puppet 5.5.6 → 5.5.7

data/lib/puppet/pops/loader/module_loaders.rb

@@ -31,7 +31,7 @@ module ModuleLoaders
                                                        nil,
                                                        puppet_lib,   # may or may not have a 'lib' above 'puppet'
                                                        'puppet_system',
-                                                        [:func_4x, :datatype]   # only load ruby functions and types from "puppet"
+                                                        [:func_4x, :func_3x, :datatype]   # only load ruby functions and types from "puppet"
                                                        )
   end
 

data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb

@@ -0,0 +1,62 @@
+# The RubyLegacyFunctionInstantiator instantiates a Puppet::Functions::Function given the ruby source
+# that calls Puppet::Functions.create_function.
+#
+class Puppet::Pops::Loader::RubyLegacyFunctionInstantiator
+  # Produces an instance of the Function class with the given typed_name, or fails with an error if the
+  # given ruby source does not produce this instance when evaluated.
+  #
+  # @param loader [Puppet::Pops::Loader::Loader] The loader the function is associated with
+  # @param typed_name [Puppet::Pops::Loader::TypedName] the type / name of the function to load
+  # @param source_ref [URI, String] a reference to the source / origin of the ruby code to evaluate
+  # @param ruby_code_string [String] ruby code in a string
+  #
+  # @return [Puppet::Pops::Functions.Function] - an instantiated function with global scope closure associated with the given loader
+  #
+  def self.create(loader, typed_name, source_ref, ruby_code_string)
+    unless ruby_code_string.is_a?(String) && ruby_code_string =~ /Puppet\:\:Parser\:\:Functions.*newfunction/m
+      raise ArgumentError, _("The code loaded from %{source_ref} does not seem to be a Puppet 3x API function - no 'newfunction' call.") % { source_ref: source_ref }
+    end
+    # make the private loader available in a binding to allow it to be passed on
+    loader_for_function = loader.private_loader
+    here = get_binding(loader_for_function)
+
+    # Avoid reloading the function if already loaded via one of the APIs that trigger 3x function loading
+    # Check if function is already loaded the 3x way (and obviously not the 4x way since we would not be here in the
+    # first place.
+    environment = Puppet.lookup(:current_environment)
+    func_info = Puppet::Parser::Functions.environment_module(environment).get_function_info(typed_name.name.to_sym)
+    if func_info.nil?
+      # This will to do the 3x loading and define the "function_<name>" and "real_function_<name>" methods
+      # in the anonymous module used to hold function definitions.
+      #
+      func_info = eval(ruby_code_string, here, source_ref, 1)
+
+      # Validate what was loaded
+      unless func_info.is_a?(Hash)
+        raise ArgumentError, _("The code loaded from %{source_ref} did not produce the expected 3x function info Hash when evaluated. Got '%{klass}'") % { source_ref: source_ref, klass: created.class }
+      end
+      unless func_info[:name] == "function_#{typed_name.name()}"
+        raise ArgumentError, _("The code loaded from %{source_ref} produced mis-matched name, expected 'function_%{type_name}', got %{created_name}") % { 
+          source_ref: source_ref, type_name: typed_name.name, created_name: func_info[:name] }
+      end
+    end
+
+    created = Puppet::Functions::Function3x.create_function(typed_name.name(), func_info, loader_for_function)
+
+    # create the function instance - it needs closure (scope), and loader (i.e. where it should start searching for things
+    # when calling functions etc.
+    # It should be bound to global scope
+
+    # Sets closure scope to nil, to let it be picked up at runtime from Puppet.lookup(:global_scope)
+    # If function definition used the loader from the binding to create a new loader, that loader wins
+    created.new(nil, loader_for_function)
+  end
+
+  # Produces a binding where the given loader is bound as a local variable (loader_injected_arg). This variable can be used in loaded
+  # ruby code - e.g. to call Puppet::Function.create_loaded_function(:name, loader,...)
+  #
+  def self.get_binding(loader_injected_arg)
+    binding
+  end
+  private_class_method :get_binding
+end

data/lib/puppet/pops/loaders.rb

@@ -505,8 +505,8 @@ class Loaders
         nil
       else
         module_data.private_loader =
-          if module_data.restrict_to_dependencies? && !Puppet[:tasks]
-            create_loader_with_only_dependencies_visible(module_data)
+          if module_data.restrict_to_dependencies?
+            create_loader_with_dependencies_first(module_data)
           else
             create_loader_with_all_modules_visible(module_data)
           end
@@ -516,29 +516,13 @@ class Loaders
     private
 
     def create_loader_with_all_modules_visible(from_module_data)
-      Puppet.debug{"ModuleLoader: module '#{from_module_data.name}' has unknown dependencies - it will have all other modules visible"}
-
       @loaders.add_loader_by_name(Loader::DependencyLoader.new(from_module_data.public_loader, "#{from_module_data.name} private", all_module_loaders()))
     end
 
-    def create_loader_with_only_dependencies_visible(from_module_data)
-      if from_module_data.unmet_dependencies?
-        if Puppet[:strict] != :off
-          msg = "ModuleLoader: module '#{from_module_data.name}' has unresolved dependencies" \
-              " - it will only see those that are resolved." \
-              " Use 'puppet module list --tree' to see information about modules"
-          case Puppet[:strict]
-          when :error
-              raise LoaderError.new(msg)
-          when :warning
-            Puppet.warn_once(:unresolved_module_dependencies,
-                             "unresolved_dependencies_for_module_#{from_module_data.name}",
-                             msg)
-          end
-        end
-      end
+    def create_loader_with_dependencies_first(from_module_data)
       dependency_loaders = from_module_data.dependency_names.collect { |name| @index[name].public_loader }
-      @loaders.add_loader_by_name(Loader::DependencyLoader.new(from_module_data.public_loader, "#{from_module_data.name} private", dependency_loaders))
+      visible_loaders = dependency_loaders + (all_module_loaders() - dependency_loaders)
+      @loaders.add_loader_by_name(Loader::DependencyLoader.new(from_module_data.public_loader, "#{from_module_data.name} private", visible_loaders))
     end
   end
 end

data/lib/puppet/pops/parser/heredoc_support.rb

@@ -98,8 +98,7 @@ module HeredocSupport
 
         # Use a new lexer instance configured with a sub-locator to enable correct positioning
         sublexer = self.class.new()
-        locator = Locator::SubLocator.sub_locator(str,
-          locator.file, heredoc_line, heredoc_offset, leading.length())
+        locator = Locator::SubLocator.new(locator, heredoc_line, heredoc_offset, leading.length())
 
         # Emit a token that provides the grammar with location information about the lines on which the heredoc
         # content is based.

data/lib/puppet/pops/parser/lexer2.rb

@@ -189,7 +189,7 @@ class Lexer2
       ',' => lambda {  emit(TOKEN_COMMA, @scanner.pos) },
       '[' => lambda do
         before = @scanner.pos
-        if (before == 0 || @scanner.string[locator.char_offset(before)-1,1] =~ /[[:blank:]\r\n]+/)
+        if (before == 0 || locator.string[locator.char_offset(before)-1,1] =~ /[[:blank:]\r\n]+/)
           emit(TOKEN_LISTSTART, before)
         else
           emit(TOKEN_LBRACK, before)

data/lib/puppet/pops/validation/checker4_0.rb

@@ -48,6 +48,7 @@ class Checker4_0 < Evaluator::LiteralEvaluator
     # tree iterate the model, and call check for each element
     @path = []
     check(model)
+    internal_check_top_construct_in_module(model)
     model._pcore_all_contents(@path) { |element| check(element) }
   end
 
@@ -396,7 +397,7 @@ class Checker4_0 < Evaluator::LiteralEvaluator
       acceptor.accept(Issues::ILLEGAL_DEFINITION_NAME, o, {:name=>o.name})
     end
 
-    internal_check_file_namespace(o, o.name, o.locator.file)
+    internal_check_file_namespace(o)
     internal_check_reserved_type_name(o, o.name)
     internal_check_future_reserved_word(o, o.name)
   end
@@ -535,18 +536,42 @@ class Checker4_0 < Evaluator::LiteralEvaluator
   NO_NAMESPACE = :no_namespace
   NO_PATH = :no_path
   BAD_MODULE_FILE = :bad_module_file
-  def internal_check_file_namespace(o, name, file)
+
+  def internal_check_file_namespace(o)
+    file = o.locator.file
     return if file.nil? || file == '' #e.g. puppet apply -e '...'
 
     file_namespace = namespace_for_file(file)
     return if file_namespace == NO_NAMESPACE
 
     # Downcasing here because check is case-insensitive
-    if file_namespace == BAD_MODULE_FILE || !name.downcase.start_with?(file_namespace)
-      acceptor.accept(Issues::ILLEGAL_DEFINITION_LOCATION, o, {:name => name, :file => file})
+    if file_namespace == BAD_MODULE_FILE || !o.name.downcase.start_with?(file_namespace)
+      acceptor.accept(Issues::ILLEGAL_DEFINITION_LOCATION, o, {:name => o.name, :file => file})
+    end
+  end
+
+  def internal_check_top_construct_in_module(prog)
+    return unless prog.is_a?(Model::Program) && !prog.body.nil?
+
+    #Check that this is a module autoloaded file
+    file = prog.locator.file
+    return if file.nil?
+    return if namespace_for_file(file) == NO_NAMESPACE
+
+    body = prog.body
+    return if prog.body.is_a?(Model::Nop) #Ignore empty or comment-only files
+
+    if(body.is_a?(Model::BlockExpression))
+      body.statements.each { |s| acceptor.accept(Issues::ILLEGAL_TOP_CONSTRUCT_LOCATION, s) unless valid_top_construct?(s) }
+    else
+      acceptor.accept(Issues::ILLEGAL_TOP_CONSTRUCT_LOCATION, body) unless valid_top_construct?(body)
     end
   end
 
+  def valid_top_construct?(o)
+    o.is_a?(Model::Definition) && !o.is_a?(Model::NodeDefinition)
+  end
+
   # @api private
   class Puppet::Util::FileNamespaceAdapter < Puppet::Pops::Adaptable::Adapter
     attr_accessor :file_to_namespace
@@ -600,9 +625,9 @@ class Checker4_0 < Evaluator::LiteralEvaluator
 
   def is_parent_dir_of(parent_dir, child_dir)
     parent_dir_path = Pathname.new(parent_dir)
-    clean_parent = parent_dir_path.cleanpath
+    clean_parent = parent_dir_path.cleanpath.to_s + File::SEPARATOR
 
-    return child_dir.to_s.start_with?(clean_parent.to_s)
+    return child_dir.to_s.start_with?(clean_parent)
   end
 
   def dir_to_names(relative_path)

data/lib/puppet/pops/validation/validator_factory_4_0.rb

@@ -37,6 +37,7 @@ class ValidatorFactory_4_0 < Factory
     p[Issues::EMPTY_RESOURCE_SPECIALIZATION] = :ignore
     p[Issues::CLASS_NOT_VIRTUALIZABLE]       = Puppet[:strict] == :off ? :warning : Puppet[:strict]
     p[Issues::ILLEGAL_DEFINITION_LOCATION]   = :deprecation
+    p[Issues::ILLEGAL_TOP_CONSTRUCT_LOCATION]   = :deprecation
     p
   end
 end

data/lib/puppet/property/keyvalue.rb

@@ -12,9 +12,20 @@ module Puppet
     # @todo The node with an important message is not very clear.
     #
     class KeyValue < Property
+      class << self
+        # This is a class-level variable that child properties can override
+        # if they wish.
+        attr_accessor :log_only_changed_or_new_keys
+      end
+
+      self.log_only_changed_or_new_keys = false
 
       def hash_to_key_value_s(hash)
-        hash.select { |k,v| true }.map { |pair| pair.join(separator) }.join(delimiter)
+        if self.class.log_only_changed_or_new_keys
+          hash = hash.select { |k, _| @changed_or_new_keys.include?(k) }
+        end
+
+        hash.map { |*pair| pair.join(separator) }.join(delimiter)
       end
 
       def should_to_s(should_value)
@@ -33,11 +44,19 @@ module Puppet
         @resource[membership] == :inclusive
       end
 
-      def hashify(key_value_array)
-        #turns string array into a hash
-        key_value_array.inject({}) do |hash, key_value|
+      def hashify_should
+        # Puppet casts all should values to arrays. Thus, if the user
+        # passed in a hash for our property's should value, the should_value
+        # parameter will be a single element array so we just extract our value
+        # directly.
+        if ! @should.empty? && @should.first.is_a?(Hash)
+          return @should.first
+        end
+
+        # Here, should is an array of key/value pairs.
+        @should.inject({}) do |hash, key_value|
           tmp = key_value.split(separator)
-          hash[tmp[0].intern] = tmp[1]
+          hash[tmp[0].strip.intern] = tmp[1]
           hash
         end
       end
@@ -53,11 +72,24 @@ module Puppet
       def should
         return nil unless @should
 
-        members = hashify(@should)
+        members = hashify_should
         current = process_current_hash(retrieve)
 
         #shared keys will get overwritten by members
-        current.merge(members)
+        should_value = current.merge(members)
+
+        # Figure out the keys that will actually change in our Puppet run.
+        # This lets us reduce the verbosity of Puppet's logging for instances
+        # of this class when we want to.
+        #
+        # NOTE: We use ||= here because we only need to compute the
+        # changed_or_new_keys once (since this property will only be synced once).
+        #
+        @changed_or_new_keys ||= should_value.keys.select do |key|
+          ! current.key?(key) || current[key] != should_value[key]
+        end
+
+        should_value
       end
 
       # @return [String] Returns a default separator of "="
@@ -84,12 +116,42 @@ module Puppet
 
       # Returns true if there is no _is_ value, else returns if _is_ is equal to _should_ using == as comparison.
       # @return [Boolean] whether the property is in sync or not.
-      #
       def insync?(is)
         return true unless is
 
         (is == self.should)
       end
+
+      # We only accept an array of key/value pairs (strings), a single
+      # key/value pair (string) or a Hash as valid values for our property.
+      # Note that for an array property value, the 'value' passed into the
+      # block corresponds to the array element.
+      validate do |value|
+        unless value.is_a?(String) || value.is_a?(Hash)
+          raise ArgumentError, _("The %{name} property must be specified as a hash or an array of key/value pairs (strings)!") % { name: name }
+        end
+
+        next if value.is_a?(Hash)
+
+        unless value.include?("#{separator}")
+          raise ArgumentError, _("Key/value pairs must be separated by '%{separator}'") % {separator: separator}
+        end
+      end
+
+      # The validate step ensures that our passed-in value is
+      # either a String or a Hash. If our value's a string,
+      # then nothing else needs to be done. Otherwise, we need
+      # to stringify the hash's keys and values to match our
+      # internal representation of the property's value.
+      munge do |value|
+        next value if value.is_a?(String)
+
+        munged_value = value.to_a.map! do |hash_key, hash_value|
+          [hash_key.to_s.strip.to_sym, hash_value.to_s]
+        end
+
+        Hash[munged_value]
+      end
     end
   end
 end

data/lib/puppet/provider/aix_object.rb

@@ -0,0 +1,483 @@
+# Common code for AIX user/group providers.
+class Puppet::Provider::AixObject < Puppet::Provider
+  desc "Generic AIX resource provider"
+
+  # Class representing a MappedObject, which can either be an
+  # AIX attribute or a Puppet property. This class lets us
+  # write something like:
+  #
+  #   attribute = mappings[:aix_attribute][:uid]
+  #   attribute.name
+  #   attribute.convert_property_value(uid)
+  #
+  #   property = mappings[:puppet_property][:id]
+  #   property.name
+  #   property.convert_attribute_value(id)
+  #
+  # NOTE: This is an internal class specific to AixObject. It is
+  # not meant to be used anywhere else. That's why we do not have
+  # any validation code in here.
+  #
+  # NOTE: See the comments in the class-level mappings method to
+  # understand what we mean by pure and impure conversion functions.
+  #
+  # NOTE: The 'mapping' code, including this class, could possibly
+  # be moved to a separate module so that it can be re-used in some
+  # of our other providers. See PUP-9082.
+  class MappedObject
+    attr_reader :name
+
+    def initialize(name, conversion_fn, conversion_fn_code)
+      @name = name
+      @conversion_fn = conversion_fn
+      @conversion_fn_code = conversion_fn_code
+
+      return unless pure_conversion_fn?
+
+      # Our conversion function is pure, so we can go ahead
+      # and define it. This way, we can use this MappedObject
+      # at the class-level as well as at the instance-level.
+      define_singleton_method(@conversion_fn) do |value|
+        @conversion_fn_code.call(value)
+      end
+    end
+
+    def pure_conversion_fn?
+      @conversion_fn_code.arity == 1
+    end
+
+    # Sets our MappedObject's provider. This only makes sense
+    # if it has an impure conversion function. We will call this
+    # in the instance-level mappings method after the provider
+    # instance has been created to define our conversion function.
+    # Note that a MappedObject with an impure conversion function
+    # cannot be used at the class level.
+    def set_provider(provider)
+      define_singleton_method(@conversion_fn) do |value|
+        @conversion_fn_code.call(provider, value)
+      end
+    end
+  end
+
+  class << self
+    #-------------
+    # Mappings
+    # ------------
+
+    def mappings
+      return @mappings if @mappings
+
+      @mappings = {}
+      @mappings[:aix_attribute] = {}
+      @mappings[:puppet_property] = {}
+
+      @mappings
+    end
+
+    # Add a mapping from a Puppet property to an AIX attribute. The info must include:
+    #
+    #   * :puppet_property       -- The puppet property corresponding to this attribute
+    #   * :aix_attribute         -- The AIX attribute corresponding to this attribute. Defaults
+    #                            to puppet_property if this is not provided.
+    #   * :property_to_attribute -- A lambda that converts a Puppet Property to an AIX attribute
+    #                            value. Defaults to the identity function if not provided.
+    #   * :attribute_to_property -- A lambda that converts an AIX attribute to a Puppet property.
+    #                            Defaults to the identity function if not provided.
+    #
+    # NOTE: The lambdas for :property_to_attribute or :attribute_to_property can be 'pure'
+    # or 'impure'. A 'pure' lambda is one that needs only the value to do the conversion,
+    # while an 'impure' lambda is one that requires the provider instance along with the
+    # value. 'Pure' lambdas have the interface 'do |value| ...' while 'impure' lambdas have
+    # the interface 'do |provider, value| ...'.
+    #
+    # NOTE: 'Impure' lambdas are useful in case we need to generate more specific error
+    # messages or pass-in instance-specific command-line arguments.
+    def mapping(info = {})
+      identity_fn = lambda { |x| x }
+      info[:aix_attribute] ||= info[:puppet_property]
+      info[:property_to_attribute] ||= identity_fn
+      info[:attribute_to_property] ||= identity_fn
+
+      mappings[:aix_attribute][info[:puppet_property]] = MappedObject.new(
+        info[:aix_attribute],
+        :convert_property_value,
+        info[:property_to_attribute]
+      )
+      mappings[:puppet_property][info[:aix_attribute]] = MappedObject.new(
+        info[:puppet_property],
+        :convert_attribute_value,
+        info[:attribute_to_property]
+      )
+    end
+
+    # Creates a mapping from a purely numeric Puppet property to
+    # an attribute
+    def numeric_mapping(info = {})
+      property = info[:puppet_property]
+
+      # We have this validation here b/c not all numeric properties
+      # handle this at the property level (e.g. like the UID). Given
+      # that, we might as well go ahead and do this validation for all
+      # of our numeric properties. Doesn't hurt.
+      info[:property_to_attribute] = lambda do |value|
+        unless value.is_a?(Integer)
+          raise ArgumentError, _("Invalid value %{value}: %{property} must be an Integer!") % { value: value, property: property }
+        end
+
+        value.to_s
+      end
+
+      # AIX will do the right validation to ensure numeric attributes
+      # can't be set to non-numeric values, so no need for the extra clutter.
+      info[:attribute_to_property] = lambda do |value|
+        value.to_i
+      end
+
+      mapping(info)
+    end
+
+    #-------------
+    # Useful Class Methods
+    # ------------
+
+    # Defines the getter and setter methods for each Puppet property that's mapped
+    # to an AIX attribute. We define only a getter for the :attributes property.
+    #
+    # Provider subclasses should call this method after they've defined all of
+    # their <puppet_property> => <aix_attribute> mappings.
+    def mk_resource_methods
+      # Define the Getter methods for each of our properties + the attributes
+      # property
+      properties = [:attributes]
+      properties += mappings[:aix_attribute].keys
+      properties.each do |property|
+        # Define the getter
+        define_method(property) do
+          get(property)
+        end
+
+        # We have a custom setter for the :attributes property,
+        # so no need to define it.
+        next if property == :attributes
+
+        # Define the setter
+        define_method("#{property}=".to_sym) do |value|
+          set(property, value)
+        end
+      end
+    end
+
+    # This helper splits a list separated by sep into its corresponding
+    # items. Note that a key precondition here is that none of the items
+    # in the list contain sep. 
+    #
+    # Let A be the return value. Then one of our postconditions is:
+    #   A.join(sep) == list
+    #
+    # NOTE: This function is only used by the parse_colon_separated_list
+    # function below. It is meant to be an inner lambda. The reason it isn't
+    # here is so we avoid having to create a proc. object for the split_list
+    # lambda each time parse_colon_separated_list is invoked. This will happen
+    # quite often since it is used at the class level and at the instance level.
+    # Since this function is meant to be an inner lambda and thus not exposed
+    # anywhere else, we do not have any unit tests for it. These test cases are
+    # instead covered by the unit tests for parse_colon_separated_list
+    def split_list(list, sep)
+      return [""] if list.empty?
+
+      list.split(sep, -1)
+    end
+
+    # Parses a colon-separated list. Example includes something like:
+    #   <item1>:<item2>:<item3>:<item4>
+    #
+    # Returns an array of the parsed items, e.g.
+    #   [ <item1>, <item2>, <item3>, <item4> ]
+    #
+    # Note that colons inside items are escaped by #!
+    def parse_colon_separated_list(colon_list)
+      # ALGORITHM:
+      # Treat the colon_list as a list separated by '#!:' We will get
+      # something like:
+      #     [ <chunk1>, <chunk2>, ... <chunkn> ]
+      #
+      # Each chunk is now a list separated by ':' and none of the items
+      # in each chunk contains an escaped ':'. Now, split each chunk on
+      # ':' to get:
+      #     [ [<piece11>, ..., <piece1n>], [<piece21>, ..., <piece2n], ... ]
+      #
+      # Now note that <item1> = <piece11>, <item2> = <piece12> in our original
+      # list, and that <itemn> = <piece1n>#!:<piece21>. This is the main idea
+      # behind what our inject method is trying to do at the end, except that
+      # we replace '#!:' with ':' since the colons are no longer escaped.
+      chunks = split_list(colon_list, '#!:')
+      chunks.map! { |chunk| split_list(chunk, ':') }
+
+      chunks.inject do |accum, chunk|
+        left = accum.pop
+        right = chunk.shift
+
+        accum.push("#{left}:#{right}")
+        accum += chunk
+
+        accum
+      end
+    end
+
+    # Parses the AIX objects from the command output, returning an array of
+    # hashes with each hash having the following schema:
+    #   {
+    #     :name       => <object_name>
+    #     :attributes => <object_attributes>
+    #   }
+    #
+    # Output should be of the form
+    #   #name:<attr1>:<attr2> ...
+    #   <name>:<value1>:<value2> ...
+    #   #name:<attr1>:<attr2> ...
+    #   <name>:<value1>:<value2> ...
+    #
+    # NOTE: We need to parse the colon-formatted output in case we have
+    # space-separated attributes (e.g. 'gecos'). ":" characters are escaped
+    # with a "#!".
+    def parse_aix_objects(output)
+      # Object names cannot begin with '#', so we are safe to
+      # split individual users this way. We do not have to worry
+      # about an empty list either since there is guaranteed to be
+      # at least one instance of an AIX object (e.g. at least one
+      # user or one group on the system).
+      _, *objects = output.chomp.split(/^#/)
+
+      objects.map! do |object|
+        attributes_line, values_line = object.chomp.split("\n")
+
+        attributes = parse_colon_separated_list(attributes_line.chomp)
+        attributes.map!(&:to_sym)
+
+        values = parse_colon_separated_list(values_line.chomp)
+
+        attributes_hash = Hash[attributes.zip(values)]
+
+        object_name = attributes_hash.delete(:name)
+
+        Hash[[[:name, object_name.to_s], [:attributes, attributes_hash]]]
+      end
+
+      objects
+    end
+
+    # Lists all instances of the given object, taking in an optional set
+    # of ia_module arguments. Returns an array of hashes, each hash
+    # having the schema
+    #   {
+    #     :name => <object_name>
+    #     :id   => <object_id>
+    #   }
+    def list_all(ia_module_args = [])
+      cmd = [command(:list), '-c', *ia_module_args, '-a', 'id', 'ALL']
+      parse_aix_objects(execute(cmd)).to_a.map do |object|
+        name = object[:name]
+        id = object[:attributes].delete(:id)
+
+        Hash[[[:name, name,],[:id, id]]]
+      end
+    end
+
+    #-------------
+    # Provider API
+    # ------------
+
+    def instances
+      list_all.to_a.map! do |object|
+        new({ :name => object[:name] })
+      end
+    end
+  end
+
+  # Instantiate our mappings. These need to be at the instance-level
+  # since some of our mapped objects may have impure conversion functions
+  # that need our provider instance.
+  def mappings
+    return @mappings if @mappings
+    
+    @mappings = {}
+    self.class.mappings.each do |type, mapped_objects|
+      @mappings[type] = {}
+      mapped_objects.each do |input, mapped_object|
+        if mapped_object.pure_conversion_fn?
+          # Our mapped_object has a pure conversion function so we
+          # can go ahead and use it as-is.
+          @mappings[type][input] = mapped_object
+          next
+        end
+
+        # Otherwise, we need to dup it and set its provider to our
+        # provider instance. The dup is necessary so that we do not
+        # touch the class-level mapped object.
+        @mappings[type][input] = mapped_object.dup
+        @mappings[type][input].set_provider(self)
+      end
+    end
+
+    @mappings
+  end
+
+  # Converts the given attributes hash to CLI args.
+  def attributes_to_args(attributes)
+    attributes.map do |attribute, value|
+      "#{attribute}=#{value}"
+    end
+  end
+
+  def ia_module_args
+    return [] unless @resource[:ia_load_module]
+    ["-R", @resource[:ia_load_module].to_s]
+  end
+
+  def lscmd
+    [self.class.command(:list), '-c'] + ia_module_args + [@resource[:name]]
+  end
+
+  def addcmd(attributes)
+    attribute_args = attributes_to_args(attributes)
+    [self.class.command(:add)] + ia_module_args + attribute_args + [@resource[:name]]
+  end
+
+  def deletecmd
+    [self.class.command(:delete)] + ia_module_args + [@resource[:name]]
+  end
+
+  def modifycmd(new_attributes)
+    attribute_args = attributes_to_args(new_attributes)
+    [self.class.command(:modify)] + ia_module_args + attribute_args + [@resource[:name]]
+  end
+
+  # Modifies the AIX object by setting its new attributes.
+  def modify_object(new_attributes)
+    execute(modifycmd(new_attributes))
+    object_info(true) 
+  end
+
+  # Gets a Puppet property's value from object_info
+  def get(property)
+    return :absent unless exists?
+    object_info[property] || :absent
+  end
+
+  # Sets a mapped Puppet property's value.
+  def set(property, value)
+    aix_attribute = mappings[:aix_attribute][property]
+    modify_object(
+      { aix_attribute.name => aix_attribute.convert_property_value(value) }
+    )
+  rescue Puppet::ExecutionFailure => detail
+    raise Puppet::Error, _("Could not set %{property} on %{resource}[%{name}]: %{detail}") % { property: property, resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
+  end
+
+  # This routine validates our new attributes property value to ensure
+  # that it does not contain any Puppet properties.
+  def validate_new_attributes(new_attributes)
+    # Gather all of the <puppet property>, <aix attribute> conflicts to print
+    # them all out when we create our error message. This makes it easy for the
+    # user to update their manifest based on our error message.
+    conflicts = {}
+    mappings[:aix_attribute].each do |property, aix_attribute|
+      next unless new_attributes.key?(aix_attribute.name)
+
+      conflicts[:properties] ||= []
+      conflicts[:properties].push(property)
+
+      conflicts[:attributes] ||= []
+      conflicts[:attributes].push(aix_attribute.name)
+    end
+
+    return if conflicts.empty?
+
+    properties, attributes = conflicts.keys.map do |key|
+      conflicts[key].map! { |name| "'#{name}'" }.join(', ')
+    end
+      
+    detail = _("attributes is setting the %{properties} properties via. the %{attributes} attributes, respectively! Please specify these property values in the resource declaration instead.") % { properties: properties, attributes: attributes }
+
+    raise Puppet::Error, _("Could not set attributes on %{resource}[%{name}]: %{detail}") % { resource: @resource.class.name, name: @resource.name, detail: detail }
+  end
+
+  # Modifies the attribute property. Note we raise an error if the user specified
+  # an AIX attribute corresponding to a Puppet property.
+  def attributes=(new_attributes)
+    validate_new_attributes(new_attributes)
+    modify_object(new_attributes)
+  rescue Puppet::ExecutionFailure => detail
+    raise Puppet::Error, _("Could not set attributes on %{resource}[%{name}]: %{detail}") % { resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
+  end
+
+  # Collects the current property values of all mapped properties +
+  # the attributes property.
+  def object_info(refresh = false)
+    return @object_info if @object_info && ! refresh
+    @object_info = nil
+
+    begin
+      output = execute(lscmd)
+    rescue Puppet::ExecutionFailure
+      Puppet.debug(_("aix.object_info(): Could not find %{resource}[%{name}]") % { resource: @resource.class.name, name: @resource.name })
+
+      return @object_info
+    end
+
+    # If lscmd succeeds, then output will contain our object's information.
+    # Thus, .parse_aix_objects will always return a single element array.
+    aix_attributes = self.class.parse_aix_objects(output).first[:attributes]
+    aix_attributes.each do |attribute, value|
+      @object_info ||= {}
+
+      # If our attribute has a Puppet property, then we store that. Else, we store it as part
+      # of our :attributes property hash
+      if (property = mappings[:puppet_property][attribute])
+        @object_info[property.name] = property.convert_attribute_value(value)
+      else
+        @object_info[:attributes] ||= {}
+        @object_info[:attributes][attribute] = value
+      end
+    end
+
+    @object_info
+  end
+
+  #-------------
+  # Methods that manage the ensure property
+  # ------------
+
+  # Check that the AIX object exists
+  def exists?
+    ! object_info.nil?
+  end
+
+  # Creates a new instance of the resource
+  def create
+    attributes = @resource.should(:attributes) || {}
+    validate_new_attributes(attributes)
+
+    mappings[:aix_attribute].each do |property, aix_attribute|
+      property_should = @resource.should(property)
+      next if property_should.nil?
+      attributes[aix_attribute.name] = aix_attribute.convert_property_value(property_should)
+    end
+
+    execute(addcmd(attributes))
+  rescue Puppet::ExecutionFailure => detail
+    raise Puppet::Error, _("Could not create %{resource} %{name}: %{detail}") % { resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
+  end
+
+  # Deletes this instance resource
+  def delete
+    execute(deletecmd)
+
+    # Recollect the object info so that our current properties reflect
+    # the actual state of the system. Otherwise, puppet resource reports
+    # the wrong info. at the end. Note that this should return nil.
+    object_info(true)
+  rescue Puppet::ExecutionFailure => detail
+    raise Puppet::Error, _("Could not delete %{resource} %{name}: %{detail}") % { resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
+  end
+end