puppet 5.3.5 → 5.3.6

data/lib/puppet/parser/functions/return.rb

@@ -4,7 +4,8 @@ Puppet::Parser::Functions::newfunction(
   :doc => <<-DOC
 Immediately returns the given optional value from a function, class body or user defined type body.
 If a value is not given, an `undef` value is returned. This function does not return to the immediate caller.
-If called from within a lambda the return will return from the function evaluating the lambda.
+If this function is called from within a lambda, the return action is from the scope of the
+function containing the lambda (top scope), not the function accepting the lambda (local scope).
 
 The signal produced to return a value bubbles up through
 the call stack until reaching a function, class definition or
@@ -63,6 +64,26 @@ The code would notice `'bar'` but not `'foo'`
 
 Note that the returned value is ignored if used in a class or user defined type.
 
+**Example:** Using `return` in a lambda
+
+```puppet
+# Concatenate three strings into a single string formatted as a list.
+function getFruit() {
+  with("apples", "oranges", "bananas") |$x, $y, $z| {
+    return("${x}, ${y}, and ${z}")
+  }
+  notice "not reached"
+}
+$fruit = getFruit()
+notice $fruit
+
+# The output contains "apples, oranges, and bananas".
+# "not reached" is not output because the function returns its value within the
+# calling function's scope, which stops processing the calling function before
+# the `notice "not reached"` statement.
+# Using `return()` outside of a calling function results in an error.
+```
+
 * Also see functions `return` and `break`
 * Since 4.8.0
 DOC

data/lib/puppet/provider/group/windows_adsi.rb

@@ -23,12 +23,9 @@ Puppet::Type.type(:group).provide :windows_adsi do
     # Cannot use munge of the group property to canonicalize @should
     # since the default array_matching comparison is not commutative
 
+    current_sids = current.map(&:sid)
     # dupes automatically weeded out when hashes built
-    current_users = Puppet::Util::Windows::ADSI::Group.name_sid_hash(current)
-    specified_users = Puppet::Util::Windows::ADSI::Group.name_sid_hash(should)
-
-    current_sids = current_users.keys.to_a
-    specified_sids = specified_users.keys.to_a
+    specified_sids = Puppet::Util::Windows::ADSI::Group.name_sid_hash(should).keys.to_a
 
     if @resource[:auth_membership]
       current_sids.sort == specified_sids.sort
@@ -40,7 +37,7 @@ Puppet::Type.type(:group).provide :windows_adsi do
   def members_to_s(users)
     return '' if users.nil? or !users.kind_of?(Array)
     users = users.map do |user_name|
-      sid = Puppet::Util::Windows::SID.name_to_sid_object(user_name)
+      sid = Puppet::Util::Windows::SID.name_to_principal(user_name)
       if !sid
         resource.debug("#{user_name} (unresolvable to SID)")
         next user_name
@@ -58,7 +55,7 @@ Puppet::Type.type(:group).provide :windows_adsi do
   end
 
   def member_valid?(user_name)
-    ! Puppet::Util::Windows::SID.name_to_sid_object(user_name).nil?
+    ! Puppet::Util::Windows::SID.name_to_principal(user_name).nil?
   end
 
   def group

data/lib/puppet/provider/service/systemd.rb

@@ -25,7 +25,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   defaultfor :osfamily => :coreos
   defaultfor :operatingsystem => :amazon, :operatingsystemmajrelease => ["2"]
   defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ["8", "stretch/sid", "9", "buster/sid"]
-  defaultfor :operatingsystem => :ubuntu, :operatingsystemmajrelease => ["15.04","15.10","16.04","16.10"]
+  defaultfor :operatingsystem => :ubuntu, :operatingsystemmajrelease => ["15.04","15.10","16.04","16.10","17.04","17.10","18.04"]
   defaultfor :operatingsystem => :cumuluslinux, :operatingsystemmajrelease => ["3"]
 
   def self.instances

data/lib/puppet/provider/user/aix.rb

@@ -275,7 +275,7 @@ Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
     # Must receive "user:enc_password" as input
     # command, arguments = {:failonfail => true, :combine => true}
     # Fix for bugs #11200 and #10915
-    cmd = [self.class.command(:chpasswd), get_ia_module_args, '-e', '-c', user].flatten
+    cmd = [self.class.command(:chpasswd), get_ia_module_args, '-e', '-c'].flatten
     begin
       output = execute(cmd, {:failonfail => false, :combine => true, :stdinfile => tmpfile.path })
       # chpasswd can return 1, even on success (at least on AIX 6.1); empty output indicates success

data/lib/puppet/provider/user/windows_adsi.rb

@@ -52,7 +52,7 @@ Puppet::Type.type(:user).provide :windows_adsi do
   def groups_to_s(groups)
     return '' if groups.nil? || !groups.kind_of?(Array)
     groups = groups.map do |group_name|
-      sid = Puppet::Util::Windows::SID.name_to_sid_object(group_name)
+      sid = Puppet::Util::Windows::SID.name_to_principal(group_name)
       if sid.account =~ /\\/
         account, _ = Puppet::Util::Windows::ADSI::Group.parse_name(sid.account)
       else

data/lib/puppet/reference/configuration.rb

@@ -34,6 +34,8 @@ config = Puppet::Util::Reference.newreference(:configuration, :depth => 1, :doc
       val = 'Unix/Linux: /var/log/puppetlabs/puppet -- Windows: C:\ProgramData\PuppetLabs\puppet\var\log -- Non-root user: ~/.puppetlabs/var/log'
     elsif name.to_s == 'hiera_config'
       val = '$confdir/hiera.yaml. However, if a file exists at $codedir/hiera.yaml, Puppet uses that instead.'
+    elsif name.to_s == 'certname'
+      val = "the Host's fully qualified domain name, as determined by facter"
     end
 
     # Leave out the section information; it was apparently confusing people.

data/lib/puppet/resource/catalog.rb

@@ -595,7 +595,7 @@ class Puppet::Resource::Catalog < Puppet::Graph::SimpleGraph
     transaction = Puppet::Transaction.new(self, options[:report], prioritizer)
     transaction.tags = options[:tags] if options[:tags]
     transaction.ignoreschedules = true if options[:ignoreschedules]
-    transaction.for_network_device = options[:network_device]
+    transaction.for_network_device = Puppet.lookup(:network_device) { nil } || options[:network_device]
 
     transaction
   end

data/lib/puppet/type/user.rb

@@ -212,13 +212,44 @@ module Puppet
         * OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords
           on these systems, the `salt` and `iterations` attributes need to be specified as
           well as the password.
-        * Windows passwords can only be managed in cleartext, as there is no Windows API
-          for setting the password hash.
+        * Windows passwords can be managed only in cleartext, because there is no Windows
+          API for setting the password hash.
 
         [stdlib]: https://github.com/puppetlabs/puppetlabs-stdlib/
 
         Enclose any value that includes a dollar sign ($) in single quotes (') to avoid
-        accidental variable interpolation.}
+        accidental variable interpolation.
+
+        To redact passwords from reports to PuppetDB, use the `Sensitive` data type. For
+        example, this resource protects the password:
+
+        ```puppet
+        user { 'foo':
+          ensure   => present,
+          password => Sensitive("my secret password")
+        }
+        ```
+
+        This results in the password being redacted from the report, as in the
+        `previous_value`, `desired_value`, and `message` fields below.
+
+        ```yaml
+            events:
+            - !ruby/object:Puppet::Transaction::Event
+              audited: false
+              property: password
+              previous_value: "[redacted]"
+              desired_value: "[redacted]"
+              historical_value:
+              message: changed [redacted] to [redacted]
+              name: :password_changed
+              status: success
+              time: 2017-05-17 16:06:02.934398293 -07:00
+              redacted: true
+              corrective_change: false
+            corrective_change: false
+        ```
+        }
 
       validate do |value|
         raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) and value.include?(":")

data/lib/puppet/util/plist.rb

@@ -41,7 +41,7 @@ module Puppet::Util::Plist
 
         Puppet.debug "Plist #{file_path} ill-formatted, converting with plutil"
         begin
-          plist = Puppet::Util::Execution.execute(['/usr/bin/plutil', '-convert', 'xml1', '-o', '/dev/stdout', file_path],
+          plist = Puppet::Util::Execution.execute(['/usr/bin/plutil', '-convert', 'xml1', '-o', '-', file_path],
                                                   {:failonfail => true, :combine => true})
           return parse_plist(plist)
         rescue Puppet::ExecutionFailure => detail

data/lib/puppet/util/reference.rb

@@ -12,10 +12,6 @@ class Puppet::Util::Reference
 
   instance_load(:reference, 'puppet/reference')
 
-  def self.footer
-    "\n\n----------------\n\n" + _("*This page autogenerated on %{current_time}*\n") % { current_time: Time.now.to_s }
-  end
-
   def self.modes
     %w{pdf text}
   end
@@ -111,15 +107,12 @@ class Puppet::Util::Reference
   def to_markdown(withcontents = true)
     # First the header
     text = markdown_header(@title, 1)
-    #TRANSLATORS message accompanied by date of generation
-    text << _("\n\n**This page is autogenerated; any changes will get overwritten** *(last generated on %{current_time})*\n\n") % { current_time: Time.now.to_s }
+    text << _("\n\n**This page is autogenerated; any changes will get overwritten**\n\n")
 
     text << @header
 
     text << generate
 
-    text << self.class.footer if withcontents
-
     text
   end
 end

data/lib/puppet/util/windows/adsi.rb

@@ -66,7 +66,7 @@ module Puppet::Util::Windows::ADSI
       return sid_uri(sid) if sid.kind_of?(Puppet::Util::Windows::SID::Principal)
 
       begin
-        sid = Puppet::Util::Windows::SID.name_to_sid_object(sid)
+        sid = Puppet::Util::Windows::SID.name_to_principal(sid)
         sid_uri(sid)
       rescue Puppet::Util::Windows::Error, Puppet::Error
         nil
@@ -114,7 +114,7 @@ module Puppet::Util::Windows::ADSI
         Puppet::Util::Windows::SID.sid_to_name('S-1-5-32').upcase,
         # localized version of NT AUTHORITY (can't use S-1-5)
         # for instance AUTORITE NT on French Windows
-        Puppet::Util::Windows::SID.name_to_sid_object('SYSTEM').domain.upcase
+        Puppet::Util::Windows::SID.name_to_principal('SYSTEM').domain.upcase
       ]
     end
 
@@ -139,10 +139,12 @@ module Puppet::Util::Windows::ADSI
       return account, domain
     end
 
+    # returns Puppet::Util::Windows::SID::Principal[]
+    # may contain objects that represent unresolvable SIDs
     def get_sids(adsi_child_collection)
       sids = []
       adsi_child_collection.each do |m|
-        sids << Puppet::Util::Windows::SID.octet_string_to_sid_object(m.objectSID)
+        sids << Puppet::Util::Windows::SID.ads_to_principal(m)
       end
 
       sids
@@ -152,7 +154,7 @@ module Puppet::Util::Windows::ADSI
       return {} if names.nil? || names.empty?
 
       sids = names.map do |name|
-        sid = Puppet::Util::Windows::SID.name_to_sid_object(name)
+        sid = Puppet::Util::Windows::SID.name_to_principal(name)
         raise Puppet::Error.new( _("Could not resolve name: %{name}") % { name: name } ) if !sid
         [sid.sid, sid]
       end
@@ -183,7 +185,7 @@ module Puppet::Util::Windows::ADSI
     end
 
     def sid
-      @sid ||= Puppet::Util::Windows::SID.octet_string_to_sid_object(native_user.objectSID)
+      @sid ||= Puppet::Util::Windows::SID.octet_string_to_principal(native_user.objectSID)
     end
 
     def uri
@@ -336,12 +338,12 @@ module Puppet::Util::Windows::ADSI
     end
 
     def self.current_user_sid
-      Puppet::Util::Windows::SID.name_to_sid_object(current_user_name)
+      Puppet::Util::Windows::SID.name_to_principal(current_user_name)
     end
 
     def self.exists?(name_or_sid)
       well_known = false
-      if (sid = Puppet::Util::Windows::SID.name_to_sid_object(name_or_sid))
+      if (sid = Puppet::Util::Windows::SID.name_to_principal(name_or_sid))
         return true if sid.account_type == :SidTypeUser
 
         # 'well known group' is special as it can be a group like Everyone OR a user like SYSTEM
@@ -431,7 +433,7 @@ module Puppet::Util::Windows::ADSI
     end
 
     def sid
-      @sid ||= Puppet::Util::Windows::SID.octet_string_to_sid_object(native_group.objectSID)
+      @sid ||= Puppet::Util::Windows::SID.octet_string_to_principal(native_group.objectSID)
     end
 
     def commit
@@ -463,18 +465,13 @@ module Puppet::Util::Windows::ADSI
       end
     end
 
+    # returns Puppet::Util::Windows::SID::Principal[]
+    # may contain objects that represent unresolvable SIDs
+    # qualified account names are returned by calling #domain_account
     def members
-      # WIN32OLE objects aren't enumerable, so no map
-      members = []
-      # Setting WIN32OLE.codepage in the microsoft_windows feature ensures
-      # values are returned as UTF-8
-      native_group.Members.each {|m| members << m.Name}
-      members
-    end
-
-    def member_sids
       self.class.get_sids(native_group.Members)
     end
+    alias member_sids members
 
     def set_members(desired_members, inclusive = true)
       return if desired_members.nil?
@@ -508,7 +505,7 @@ module Puppet::Util::Windows::ADSI
 
     def self.exists?(name_or_sid)
       well_known = false
-      if (sid = Puppet::Util::Windows::SID.name_to_sid_object(name_or_sid))
+      if (sid = Puppet::Util::Windows::SID.name_to_principal(name_or_sid))
         return true if sid.account_type == :SidTypeGroup
 
         # 'well known group' is special as it can be a group like Everyone OR a user like SYSTEM

data/lib/puppet/util/windows/principal.rb

@@ -32,9 +32,10 @@ module Puppet::Util::Windows::SID
         @sid_bytes == compare.sid_bytes
     end
 
-    # added for backward compatibility
+    # returns authority qualified account name
+    # prefer to compare Principal instances with == operator or by #sid
     def to_s
-      @sid
+      @domain_account
     end
 
     # = 8 + max sub identifiers (15) * 4
@@ -64,14 +65,14 @@ module Puppet::Util::Windows::SID
                 last_error = FFI.errno
 
                 if (success == FFI::WIN32_FALSE && last_error != ERROR_INSUFFICIENT_BUFFER)
-                  raise Puppet::Util::Windows::Error.new(_('Failed to call LookupAccountNameW'), last_error)
+                  raise Puppet::Util::Windows::Error.new(_('Failed to call LookupAccountNameW with account: %{account_name}') % { account_name: account_name}, last_error)
                 end
 
                 FFI::MemoryPointer.new(:lpwstr, domain_length_ptr.read_dword) do |domain_ptr|
                   if LookupAccountNameW(system_name_ptr, account_name_ptr,
                       sid_ptr, sid_length_ptr,
                       domain_ptr, domain_length_ptr, name_use_enum_ptr) == FFI::WIN32_FALSE
-                   raise Puppet::Util::Windows::Error.new(_('Failed to call LookupAccountNameW'))
+                  raise Puppet::Util::Windows::Error.new(_('Failed to call LookupAccountNameW with account: %{account_name}') % { account_name: account_name} )
                   end
 
                   # with a SID returned, loop back through lookup_account_sid to retrieve official name
@@ -116,14 +117,14 @@ module Puppet::Util::Windows::SID
                 last_error = FFI.errno
 
                 if (success == FFI::WIN32_FALSE && last_error != ERROR_INSUFFICIENT_BUFFER)
-                  raise Puppet::Util::Windows::Error.new(_('Failed to call LookupAccountSidW'), last_error)
+                  raise Puppet::Util::Windows::Error.new(_('Failed to call LookupAccountSidW with bytes: %{sid_bytes}') % { sid_bytes: sid_bytes}, last_error)
                 end
 
                 FFI::MemoryPointer.new(:lpwstr, name_length_ptr.read_dword) do |name_ptr|
                   FFI::MemoryPointer.new(:lpwstr, domain_length_ptr.read_dword) do |domain_ptr|
                     if LookupAccountSidW(system_name_ptr, sid_ptr, name_ptr, name_length_ptr,
                         domain_ptr, domain_length_ptr, name_use_enum_ptr) == FFI::WIN32_FALSE
-                     raise Puppet::Util::Windows::Error.new(_('Failed to call LookupAccountSidW'))
+                     raise Puppet::Util::Windows::Error.new(_('Failed to call LookupAccountSidW with bytes: %{sid_bytes}') % { sid_bytes: sid_bytes} )
                     end
 
                     return new(

data/lib/puppet/util/windows/sid.rb

@@ -52,18 +52,18 @@ module Puppet::Util::Windows
     # 'BUILTIN\Administrators', or 'S-1-5-32-544', and will return the
     # SID. Returns nil if the account doesn't exist.
     def name_to_sid(name)
-      sid = name_to_sid_object(name)
+      sid = name_to_principal(name)
 
       sid ? sid.sid : nil
     end
     module_function :name_to_sid
 
-    # Convert an account name, e.g. 'Administrators' into a SID object,
+    # Convert an account name, e.g. 'Administrators' into a Principal::SID object,
     # e.g. 'S-1-5-32-544'. The name can be specified as 'Administrators',
     # 'BUILTIN\Administrators', or 'S-1-5-32-544', and will return the
     # SID object. Returns nil if the account doesn't exist.
     # This method returns a SID::Principal with the account, domain, SID, etc
-    def name_to_sid_object(name)
+    def name_to_principal(name)
       # Apparently, we accept a symbol..
       name = name.to_s.strip if name
 
@@ -81,21 +81,50 @@ module Puppet::Util::Windows
     rescue
       nil
     end
-    module_function :name_to_sid_object
+    module_function :name_to_principal
+    class << self; alias name_to_sid_object name_to_principal; end
 
-    # Converts an octet string array of bytes to a SID object,
+    # Converts an octet string array of bytes to a SID::Principal object,
     # e.g. [1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0] is the representation for
     # S-1-5-18, the local 'SYSTEM' account.
     # Raises an Error for nil or non-array input.
     # This method returns a SID::Principal with the account, domain, SID, etc
-    def octet_string_to_sid_object(bytes)
+    def octet_string_to_principal(bytes)
       if !bytes || !bytes.respond_to?('pack') || bytes.empty?
         raise Puppet::Util::Windows::Error.new(_("Octet string must be an array of bytes"))
       end
 
       Principal.lookup_account_sid(bytes)
     end
-    module_function :octet_string_to_sid_object
+    module_function :octet_string_to_principal
+    class << self; alias octet_string_to_sid_object octet_string_to_principal; end
+
+    # Converts a COM instance of IAdsUser or IAdsGroup to a SID::Principal object,
+    # Raises an Error for nil or an object without an objectSID / Name property.
+    # This method returns a SID::Principal with the account, domain, SID, etc
+    # This method will return instances even when the SID is unresolvable, as
+    # may be the case when domain users have been added to local groups, but
+    # removed from the domain
+    def ads_to_principal(ads_object)
+      if !ads_object || !ads_object.respond_to?(:ole_respond_to?) ||
+        !ads_object.ole_respond_to?(:objectSID) || !ads_object.ole_respond_to?(:Name)
+        raise Puppet::Error.new("ads_object must be an IAdsUser or IAdsGroup instance")
+      end
+      octet_string_to_principal(ads_object.objectSID)
+    rescue Puppet::Util::Windows::Error => e
+      # if the error is not a lookup / mapping problem, immediately re-raise
+      raise if e.code != ERROR_NONE_MAPPED
+
+      # if the Name property isn't formatted like a SID, OR
+      if !valid_sid?(ads_object.Name) ||
+        # if the objectSID doesn't match the Name property, also raise
+        ((converted = octet_string_to_sid_string(ads_object.objectSID)) != ads_object.Name)
+        raise Puppet::Error.new("ads_object Name: #{ads_object.Name} invalid or does not match objectSID: #{ads_object.objectSID} (#{converted})", e)
+      end
+
+      unresolved_principal(ads_object.Name, ads_object.objectSID)
+    end
+    module_function :ads_to_principal
 
     # Convert a SID string, e.g. "S-1-5-32-544" to a name,
     # e.g. 'BUILTIN\Administrators'. Returns nil if an account
@@ -193,6 +222,30 @@ module Puppet::Util::Windows
     end
     module_function :get_length_sid
 
+    def octet_string_to_sid_string(sid_bytes)
+      sid_string = nil
+
+      FFI::MemoryPointer.new(:byte, sid_bytes.length) do |sid_ptr|
+        sid_ptr.write_array_of_uchar(sid_bytes)
+        sid_string = Puppet::Util::Windows::SID.sid_ptr_to_string(sid_ptr)
+      end
+
+      sid_string
+    end
+    module_function :octet_string_to_sid_string
+
+    # @api private
+    def self.unresolved_principal(name, sid_bytes)
+      Principal.new(
+        name + " (unresolvable)", # account
+        sid_bytes, # sid_bytes
+        name, # sid string
+        nil, #domain
+        # https://msdn.microsoft.com/en-us/library/cc245534.aspx?f=255&MSPPError=-2147217396
+        # Indicates that the type of object could not be determined. For example, no object with that SID exists.
+        :SidTypeUnknown)
+    end
+
     ffi_convention :stdcall
 
     # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379151(v=vs.85).aspx