puppet 5.5.16-universal-darwin → 5.5.17-universal-darwin

data/lib/puppet/provider/nameservice.rb

@@ -172,9 +172,10 @@ class Puppet::Provider::NameService < Puppet::Provider
     end
 
     begin
-      execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+      sensitive = has_sensitive_data?
+      execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
       if feature?(:manages_password_age) && (cmd = passcmd)
-        execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+        execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
       end
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, _("Could not create %{resource} %{name}: %{detail}") % { resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
@@ -276,13 +277,19 @@ class Puppet::Provider::NameService < Puppet::Provider
     self.class.validate(param, value)
     cmd = modifycmd(param, munge(param, value))
     raise Puppet::DevError, _("Nameservice command must be an array") unless cmd.is_a?(Array)
+    sensitive = has_sensitive_data?(param)
     begin
-      execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+      execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, _("Could not set %{param} on %{resource}[%{name}]: %{detail}") % { param: param, resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
     end
   end
 
+  #Derived classes can override to declare sensitive data so a flag can be passed to execute
+  def has_sensitive_data?(property = nil)
+    false
+  end
+
   # From overriding Puppet::Property#insync? Ruby Etc::getpwnam < 2.1.0 always
   # returns a struct with binary encoded string values, and >= 2.1.0 will return
   # binary encoded strings for values incompatible with current locale charset,

data/lib/puppet/provider/package/dnf.rb

@@ -9,7 +9,7 @@ Puppet::Type.type(:package).provide :dnf, :parent => :yum do
   These options should be specified as a string (e.g. '--flag'), a hash (e.g. {'--flag' => 'value'}),
   or an array where each element is either a string or a hash."
 
-  has_feature :install_options, :versionable, :virtual_packages
+  has_feature :install_options, :versionable, :virtual_packages, :install_only
 
   commands :cmd => "dnf", :rpm => "rpm"
 

data/lib/puppet/provider/package/rpm.rb

@@ -14,6 +14,7 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
   has_feature :install_options
   has_feature :uninstall_options
   has_feature :virtual_packages
+  has_feature :install_only
 
   # Note: self:: is required here to keep these constants in the context of what will
   # eventually become this Puppet::Type::Package::ProviderRpm class.
@@ -21,6 +22,7 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
   self::NEVRA_FORMAT = %Q{%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}\\n}
   self::NEVRA_REGEX  = %r{^'?(\S+) (\S+) (\S+) (\S+) (\S+)$}
   self::NEVRA_FIELDS = [:name, :epoch, :version, :release, :arch]
+  self::MULTIVERSION_SEPARATOR = "; "
 
   ARCH_LIST = [
     'noarch',
@@ -80,12 +82,9 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
 
     # list out all of the packages
     begin
-      execpipe("#{command(:rpm)} -qa #{nosignature} #{nodigest} --qf '#{self::NEVRA_FORMAT}'") { |process|
+      execpipe("#{command(:rpm)} -qa #{nosignature} #{nodigest} --qf '#{self::NEVRA_FORMAT}' | sort") { |process|
         # now turn each returned line into a package object
-        process.each_line { |line|
-          hash = nevra_to_hash(line)
-          packages << new(hash) unless hash.empty?
-        }
+        nevra_to_multiversion_hash(process).each { |hash| packages << new(hash) }
       }
     rescue Puppet::ExecutionFailure
       raise Puppet::Error, _("Failed to list packages"), $!.backtrace
@@ -101,7 +100,7 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
     #NOTE: Prior to a fix for issue 1243, this method potentially returned a cached value
     #IF YOU CALL THIS METHOD, IT WILL CALL RPM
     #Use get(:property) to check if cached values are available
-    cmd = ["-q",  @resource[:name], "#{self.class.nosignature}", "#{self.class.nodigest}", "--qf", "'#{self.class::NEVRA_FORMAT}'"]
+    cmd = ["-q",  @resource[:name], "#{self.class.nosignature}", "#{self.class.nodigest}", "--qf", "#{self.class::NEVRA_FORMAT}"]
 
     begin
       output = rpm(*cmd)
@@ -118,9 +117,7 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
         return nil
       end
     end
-    # FIXME: We could actually be getting back multiple packages
-    # for multilib and this will only return the first such package
-    @property_hash.update(self.class.nevra_to_hash(output))
+    @property_hash.update(self.class.nevra_to_multiversion_hash(output))
 
     @property_hash.dup
   end
@@ -131,8 +128,8 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
       @resource.fail _("RPMs must specify a package source")
     end
 
-    cmd = [command(:rpm), "-q", "--qf", "'#{self.class::NEVRA_FORMAT}'", "-p", source]
-    h = self.class.nevra_to_hash(execute(cmd))
+    cmd = [command(:rpm), "-q", "--qf", "#{self.class::NEVRA_FORMAT}", "-p", source]
+    h = self.class.nevra_to_multiversion_hash(execute(cmd))
     h[:ensure]
   rescue Puppet::ExecutionFailure => e
     raise Puppet::Error, e.message, e.backtrace
@@ -169,7 +166,11 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
       if @resource[:name].start_with? nav
         identifier = nav
       else
-        identifier = name
+        if @resource[:install_only]
+          identifier = get(:ensure).split(self.class::MULTIVERSION_SEPARATOR).map { |ver| "#{name}-#{ver}" }
+        else
+          identifier = name
+        end
       end
     end
     # If an arch is specified in the resource, uninstall that arch,
@@ -309,8 +310,12 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
 
   def insync?(is)
     return false if [:purged, :absent].include?(is)
+    return false if is.include?(self.class::MULTIVERSION_SEPARATOR) && !@resource[:install_only]
+
     should = resource[:ensure]
-    0 == rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(is))
+    is.split(self.class::MULTIVERSION_SEPARATOR).any? do |version|
+      0 == self.rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(version))
+    end
   end
 
   # parse a rpm "version" specification
@@ -413,4 +418,37 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
 
     return hash
   end
+
+  # @param line [String] multiple lines of rpm package query information
+  # @return list of [Hash] of NEVRA_FIELDS strings parsed from package info
+  # or an empty list if we failed to parse
+  # @api private
+  def self.nevra_to_multiversion_hash(multiline)
+    list = []
+    multiversion_hash = {}
+    multiline.each_line do |line|
+      hash = self.nevra_to_hash(line)
+      if !hash.empty?
+        if multiversion_hash.empty?
+          multiversion_hash = hash.dup
+          next
+        end
+
+        if multiversion_hash[:name] != hash[:name]
+          list << multiversion_hash
+          multiversion_hash = hash.dup
+          next
+        end
+
+        if !multiversion_hash[:ensure].include?(hash[:ensure])
+          multiversion_hash[:ensure].concat("#{self::MULTIVERSION_SEPARATOR}#{hash[:ensure]}")
+        end
+      end
+    end
+    list << multiversion_hash if multiversion_hash
+    if list.size == 1
+      return list[0]
+    end
+    return list
+  end
 end

data/lib/puppet/provider/package/yum.rb

@@ -9,7 +9,7 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
   These options should be specified as a string (e.g. '--flag'), a hash (e.g. {'--flag' => 'value'}),
   or an array where each element is either a string or a hash."
 
-  has_feature :install_options, :versionable, :virtual_packages
+  has_feature :install_options, :versionable, :virtual_packages, :install_only
 
   commands :cmd => "yum", :rpm => "rpm"
 
@@ -203,7 +203,10 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
       end
       current_package = self.query
       if current_package
-        if rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(current_package[:ensure])) < 0
+        if @resource[:install_only]
+          self.debug "Updating package #{@resource[:name]} from version #{current_package[:ensure]} to #{should} as install_only packages are never downgraded"
+          operation = update_command
+        elsif rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(current_package[:ensure])) < 0
           self.debug "Downgrading package #{@resource[:name]} from version #{current_package[:ensure]} to #{should}"
           operation = :downgrade
         elsif rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(current_package[:ensure])) > 0
@@ -228,10 +231,11 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
       is = self.query
       raise Puppet::Error, _("Could not find package %{name}") % { name: self.name } unless is
 
+      version = is[:ensure]
       # FIXME: Should we raise an exception even if should == :latest
       # and yum updated us to a version other than @param_hash[:ensure] ?
-      vercmp_result = rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(is[:ensure]))
-      raise Puppet::Error, _("Failed to update to version %{should}, got version %{version} instead") % { should: should, version: is[:ensure] } if vercmp_result != 0
+      raise Puppet::Error, _("Failed to update to version %{should}, got version %{version} instead") % { should: should, version: version } unless
+        insync?(version)
     end
   end
 

data/lib/puppet/provider/service/launchd.rb

@@ -240,12 +240,20 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   def status
     if @resource && ((@resource[:hasstatus] == :false) || (@resource[:status]))
       return super
-    else
-      if @property_hash[:status].nil?
-        :absent
+    elsif @property_hash[:status].nil?
+      # property_hash was flushed so the service changed status
+      service_name = @resource[:name]
+      # Updating services with new statuses
+      job_list = self.class.job_list
+      # if job is present in job_list, return its status
+      if job_list.key?(service_name)
+        job_list[service_name]
+      # if job is no longer present in job_list, it was stopped
       else
-        @property_hash[:status]
+        :stopped
       end
+    else
+      @property_hash[:status]
     end
   end
 
@@ -313,7 +321,14 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
     job_plist_disabled = nil
     overrides_disabled = nil
 
-    _, job_plist = plist_from_label(resource[:name])
+    begin
+      _, job_plist = plist_from_label(resource[:name])
+    rescue Puppet::Error => err
+      # if job does not exist, log the error and return false as on other platforms
+      Puppet.log_exception(err)
+      return :false
+    end
+
     job_plist_disabled = job_plist["Disabled"] if job_plist.has_key?("Disabled")
 
     if FileTest.file?(self.class.launchd_overrides) and overrides = self.class.read_overrides

data/lib/puppet/provider/service/systemd.rb

@@ -1,5 +1,7 @@
 # Manage systemd services using systemctl
 
+require 'puppet/file_system'
+
 Puppet::Type.type(:service).provide :systemd, :parent => :base do
   desc "Manages `systemd` services using `systemctl`.
 
@@ -9,14 +11,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
 
   commands :systemctl => "systemctl"
 
-  if Facter.value(:osfamily).downcase == 'debian'
-    # With multiple init systems on Debian, it is possible to have
-    # pieces of systemd around (e.g. systemctl) but not really be
-    # using systemd.  We do not do this on other platforms as it can
-    # cause issues when running in a chroot without /run mounted
-    # (PUP-5577)
-    confine :exists => "/run/systemd/system"
-  end
+  confine :true => Puppet::FileSystem.exist?('/proc/1/comm') && Puppet::FileSystem.read('/proc/1/comm').include?('systemd')
 
   defaultfor :osfamily => [:archlinux]
   defaultfor :osfamily => :redhat, :operatingsystemmajrelease => ["7", "8"]
@@ -24,7 +19,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   defaultfor :osfamily => :suse
   defaultfor :osfamily => :coreos
   defaultfor :operatingsystem => :amazon, :operatingsystemmajrelease => ["2"]
-  defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ["8", "stretch/sid", "9", "buster/sid"]
+  defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ["8", "stretch/sid", "9", "buster/sid", "10", "bullseye/sid"]
   defaultfor :operatingsystem => :ubuntu, :operatingsystemmajrelease => ["15.04","15.10","16.04","16.10","17.04","17.10","18.04"]
   defaultfor :operatingsystem => :cumuluslinux, :operatingsystemmajrelease => ["3"]
 

data/lib/puppet/provider/service/windows.rb

@@ -34,6 +34,12 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
     raise Puppet::Error.new(_("Cannot enable %{resource_name} for manual start, error was: %{detail}") % { resource_name: @resource[:name], detail: detail }, detail )
   end
 
+  def delayed_start
+    Puppet::Util::Windows::Service.set_startup_mode( @resource[:name], :SERVICE_AUTO_START, true )
+  rescue => detail
+    raise Puppet::Error.new(_("Cannot enable %{resource_name} for delayed start, error was: %{detail}") % { resource_name: @resource[:name], detail: detail }, detail )
+  end
+  
   def enabled?
     return :false unless Puppet::Util::Windows::Service.exists?(@resource[:name])
 
@@ -46,6 +52,8 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
         :true
       when :SERVICE_DEMAND_START
         :manual
+      when :SERVICE_DELAYED_AUTO_START
+        :delayed
       when :SERVICE_DISABLED
         :false
       else

data/lib/puppet/provider/user/pw.rb

@@ -66,11 +66,11 @@ Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::
 
   # use pw to update password hash
   def password=(cryptopw)
-    Puppet.debug "change password for user '#{@resource[:name]}' method called with hash '#{cryptopw}'"
+    Puppet.debug "change password for user '#{@resource[:name]}' method called with hash [redacted]"
     stdin, _, _ = Open3.popen3("pw user mod #{@resource[:name]} -H 0")
     stdin.puts(cryptopw)
     stdin.close
-    Puppet.debug "finished password for user '#{@resource[:name]}' method called with hash '#{cryptopw}'"
+    Puppet.debug "finished password for user '#{@resource[:name]}' method called with hash [redacted]"
   end
 
   # get password from /etc/master.passwd
@@ -78,10 +78,19 @@ Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::
     Puppet.debug "checking password for user '#{@resource[:name]}' method called"
     current_passline = `getent passwd #{@resource[:name]}`
     current_password = current_passline.chomp.split(':')[1] if current_passline
-    Puppet.debug "finished password for user '#{@resource[:name]}' method called : '#{current_password}'"
+    Puppet.debug "finished password for user '#{@resource[:name]}' method called : [redacted]"
     current_password
   end
 
+  def has_sensitive_data?(property = nil)
+    #Check for sensitive values?
+    properties = property ? [property] : Puppet::Type.type(:user).validproperties
+    properties.any? do |prop|
+      p = @resource.parameter(prop)
+      p && p.respond_to?(:is_sensitive) && p.is_sensitive
+    end
+  end
+
   # Get expiry from system and convert to Puppet-style date
   def expiry
     expiry = self.get(:expiry)

data/lib/puppet/provider/user/user_role_add.rb

@@ -202,6 +202,10 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
     shadow_entry[5].empty? ? -1 : shadow_entry[5]
   end
 
+  def has_sensitive_data?(property = nil)
+    false
+  end
+
   # Read in /etc/shadow, find the line for our used and rewrite it with the
   # new pw.  Smooth like 80 grit sandpaper.
   #

data/lib/puppet/provider/user/useradd.rb

@@ -147,19 +147,35 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     # validproperties is a list of properties in undefined order
     # sort them to have a predictable command line in tests
     Puppet::Type.type(:user).validproperties.sort.each do |property|
-      next if property == :ensure
-      next if property_manages_password_age?(property)
-      next if (property == :groups) && @resource.forcelocal?
-      next if (property == :expiry) && @resource.forcelocal?
+      value = get_value_for_property(property)
+      next if value.nil?
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
-      if (value = @resource.should(property)) && (value != "")
-        cmd << flag(property) << munge(property, value)
-      end
+      cmd << flag(property) << munge(property, value)
     end
     cmd
   end
 
+  def get_value_for_property(property)
+    return nil if property == :ensure
+    return nil if property_manages_password_age?(property)
+    return nil if property == :groups and @resource.forcelocal?
+    return nil if property == :expiry and @resource.forcelocal?
+    value = @resource.should(property)
+    return nil if !value || value == ""
+
+    value
+  end
+
+  def has_sensitive_data?(property = nil)
+    #Check for sensitive values?
+    properties = property ? [property] : Puppet::Type.type(:user).validproperties
+    properties.any? do |prop|
+      p = @resource.parameter(prop)
+      p && p.respond_to?(:is_sensitive) && p.is_sensitive
+    end
+  end
+
   def addcmd
     if @resource.forcelocal?
       cmd = [command(:localadd)]

data/lib/puppet/resource.rb

@@ -410,6 +410,8 @@ class Puppet::Resource
   end
 
   # Convert our resource to yaml for Hiera purposes.
+  #
+  # @deprecated Use {to_hiera_hash} instead.
   def to_hierayaml
     # Collect list of attributes to align => and move ensure first
     attr = parameters.keys
@@ -429,6 +431,21 @@ class Puppet::Resource
     "  %s:\n%s" % [self.title, attributes]
   end
 
+  # Convert our resource to a hiera hash suitable for serialization.
+  def to_hiera_hash
+    # to_data_hash converts to safe Data types, e.g. no symbols, unicode replacement character
+    h = to_data_hash
+
+    params = h['parameters'] || {}
+    value = params.delete('ensure')
+
+    res = {}
+    res['ensure'] = value if value
+    res.merge!(Hash[params.sort])
+
+    return { h['title'] => res }
+  end
+
   # Convert our resource to Puppet code.
   def to_manifest
     # Collect list of attributes to align => and move ensure first

data/lib/puppet/settings.rb

@@ -84,6 +84,46 @@ class Puppet::Settings
     "puppet.conf"
   end
 
+  def stringify_settings(section, settings = :all)
+    values_from_the_selected_section =
+      values(nil, section.to_sym)
+
+    loader_settings = {
+      :environmentpath => values_from_the_selected_section.interpolate(:environmentpath),
+      :basemodulepath => values_from_the_selected_section.interpolate(:basemodulepath),
+    }
+
+    Puppet.override(Puppet.base_context(loader_settings),
+                    _("New environment loaders generated from the requested section.")) do
+      # And now we can lookup values that include those from environments configured from
+      # the requested section
+      values = values(Puppet[:environment].to_sym, section.to_sym)
+
+      to_be_rendered = {}
+      settings = Puppet.settings.to_a.collect(&:first) if settings == :all
+      settings.sort.each do |setting_name|
+        to_be_rendered[setting_name] = values.print(setting_name.to_sym)
+      end
+
+      stringifyhash(to_be_rendered)
+    end
+  end
+
+  def stringifyhash(hash)
+    newhash = {}
+    hash.each do |key, val|
+      key = key.to_s
+      if val.is_a? Hash
+        newhash[key] = stringifyhash(val)
+      elsif val.is_a? Symbol
+        newhash[key] = val.to_s
+      else
+        newhash[key] = val
+      end
+    end
+    newhash
+  end
+
   # Create a new collection of config settings.
   def initialize
     @config = {}