puppet 5.5.14 → 5.5.16

data/lib/puppet/provider/service/upstart.rb

@@ -27,14 +27,14 @@ Puppet::Type.type(:service).provide :upstart, :parent => :debian do
   # We only want to use upstart as our provider if the upstart daemon is running.
   # This can be checked by running `initctl version --quiet` on a machine that has
   # upstart installed.
-  confine :true => lambda {
-    begin
-      initctl('version', '--quiet')
-      true
-    rescue
-      false
-    end
-  }
+  confine :true => lambda { has_initctl? }
+
+  def self.has_initctl?
+    initctl('version', '--quiet')
+    true
+  rescue
+    false
+  end
 
   # upstart developer haven't implemented initctl enable/disable yet:
   # http://www.linuxplanet.com/linuxplanet/tutorials/7033/2/

data/lib/puppet/provider/user/useradd.rb

@@ -105,11 +105,11 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     # because by default duplicates are allowed.  This check is
     # to ensure consistent behaviour of the useradd provider when
     # using both useradd and luseradd
-    if not @resource.allowdupe? and @resource.forcelocal?
-       if @resource.should(:uid) and finduser('uid', @resource.should(:uid).to_s)
+    if (!@resource.allowdupe?) && @resource.forcelocal?
+       if @resource.should(:uid) && finduser('uid', @resource.should(:uid).to_s)
            raise(Puppet::Error, "UID #{@resource.should(:uid).to_s} already exists, use allowdupe to force user creation")
        end
-    elsif @resource.allowdupe? and not @resource.forcelocal?
+    elsif @resource.allowdupe? && (!@resource.forcelocal?)
        return ["-o"]
     end
     []
@@ -126,16 +126,16 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
 
   def check_manage_home
     cmd = []
-    if @resource.managehome? and not @resource.forcelocal?
+    if @resource.managehome? && (!@resource.forcelocal?)
       cmd << "-m"
-    elsif not @resource.managehome? and Facter.value(:osfamily) == 'RedHat'
+    elsif (!@resource.managehome?) && Facter.value(:osfamily) == 'RedHat'
       cmd << "-M"
     end
     cmd
   end
 
   def check_system_users
-    if self.class.system_users? and resource.system?
+    if self.class.system_users? && resource.system?
       ["-r"]
     else
       []
@@ -149,11 +149,11 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     Puppet::Type.type(:user).validproperties.sort.each do |property|
       next if property == :ensure
       next if property_manages_password_age?(property)
-      next if property == :groups and @resource.forcelocal?
-      next if property == :expiry and @resource.forcelocal?
+      next if (property == :groups) && @resource.forcelocal?
+      next if (property == :expiry) && @resource.forcelocal?
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
-      if value = @resource.should(property) and value != ""
+      if (value = @resource.should(property)) && (value != "")
         cmd << flag(property) << munge(property, value)
       end
     end
@@ -167,7 +167,7 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     else
       cmd = [command(:add)]
     end
-    if not @resource.should(:gid) and Puppet::Util.gid(@resource[:name])
+    if (!@resource.should(:gid)) && Puppet::Util.gid(@resource[:name])
       cmd += ["-g", @resource[:name]]
     end
     cmd += add_properties
@@ -203,7 +203,10 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     else
       cmd = [command(:delete)]
     end
-    cmd += @resource.managehome? ? ['-r'] : []
+    # Solaris `userdel -r` will fail if the homedir does not exist.
+    if @resource.managehome? && (('Solaris' != Facter.value(:operatingsystem)) || Dir.exist?(Dir.home(@resource[:name])))
+      cmd << '-r'
+    end
     cmd << @resource[:name]
   end
 
@@ -239,10 +242,10 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
       check_valid_shell
     end
      super
-     if @resource.forcelocal? and self.groups?
+     if @resource.forcelocal? && self.groups?
        set(:groups, @resource[:groups])
      end
-     if @resource.forcelocal? and @resource[:expiry]
+     if @resource.forcelocal? && @resource[:expiry]
        set(:expiry, @resource[:expiry])
      end
   end

data/lib/puppet/settings/server_list_setting.rb

@@ -4,6 +4,15 @@ class Puppet::Settings::ServerListSetting < Puppet::Settings::ArraySetting
     :server_list
   end
 
+  def print(value)
+    if value.is_a?(Array)
+      #turn into a string
+      value.map {|item| item.join(":") }.join(",")
+    else
+      value
+    end
+  end
+  
   def munge(value)
     servers = super 
     servers.map! { |server| 

data/lib/puppet/ssl/validator/default_validator.rb

@@ -10,6 +10,7 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
   attr_reader :peer_certs
   attr_reader :verify_errors
   attr_reader :ssl_configuration
+  attr_reader :last_error
 
   FIVE_MINUTES_AS_SECONDS = 5 * 60
 
@@ -40,6 +41,8 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
   def reset!
     @peer_certs = []
     @verify_errors = []
+    @hostname = nil
+    @last_error = nil
   end
 
   # Performs verification of the SSL connection and collection of the
@@ -85,6 +88,31 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
       error_string = store_context.error_string || "OpenSSL error #{error}"
 
       case error
+      when OpenSSL::X509::V_OK
+        if @hostname
+          # chain is from leaf to root, opposite of the order that `call` is invoked
+          chain_cert = store_context.chain.first
+          peer_cert = @peer_certs.last
+
+          # ruby 2.4 doesn't compare certs based on value, so force to DER byte array
+          if peer_cert && chain_cert && peer_cert.content.to_der == chain_cert.to_der && !OpenSSL::SSL.verify_certificate_identity(peer_cert.content, @hostname)
+            valid_certnames = [peer_cert.name, *peer_cert.subject_alt_names].uniq
+            if valid_certnames.size > 1
+              expected_certnames = _("expected one of %{certnames}") % { certnames: valid_certnames.join(', ') }
+            else
+              expected_certnames = _("expected %{certname}") % { certname: valid_certnames.first }
+            end
+
+            msg = _("Server hostname '%{host}' did not match server certificate; %{expected_certnames}") % { host: @hostname, expected_certnames: expected_certnames }
+            @last_error = Puppet::Error.new(msg)
+            return false
+          else
+            @verify_errors << "#{error_string} for #{current_cert.subject}"
+          end
+        else
+          @verify_errors << "#{error_string} for #{current_cert.subject}"
+        end
+
       when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
         # current_crl can be nil
         # https://github.com/ruby/ruby/blob/ruby_1_9_3/ext/openssl/ossl_x509store.c#L501-L510
@@ -118,6 +146,8 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
   # @api private
   #
   def setup_connection(connection)
+    @hostname = connection.address
+
     if ssl_certificates_are_present?
       connection.cert_store = @ssl_host.ssl_store
       connection.ca_file = @ssl_configuration.ca_auth_file

data/lib/puppet/type/package.rb

@@ -20,8 +20,8 @@ module Puppet
       requires in order to function, and you must meet those requirements
       to use a given provider.
 
-      You can declare multiple package resources with the same `name`, as long
-      as they specify different providers and have unique titles.
+      You can declare multiple package resources with the same `name` as long
+      as they have unique titles, and specify different providers and commands.
 
       Note that you must use the _title_ to make a reference to a package
       resource; `Package[<NAME>]` is not a synonym for `Package[<TITLE>]` like
@@ -66,6 +66,8 @@ module Puppet
       :methods => [:package_settings_insync?, :package_settings, :package_settings=]
     feature :virtual_packages, "The provider accepts virtual package names for install and uninstall."
 
+    feature :targetable, "The provider accepts a targeted package management command."
+
     ensurable do
       desc <<-EOT
         What state the package should be in. On packaging systems that can
@@ -271,20 +273,55 @@ module Puppet
     providify
     paramclass(:provider).isnamevar
 
-    # We have more than one namevar, so we need title_patterns. However, we
-    # cheat and set the patterns to map to name only and completely ignore
-    # provider. So far, the logic that determines uniqueness appears to just
-    # "Do The Right Thing™" when the provider is explicitly set by the user.
+    # Specify a targeted package management command.
+    newparam(:command, :required_features => :targetable) do
+      desc <<-EOT
+        The targeted command to use when managing a package:
+
+          package { 'mysql':
+            provider => gem,
+          }
+
+          package { 'mysql-opt':
+            name     => 'mysql',
+            provider => gem,
+            command  => '/opt/ruby/bin/gem',
+          }
+
+        Each provider defines a package management command; and uses the first
+        instance of the command found in the PATH.
+
+        Providers supporting the targetable feature allow you to specify the
+        absolute path of the package management command; useful when multiple
+        instances of the command are installed, or the command is not in the PATH.
+      EOT
+
+      isnamevar
+      defaultto :default
+    end
+
+    # We have more than one namevar, so we need title_patterns.
+    # However, we cheat and set the patterns to map to name only
+    # and completely ignore provider (and command, for targetable providers).
+    # So far, the logic that determines uniqueness appears to just
+    # "Do The Right Thing™" when provider (and command) are explicitly set.
     #
     # The following resources will be seen as unique by puppet:
     #
     #     # Uniqueness Key: ['mysql', nil]
-    #     package{'mysql': }
+    #     package {'mysql': }
+    #
+    #     # Uniqueness Key: ['mysql', 'gem', nil]
+    #     package {'gem-mysql':
+    #       name     => 'mysql,
+    #       provider => gem,
+    #     }
     #
-    #     # Uniqueness Key: ['mysql', 'gem']
-    #     package{'gem-mysql':
+    #     # Uniqueness Key: ['mysql', 'gem', '/opt/ruby/bin/gem']
+    #     package {'gem-mysql-opt':
     #       name     => 'mysql,
     #       provider => gem
+    #       command  => '/opt/ruby/bin/gem',
     #     }
     #
     # This does not handle the case where providers like 'yum' and 'rpm' should

data/lib/puppet/util/pidlock.rb

@@ -54,7 +54,21 @@ class Puppet::Util::Pidlock
     begin
       Process.kill(0, lock_pid)
     rescue *errors
-      @lockfile.unlock
+      return @lockfile.unlock
+    end
+
+    # Ensure the process associated with this pid is our process. If
+    # not, we can unlock the lockfile. For now this is only done on
+    # POSIX and Windows platforms (PUP-9247).
+    if Puppet.features.posix?
+      procname = Puppet::Util::Execution.execute(["ps", "-p", lock_pid, "-o", "comm="]).strip
+      args     = Puppet::Util::Execution.execute(["ps", "-p", lock_pid, "-o", "args="]).strip
+      @lockfile.unlock unless procname =~ /ruby/ && args =~ /puppet/ || procname =~ /puppet(-.*)?$/
+    elsif Puppet.features.microsoft_windows?
+      # On Windows, we're checking if the filesystem path name of the running
+      # process is our vendored ruby:
+      exe_path = Puppet::Util::Windows::Process::get_process_image_name_by_pid(lock_pid)
+      @lockfile.unlock unless exe_path =~ /\\bin\\ruby.exe$/
     end
   end
   private :clear_if_stale

data/lib/puppet/util/windows/process.rb

@@ -10,6 +10,10 @@ module Puppet::Util::Windows::Process
   WAIT_INTERVAL = 200
   # https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-creation-flags
   CREATE_NO_WINDOW = 0x08000000
+  #https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-security-and-access-rights
+  PROCESS_QUERY_INFORMATION = 0x0400
+  # https://docs.microsoft.com/en-us/windows/desktop/FileIO/naming-a-file#maximum-path-length-limitation
+  MAX_PATH_LENGTH = 32767
 
   def execute(command, arguments, stdin, stdout, stderr)
     create_args = {
@@ -62,6 +66,26 @@ module Puppet::Util::Windows::Process
   end
   module_function :get_current_process
 
+  def open_process(desired_access, inherit_handle, process_id, &block)
+    phandle = nil
+    inherit = inherit_handle ? FFI::WIN32_TRUE : FFI::WIN32_FALSE
+    begin
+      phandle = OpenProcess(desired_access, inherit, process_id)
+      if phandle == FFI::Pointer::NULL_HANDLE
+        raise Puppet::Util::Windows::Error.new(
+          "OpenProcess(#{desired_access.to_s(8)}, #{inherit}, #{process_id})")
+      end
+
+      yield phandle
+    ensure
+      FFI::WIN32.CloseHandle(phandle) if phandle
+    end
+
+    # phandle has had CloseHandle called against it, so nothing to return
+    nil
+  end
+  module_function :open_process
+
   def open_process_token(handle, desired_access, &block)
     token_handle = nil
     begin
@@ -97,6 +121,32 @@ module Puppet::Util::Windows::Process
   end
   module_function :with_process_token
 
+  def get_process_image_name_by_pid(pid)
+    image_name = ""
+
+     open_process(PROCESS_QUERY_INFORMATION, false, pid) do |phandle|
+
+       FFI::MemoryPointer.new(:dword, 1) do |exe_name_length_ptr|
+        # UTF is 2 bytes/char:
+        max_chars = MAX_PATH_LENGTH + 1
+        exe_name_length_ptr.write_dword(max_chars)
+        FFI::MemoryPointer.new(:wchar, max_chars) do |exe_name_ptr|
+          use_win32_path_format = 0
+          result = QueryFullProcessImageNameW(phandle, use_win32_path_format, exe_name_ptr, exe_name_length_ptr)
+          if result == FFI::WIN32_FALSE
+            raise Puppet::Util::Windows::Error.new(
+              "QueryFullProcessImageNameW(phandle, #{use_win32_path_format}, " +
+              "exe_name_ptr, #{max_chars}")
+          end
+          image_name = exe_name_ptr.read_wide_string(exe_name_length_ptr.read_dword)
+        end
+      end
+    end
+
+     image_name
+  end
+  module_function :get_process_image_name_by_pid
+
   def lookup_privilege_value(name, system_name = '', &block)
     FFI::MemoryPointer.new(LUID.size) do |luid_ptr|
       result = LookupPrivilegeValueW(
@@ -366,6 +416,16 @@ module Puppet::Util::Windows::Process
   attach_function_private :SetEnvironmentVariableW,
     [:lpcwstr, :lpcwstr], :win32_bool
 
+  # https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx
+  # HANDLE WINAPI OpenProcess(
+  #   _In_   DWORD DesiredAccess,
+  #   _In_   BOOL InheritHandle,
+  #   _In_   DWORD ProcessId
+  # );
+  ffi_lib :kernel32
+  attach_function_private :OpenProcess,
+    [:dword, :win32_bool, :dword], :handle
+
   # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379295(v=vs.85).aspx
   # BOOL WINAPI OpenProcessToken(
   #   _In_   HANDLE ProcessHandle,
@@ -376,6 +436,16 @@ module Puppet::Util::Windows::Process
   attach_function_private :OpenProcessToken,
     [:handle, :dword, :phandle], :win32_bool
 
+  # https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-queryfullprocessimagenamew
+  # BOOL WINAPI QueryFullProcessImageName(
+  #   _In_   HANDLE hProcess,
+  #   _In_   DWORD dwFlags,
+  #   _Out_  LPWSTR lpExeName,
+  #   _In_   PDWORD lpdwSize,
+  # );
+  ffi_lib :kernel32
+  attach_function_private :QueryFullProcessImageNameW,
+    [:handle, :dword, :lpwstr, :pdword], :win32_bool
 
   # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379261(v=vs.85).aspx
   # typedef struct _LUID {

data/lib/puppet/util/windows/registry.rb

@@ -232,7 +232,7 @@ module Puppet::Util::Windows
         begin
           case type
             when Win32::Registry::REG_SZ, Win32::Registry::REG_EXPAND_SZ
-              result = [ type, data_ptr.read_wide_string(string_length) ]
+              result = [ type, sanitize(data_ptr.read_wide_string(string_length)) ]
             when Win32::Registry::REG_MULTI_SZ
               result = [ type, data_ptr.read_wide_string(string_length).split(/\0/) ]
             when Win32::Registry::REG_BINARY
@@ -312,6 +312,12 @@ module Puppet::Util::Windows
       result
     end
 
+    def sanitize(value)
+      # Replace null bytes with a space
+      value.gsub!("\x00", ' ')
+      value
+    end
+
     ffi_convention :stdcall
 
     # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724862(v=vs.85).aspx

data/lib/puppet/util/windows/user.rb

@@ -75,15 +75,18 @@ module Puppet::Util::Windows::User
   module_function :password_is?
 
   def logon_user(name, password, &block)
-    fLOGON32_LOGON_NETWORK = 3
     fLOGON32_PROVIDER_DEFAULT = 0
+    fLOGON32_LOGON_INTERACTIVE = 2
+    fLOGON32_LOGON_NETWORK = 3
 
     token = nil
     begin
       FFI::MemoryPointer.new(:handle, 1) do |token_pointer|
-        if LogonUserW(wide_string(name), wide_string('.'), password.nil? ? FFI::Pointer::NULL : wide_string(password),
-            fLOGON32_LOGON_NETWORK, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
-          raise Puppet::Util::Windows::Error.new(_("Failed to logon user %{name}") % { name: name.inspect })
+        #try logon using network else try logon using interactive mode
+        if logon_user_by_logon_type(name, password, fLOGON32_LOGON_NETWORK, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
+          if logon_user_by_logon_type(name, password, fLOGON32_LOGON_INTERACTIVE, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
+            raise Puppet::Util::Windows::Error.new(_("Failed to logon user %{name}") % {name: name.inspect})
+          end
         end
 
         yield token = token_pointer.read_handle
@@ -95,8 +98,15 @@ module Puppet::Util::Windows::User
     # token has been closed by this point
     true
   end
+
   module_function :logon_user
 
+  def self.logon_user_by_logon_type(name, password, logon_type, logon_provider, token)
+    LogonUserW(wide_string(name), wide_string('.'), password.nil? ? FFI::Pointer::NULL : wide_string(password), logon_type, logon_provider, token)
+  end
+
+  private_class_method :logon_user_by_logon_type
+
   def load_profile(user, password)
     logon_user(user, password) do |token|
       FFI::MemoryPointer.from_string_to_wide_string(user) do |lpUserName|