Puppet
-  PUPPETVERSION = '4.9.4'
+  PUPPETVERSION = '4.10.0'
 
   ##
   # version is a public API method intended to always provide a fast and
@@ -68,6 +67,11 @@ module Puppet
     @puppet_version ||= PUPPETVERSION
   end
 
+  # @return [String] containing the puppet version to minor specificity, e.g. "3.0"
+  def self.minor_version
+    self.version.split('.')[0..1].join('.')
+  end
+
   def self.version=(version)
     @puppet_version = version
   end

data/locales/config.yaml

@@ -26,4 +26,4 @@ gettext:
     - 'lib/puppet/pops/types/type_formatter.rb'
     # The semantic_puppet gem is temporarily vendored (PUP-7114), and it
     # handles its own translation.
-    - 'lib/semantic_puppet/**/*.rb'
+    - 'lib/puppet/vendor/**/*.rb'

data/locales/puppet.pot

@@ -6,11 +6,11 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: Puppet automation framework 4.8.2-338-g562b302\n"
+"Project-Id-Version: Puppet automation framework 4.9.4-162-g7637326\n"
 "\n"
 "Report-Msgid-Bugs-To: https://tickets.puppetlabs.com\n"
-"POT-Creation-Date: 2017-01-25 09:32-0800\n"
-"PO-Revision-Date: 2017-01-25 09:32-0800\n"
+"POT-Creation-Date: 2017-03-22 13:57-0700\n"
+"PO-Revision-Date: 2017-03-22 13:57-0700\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: \n"
@@ -40,7 +40,7 @@ msgid ""
 "      $ puppet help\n"
 msgstr ""
 
-msgid "--version VERSION"
+msgid "VERSION"
 msgstr ""
 
 msgid "The version of the subcommand for which to show help."
@@ -77,3 +77,17 @@ msgstr ""
 
 msgid "! Subcommand unavailable due to error. Check error logs."
 msgstr ""
+
+msgid "%{error}: %{value} is not valid UTF-8 and cannot be transcoded by Puppet."
+msgstr ""
+
+#. TRANSLATORS message accompanied by date of generation
+msgid "This page autogenerated on "
+msgstr ""
+
+#. TRANSLATORS message accompanied by date of generation
+msgid ""
+"\n"
+"\n"
+"**This page is autogenerated; any changes will get overwritten** *(last generated on "
+msgstr ""

data/spec/integration/ssl/autosign_spec.rb

@@ -4,6 +4,8 @@ describe "autosigning" do
   include PuppetSpec::Files
 
   let(:puppet_dir) { tmpdir("ca_autosigning") }
+  let(:utf8_value) { "utf8_\u06FF\u16A0\u{2070E}" }
+  let(:utf8_value_binary_string) { utf8_value.force_encoding(Encoding::BINARY) }
   let(:csr_attributes_content) do
     {
       'custom_attributes' => {
@@ -12,10 +14,16 @@ describe "autosigning" do
         '1.3.6.1.4.1.34380.2.2' => # system IPs in hex
           [ 0xC0A80001, # 192.168.0.1
             0xC0A80101 ], # 192.168.1.1
+        # different UTF-8 widths
+        # 1-byte A
+        # 2-byte ۿ - http://www.fileformat.info/info/unicode/char/06ff/index.htm - 0xDB 0xBF / 219 191
+        # 3-byte ᚠ - http://www.fileformat.info/info/unicode/char/16A0/index.htm - 0xE1 0x9A 0xA0 / 225 154 160
+        # 4-byte 𠜎 - http://www.fileformat.info/info/unicode/char/2070E/index.htm - 0xF0 0xA0 0x9C 0x8E / 240 160 156 142
+        '1.2.840.113549.1.9.7' => utf8_value,
       },
       'extension_requests' => {
         'pp_uuid' => 'abcdef',
-        '1.3.6.1.4.1.34380.1.1.2' => '1234', # pp_instance_id
+        '1.3.6.1.4.1.34380.1.1.2' => utf8_value, # pp_instance_id
         '1.3.6.1.4.1.34380.1.2.1' => 'some-value', # private extension
       },
     }
@@ -107,14 +115,20 @@ describe "autosigning" do
         csr = Puppet::SSL::CertificateRequest.indirection.find(host.name)
         expect(csr.request_extensions).to have(3).items
         expect(csr.request_extensions).to include('oid' => 'pp_uuid', 'value' => 'abcdef')
-        expect(csr.request_extensions).to include('oid' => 'pp_instance_id', 'value' => '1234')
+        expect(csr.request_extensions).to include('oid' => 'pp_instance_id', 'value' => utf8_value_binary_string)
         expect(csr.request_extensions).to include('oid' => '1.3.6.1.4.1.34380.1.2.1', 'value' => 'some-value')
       end
 
+      it "pulls custom attributes from the csr_attributes file into the certificate" do
+        csr = Puppet::SSL::CertificateRequest.indirection.find(host.name)
+        expect(csr.custom_attributes).to have(4).items
+        expect(csr.custom_attributes).to include('oid' => 'challengePassword', 'value' => utf8_value_binary_string)
+      end
+
       it "copies extension requests to certificate" do
         cert = ca.sign(host.name)
         expect(cert.custom_extensions).to include('oid' => 'pp_uuid', 'value' => 'abcdef')
-        expect(cert.custom_extensions).to include('oid' => 'pp_instance_id', 'value' => '1234')
+        expect(cert.custom_extensions).to include('oid' => 'pp_instance_id', 'value' => utf8_value_binary_string)
         expect(cert.custom_extensions).to include('oid' => '1.3.6.1.4.1.34380.1.2.1', 'value' => 'some-value')
       end
 
@@ -122,6 +136,7 @@ describe "autosigning" do
         cert = ca.sign(host.name)
         cert.custom_extensions.each do |ext|
           expect(Puppet::SSL::Oids.subtree_of?('1.3.6.1.4.1.34380.2', ext['oid'])).to be_falsey
+          expect(ext['oid']).to_not eq('1.2.840.113549.1.9.7')
         end
       end
     end

data/spec/integration/ssl/key_spec.rb

@@ -0,0 +1,104 @@
+#! /usr/bin/env ruby
+require 'spec_helper'
+
+require 'puppet/ssl/key'
+
+describe Puppet::SSL::Key do
+  include PuppetSpec::Files
+
+  # different UTF-8 widths
+  # 1-byte A
+  # 2-byte ۿ - http://www.fileformat.info/info/unicode/char/06ff/index.htm - 0xDB 0xBF / 219 191
+  # 3-byte ᚠ - http://www.fileformat.info/info/unicode/char/16A0/index.htm - 0xE1 0x9A 0xA0 / 225 154 160
+  # 4-byte ܎ - http://www.fileformat.info/info/unicode/char/2070E/index.htm - 0xF0 0xA0 0x9C 0x8E / 240 160 156 142
+  let (:mixed_utf8) { "A\u06FF\u16A0\u{2070E}" } # Aۿᚠ܎
+
+  before do
+    # Get a safe temporary file
+    dir = tmpdir('key_integration_testing')
+
+    Puppet.settings[:confdir] = dir
+    Puppet.settings[:vardir] = dir
+
+    # This is necessary so the terminus instances don't lie around.
+    # and so that Puppet::SSL::Key.indirection.save may be used
+    Puppet::SSL::Key.indirection.termini.clear
+  end
+
+  describe 'with a custom user-specified passfile' do
+
+    before do
+      # write custom password file to where Puppet expects
+      password_file = tmpfile('passfile')
+      Puppet[:passfile] = password_file
+      Puppet::FileSystem.open(password_file, nil, 'w:UTF-8') { |f| f.print(mixed_utf8) }
+    end
+
+    it 'should use the configured password file if it is not the CA key' do
+      key = Puppet::SSL::Key.new('test')
+      expect(key.password_file).to eq(Puppet[:passfile])
+      expect(key.password).to eq(mixed_utf8.force_encoding(Encoding::BINARY))
+    end
+
+    it "should be able to read an existing private key given the correct password" do
+      Puppet[:keylength] = '50'
+
+      key_name = 'test'
+      # use OpenSSL APIs to generate a private key
+      private_key = OpenSSL::PKey::RSA.generate(512)
+
+      # stash it in Puppets private key directory
+      FileUtils.mkdir_p(Puppet[:privatekeydir])
+      pem_path = File.join(Puppet[:privatekeydir], "#{key_name}.pem")
+      Puppet::FileSystem.open(pem_path, nil, 'w:UTF-8') do |f|
+        # with password protection enabled
+        pem = private_key.to_pem(OpenSSL::Cipher::DES.new(:EDE3, :CBC), mixed_utf8)
+        f.print(pem)
+      end
+
+      # indirector loads existing .pem off disk instead of replacing it
+      host = Puppet::SSL::Host.new(key_name)
+      host.generate
+
+      # newly loaded host private key matches the manually created key
+      # Private-Key: (512 bit) style data
+      expect(host.key.content.to_text).to eq(private_key.to_text)
+      # -----BEGIN RSA PRIVATE KEY-----
+      expect(host.key.content.to_s).to eq(private_key.to_s)
+      expect(host.key.password).to eq(mixed_utf8.force_encoding(Encoding::BINARY))
+    end
+
+    it 'should export the private key to PEM using the password' do
+      Puppet[:keylength] = '50'
+
+      key_name = 'test'
+
+      # uses specified :passfile when writing the private key
+      key = Puppet::SSL::Key.new(key_name)
+      key.generate
+      Puppet::SSL::Key.indirection.save(key)
+
+      # indirector writes file here
+      pem_path = File.join(Puppet[:privatekeydir], "#{key_name}.pem")
+
+      # note incorrect password is an error
+      expect do
+        Puppet::FileSystem.open(pem_path, nil, 'r:ASCII') do |f|
+          reloaded_key = OpenSSL::PKey::RSA.new(f.read, 'invalid_password')
+        end
+      end.to raise_error(OpenSSL::PKey::RSAError)
+
+      # but when specifying the correct password
+      reloaded_key = nil
+      Puppet::FileSystem.open(pem_path, nil, 'r:ASCII') do |f|
+        reloaded_key = OpenSSL::PKey::RSA.new(f.read, mixed_utf8)
+      end
+
+      # the original key matches the manually reloaded key
+      # Private-Key: (512 bit) style data
+      expect(key.content.to_text).to eq(reloaded_key.to_text)
+      # -----BEGIN RSA PRIVATE KEY-----
+      expect(key.content.to_s).to eq(reloaded_key.to_s)
+    end
+  end
+end

data/spec/integration/type/user_spec.rb

@@ -8,9 +8,16 @@ describe Puppet::Type.type(:user), '(integration)', :unless => Puppet.features.m
   include PuppetSpec::Compiler
 
   context "when set to purge ssh keys from a file" do
+    # different UTF-8 widths
+    # 1-byte A
+    # 2-byte ۿ - http://www.fileformat.info/info/unicode/char/06ff/index.htm - 0xDB 0xBF / 219 191
+    # 3-byte ᚠ - http://www.fileformat.info/info/unicode/char/16A0/index.htm - 0xE1 0x9A 0xA0 / 225 154 160
+    # 4-byte 𠜎 - http://www.fileformat.info/info/unicode/char/2070E/index.htm - 0xF0 0xA0 0x9C 0x8E / 240 160 156 142
+    let (:mixed_utf8) { "A\u06FF\u16A0\u{2070E}" } # Aۿᚠ𠜎
+
     let(:tempfile) do
       file_containing('user_spec', <<-EOF)
-        # comment
+        # comment #{mixed_utf8}
         ssh-rsa KEY-DATA key-name
         ssh-rsa KEY-DATA key name
         EOF
@@ -22,12 +29,12 @@ describe Puppet::Type.type(:user), '(integration)', :unless => Puppet.features.m
 
     it "should purge authorized ssh keys" do
       apply_compiled_manifest(manifest)
-      expect(File.read(tempfile)).not_to match(/key-name/)
+      expect(File.read(tempfile, :encoding => Encoding::UTF_8)).not_to match(/key-name/)
     end
 
     it "should purge keys with spaces in the comment string" do
       apply_compiled_manifest(manifest)
-      expect(File.read(tempfile)).not_to match(/key name/)
+      expect(File.read(tempfile, :encoding => Encoding::UTF_8)).not_to match(/key name/)
     end
 
     context "with other prefetching resources evaluated first" do
@@ -35,14 +42,14 @@ describe Puppet::Type.type(:user), '(integration)', :unless => Puppet.features.m
 
       it "should purge authorized ssh keys" do
         apply_compiled_manifest(manifest)
-        expect(File.read(tempfile)).not_to match(/key-name/)
+        expect(File.read(tempfile, :encoding => Encoding::UTF_8)).not_to match(/key-name/)
       end
     end
 
     context "with multiple unnamed keys" do
       let(:tempfile) do
         file_containing('user_spec', <<-EOF)
-          # comment
+          # comment #{mixed_utf8}
           ssh-rsa KEY-DATA1
           ssh-rsa KEY-DATA2
           EOF
@@ -50,7 +57,7 @@ describe Puppet::Type.type(:user), '(integration)', :unless => Puppet.features.m
 
       it "should purge authorized ssh keys" do
         apply_compiled_manifest(manifest)
-        expect(File.read(tempfile)).not_to match(/KEY-DATA/)
+        expect(File.read(tempfile, :encoding => Encoding::UTF_8)).not_to match(/KEY-DATA/)
       end
     end
   end

data/spec/spec_helper.rb

@@ -8,6 +8,13 @@ $LOAD_PATH.unshift File.join(dir, 'lib')
 # Don't want puppet getting the command line arguments for rake or autotest
 ARGV.clear
 
+# Stub out gettext's `_` method, which attempts to load translations.
+# Several of our mocks (mostly around file system interaction) are broken by
+# FastGettext's implementation of this method.
+def _(msg)
+  msg
+end
+
 begin
   require 'rubygems'
 rescue LoadError

data/spec/unit/application/inspect_spec.rb

@@ -42,6 +42,11 @@ describe Puppet::Application::Inspect do
       Puppet::Resource::Catalog.indirection.expects(:terminus_class=).with(:yaml)
       expect { @inspect.setup }.not_to raise_error
     end
+
+    it "should be marked as deprecated" do
+      @inspect.setup
+      expect(@inspect.deprecated?).to be true
+    end
   end
 
   describe "when executing", :uses_checksums => true do
@@ -193,8 +198,10 @@ describe Puppet::Application::Inspect do
 
           @inspect.run_command
 
-          expect(@report.logs.first).not_to eq(nil)
-          expect(@report.logs.first.message).to match(/Could not back up/)
+          # First several errors are deprecation warnings, find correct log message
+          expect(@report.logs).to be_any { |l|
+            /Could not back up/.match(l.message)
+          }
         end
       end
 

data/spec/unit/data_providers/function_data_provider_spec.rb

@@ -90,7 +90,7 @@ describe "when using function data provider" do
     env_loader.add_entry(:function, 'environment::data', f.new(compiler.topscope, env_loader), nil)
     expect do
       compiler.compile()
-    end.to raise_error(/Value returned from deprecated API function "environment::data" has wrong type/)
+    end.to raise_error(/Value returned from deprecated API function 'environment::data' has wrong type/)
   end
 
   it 'raises an error if the module data function does not return a hash' do
@@ -109,7 +109,7 @@ describe "when using function data provider" do
     module_loader.add_entry(:function, 'abc::data', f.new(compiler.topscope, module_loader), nil)
     expect do
       compiler.compile()
-    end.to raise_error(/Value returned from deprecated API function "abc::data" has wrong type/)
+    end.to raise_error(/Value returned from deprecated API function 'abc::data' has wrong type/)
   end
 
   def parent_fixture(dir_name)

data/spec/unit/etc_spec.rb

@@ -0,0 +1,234 @@
+require 'puppet'
+require 'spec_helper'
+
+# The Ruby::Etc module is largely non-functional on Windows - many methods
+# simply return nil regardless of input, the Etc::Group struct is not defined,
+# and Etc::Passwd is missing fields
+describe Puppet::Etc, :if => !Puppet.features.microsoft_windows? do
+  let(:bin) { 'bin'.force_encoding(Encoding::ISO_8859_1) }
+  let(:root) { 'root'.force_encoding(Encoding::ISO_8859_1) }
+  let(:x) { 'x'.force_encoding(Encoding::ISO_8859_1) }
+  let(:daemon) { 'daemon'.force_encoding(Encoding::ISO_8859_1) }
+  let(:root_comment) { 'i am the root user'.force_encoding(Encoding::ISO_8859_1) }
+  let(:user_struct_iso_8859_1) { Etc::Passwd.new(root, x, 0, 0, root_comment) }
+  let(:group_struct_iso_8859_1) { Etc::Group.new(bin, x, 1, [root, bin, daemon]) }
+
+  # http://www.fileformat.info/info/unicode/char/5e0c/index.htm
+  # 希 Han Character 'rare; hope, expect, strive for'
+  # In EUC_KR: \xfd \xf1 - 253 241
+  # Not convertible to UTF-8, likely to be read in as BINARY by Ruby unless system is in EUC_KR
+  let(:not_convertible) { [254, 241].pack('C*') }
+
+  # characters representing different UTF-8 widths
+  # 1-byte A
+  # 2-byte ۿ - http://www.fileformat.info/info/unicode/char/06ff/index.htm - 0xDB 0xBF / 219 191
+  # 3-byte ᚠ - http://www.fileformat.info/info/unicode/char/16A0/index.htm - 0xE1 0x9A 0xA0 / 225 154 160
+  # 4-byte 𠜎 - http://www.fileformat.info/info/unicode/char/2070E/index.htm - 0xF0 0xA0 0x9C 0x8E / 240 160 156 142
+  #
+  # Should all convert cleanly to UTF-8
+  # Unless the system is in UTF-8, these will likely be read in as BINARY by Ruby
+  let(:convertible_utf8) { "A\u06FF\u16A0\u{2070E}" } # Aۿᚠ𠜎
+  let(:convertible_binary) { "A\u06FF\u16A0\u{2070E}".force_encoding(Encoding::BINARY) }
+
+  # For the methods described which actually expect an encoding conversion, we
+  # only superficially test via #force_encoding - the deeper level testing is in
+  # character_encoding_spec.rb which handles testing transcoding etc.
+
+  describe "getgrent" do
+    context "given an original system Etc Group struct with ISO-8850-1 string values" do
+      before { Etc.expects(:getgrent).returns(group_struct_iso_8859_1) }
+      let(:converted) { Puppet::Etc.getgrent }
+
+      it "should return a struct with :name and :passwd field values converted to UTF-8" do
+        [converted.name, converted.passwd].each do |value|
+          expect(value.encoding).to eq(Encoding::UTF_8)
+        end
+      end
+
+      it "should return a struct with a :mem array with all field values converted to UTF-8" do
+        converted.mem.each { |elem| expect(elem.encoding).to eq(Encoding::UTF_8) }
+      end
+    end
+
+    context "given an original Etc::Group struct with field values that cannot be converted to UTF-8" do
+      let(:group) { Etc::Group.new }
+      before do
+        # group membership contains valid and invalid UTF-8
+        group.mem = [convertible_binary, not_convertible]
+        # group name contains a value that is invalid UTF-8
+        group.name = not_convertible
+        # group passwd field is valid UTF-8
+        group.passwd = convertible_binary
+
+        Etc.expects(:getgrent).returns(group)
+      end
+
+      let(:converted) { Puppet::Etc.getgrent }
+
+      it "should convert convertible values in arrays to UTF-8" do
+        expect(converted.mem[0]).to eq("A\u06FF\u16A0\u{2070E}")
+        expect(converted.mem[0].encoding).to eq(Encoding::UTF_8) # just being explicit
+      end
+
+      it "should leave the unconvertible values unmodified" do
+        expect(converted.name).to eq([254, 241].pack('C*'))
+        expect(converted.name.encoding).to eq(Encoding::BINARY) # just being explicit
+      end
+
+      it "should leave unconvertible values in arrays unmodifed" do
+        expect(converted.mem[1]).to eq([254, 241].pack('C*'))
+        expect(converted.mem[1].encoding).to eq(Encoding::BINARY) # just being explicit
+      end
+
+      it "should convert values that can be converted to UTf-8" do
+        expect(converted.passwd).to eq("A\u06FF\u16A0\u{2070E}")
+        expect(converted.passwd.encoding).to eq(Encoding::UTF_8) # just being explicit
+      end
+    end
+  end
+
+  describe "endgrent" do
+    it "should call Etc.getgrent" do
+      Etc.expects(:getgrent)
+      Puppet::Etc.getgrent
+    end
+  end
+
+  describe "setgrent" do
+    it "should call Etc.setgrent" do
+      Etc.expects(:setgrent)
+      Puppet::Etc.setgrent
+    end
+  end
+
+  describe "getpwent" do
+    context "given an original system Etc Passwd struct with ISO-8859-1 string values" do
+      before { Etc.expects(:getpwent).returns(user_struct_iso_8859_1) }
+      let(:converted) { Puppet::Etc.getpwent }
+
+      it "should return an Etc Passwd struct with field values converted to UTF-8" do
+        [converted.name, converted.passwd, converted.gecos].each do |value|
+          expect(value.encoding).to eq(Encoding::UTF_8)
+        end
+      end
+    end
+
+    context "given an original Etc::Passwd struct with field values that cannot be converted to UTF-8" do
+      let(:user) { Etc::Passwd.new }
+      before do
+        # user comment field cannot be converted to UTF-8
+        user.gecos =  not_convertible
+        # user passwd field is valid UTF-8
+        user.passwd = convertible_binary
+
+        Etc.expects(:getpwent).returns(user)
+      end
+
+      let(:converted) { Puppet::Etc.getpwent }
+
+      it "should leave the unconvertible values unmodified" do
+        expect(converted.gecos).to eq([254, 241].pack('C*'))
+        expect(converted.gecos.encoding).to eq(Encoding::BINARY) # just being explicit
+      end
+
+      it "should convert values that can be converted to UTf-8" do
+        expect(converted.passwd).to eq("A\u06FF\u16A0\u{2070E}")
+        expect(converted.passwd.encoding).to eq(Encoding::UTF_8) # just being explicit
+      end
+    end
+  end
+
+  describe "endpwent" do
+    it "should call Etc.endpwent" do
+      Etc.expects(:endpwent)
+      Puppet::Etc.endpwent
+    end
+  end
+
+  describe "setpwent" do
+    it "should call Etc.setpwent" do
+      Etc.expects(:setpwent)
+      Puppet::Etc.setpwent
+    end
+  end
+
+  describe "getpwnam" do
+    context "given a username to query" do
+      it "should call Etc.getpwnam with that username" do
+        Etc.expects(:getpwnam).with('foo')
+        Puppet::Etc.getpwnam('foo')
+      end
+    end
+
+    context "given an original system Etc Passwd struct with ISO-8859-1 string values" do
+      it "should return an Etc Passwd struct with field values converted to UTF-8" do
+        Etc.expects(:getpwnam).with('root').returns(user_struct_iso_8859_1)
+        converted = Puppet::Etc.getpwnam('root')
+        [converted.name, converted.passwd, converted.gecos].each do |value|
+          expect(value.encoding).to eq(Encoding::UTF_8)
+        end
+      end
+    end
+  end
+
+  describe "getgrnam" do
+    context "given a group name to query" do
+      it "should call Etc.getgrnam with that group name" do
+        Etc.expects(:getgrnam).with('foo')
+        Puppet::Etc.getgrnam('foo')
+      end
+    end
+
+    context "given an original system Etc Group struct with ISO-8859-1 string values" do
+      it "should return an Etc Group struct with field values converted to UTF-8" do
+        Etc.expects(:getgrnam).with('bin').returns(group_struct_iso_8859_1)
+        converted = Puppet::Etc.getgrnam('bin')
+        [converted.name, converted.passwd].each do |value|
+          expect(value.encoding).to eq(Encoding::UTF_8)
+        end
+        converted.mem.each { |elem| expect(elem.encoding).to eq(Encoding::UTF_8) }
+      end
+    end
+  end
+
+  describe "getgrgid" do
+    context "given a group ID to query" do
+      it "should call Etc.getgrgid with the id" do
+        Etc.expects(:getgrgid).with(0)
+        Puppet::Etc.getgrgid(0)
+      end
+    end
+
+    context "given an original Etc Group struct with field values in ISO-8859-1" do
+      it "should return an Etc Group struct with field values converted to UTF-8" do
+        Etc.expects(:getgrgid).with(1).returns(group_struct_iso_8859_1)
+        converted = Puppet::Etc.getgrgid(1)
+        [converted.name, converted.passwd].each do |value|
+          expect(value.encoding).to eq(Encoding::UTF_8)
+        end
+        converted.mem.each { |elem| expect(elem.encoding).to eq(Encoding::UTF_8) }
+      end
+    end
+  end
+
+  describe "getpwid" do
+    context "given a UID to query" do
+      it "should call Etc.getpwuid with the id" do
+        Etc.expects(:getpwuid).with(2)
+        Puppet::Etc.getpwuid(2)
+      end
+    end
+  end
+
+  context "given an orginal Etc Passwd struct with field values in ISO-8859-1" do
+    it "should return an Etc Passwd struct with field values converted to UTF-8" do
+      Etc.expects(:getpwuid).with(0).returns(user_struct_iso_8859_1)
+      converted = Puppet::Etc.getpwuid(0)
+      [converted.name, converted.passwd, converted.gecos].each do |value|
+        expect(value.encoding).to eq(Encoding::UTF_8)
+      end
+    end
+  end
+
+
+end