puppet 5.5.6 → 5.5.7

data/lib/puppet/provider/package/windows/exe_package.rb

@@ -42,17 +42,10 @@ class Puppet::Provider::Package::Windows
     end
 
     def self.install_command(resource)
-      ['cmd.exe', '/c', 'start', '"puppet-install"', '/w', munge(resource[:source])]
+      munge(resource[:source])
     end
 
     def uninstall_command
-      # 1. Launch using cmd /c start because if the executable is a console
-      #    application Windows will automatically display its console window
-      # 2. Specify a quoted title, otherwise if uninstall_string is quoted,
-      #    start will interpret that to be the title, and get confused
-      # 3. Specify /w (wait) to wait for uninstall to finish
-      command = ['cmd.exe', '/c', 'start', '"puppet-uninstall"', '/w']
-
       # Only quote bare uninstall strings, e.g.
       #   C:\Program Files (x86)\Notepad++\uninstall.exe
       # Don't quote uninstall strings that are already quoted, e.g.
@@ -60,9 +53,9 @@ class Puppet::Provider::Package::Windows
       # Don't quote uninstall strings that contain arguments:
       #   "C:\Program Files (x86)\Git\unins000.exe" /SILENT
       if uninstall_string =~ /\A[^"]*.exe\Z/i
-        command << "\"#{uninstall_string}\""
+        command = "\"#{uninstall_string}\""
       else
-        command << uninstall_string
+        command = uninstall_string
       end
 
       command

data/lib/puppet/provider/package/zypper.rb

@@ -1,4 +1,4 @@
-Puppet::Type.type(:package).provide :zypper, :parent => :rpm do
+Puppet::Type.type(:package).provide :zypper, :parent => :rpm, :source => :rpm do
   desc "Support for SuSE `zypper` package manager. Found in SLES10sp2+ and SLES11.
 
     This provider supports the `install_options` attribute, which allows command-line flags to be passed to zypper.

data/lib/puppet/provider/service/launchd.rb

@@ -196,6 +196,22 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
     Puppet::Util::Plist.read_plist_file(path)
   end
 
+  # Read overrides plist, retrying if necessary
+  def self.read_overrides
+    i = 1
+    overrides = nil
+    loop do
+      Puppet.debug(_("Reading overrides plist, attempt %{i}") % {i: i}) if i > 1
+      overrides = read_plist(launchd_overrides)
+      break unless overrides.nil?
+      raise Puppet::Error.new(_('Unable to read overrides plist, too many attempts')) if i == 20
+      Puppet.info(_('Overrides file could not be read, trying again.'))
+      Kernel.sleep(0.1)
+      i += 1
+    end
+    overrides
+  end
+
   # Clean out the @property_hash variable containing the cached list of services
   def flush
     @property_hash.clear
@@ -300,7 +316,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
     _, job_plist = plist_from_label(resource[:name])
     job_plist_disabled = job_plist["Disabled"] if job_plist.has_key?("Disabled")
 
-    if FileTest.file?(self.class.launchd_overrides) and overrides = self.class.read_plist(self.class.launchd_overrides)
+    if FileTest.file?(self.class.launchd_overrides) and overrides = self.class.read_overrides
       if overrides.has_key?(resource[:name])
         if self.class.get_os_version < 14
           overrides_disabled = overrides[resource[:name]]["Disabled"] if overrides[resource[:name]].has_key?("Disabled")
@@ -324,7 +340,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   # rather than dealing with launchctl as it is unable to change the Disabled flag
   # without actually loading/unloading the job.
   def enable
-    overrides = self.class.read_plist(self.class.launchd_overrides)
+    overrides = self.class.read_overrides
     if self.class.get_os_version < 14
       overrides[resource[:name]] = { "Disabled" => false }
     else
@@ -334,7 +350,7 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   end
 
   def disable
-    overrides = self.class.read_plist(self.class.launchd_overrides)
+    overrides = self.class.read_overrides
     if self.class.get_os_version < 14
       overrides[resource[:name]] = { "Disabled" => true }
     else

data/lib/puppet/provider/service/windows.rb

@@ -16,54 +16,57 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
 
   has_feature :refreshable
 
-  commands :net => 'net.exe'
-
   def enable
-    w32ss = Win32::Service.configure( 'service_name' => @resource[:name], 'start_type' => Win32::Service::SERVICE_AUTO_START )
-    raise Puppet::Error.new("Win32 service enable of #{@resource[:name]} failed" ) if( w32ss.nil? )
+    Puppet::Util::Windows::Service.set_startup_mode( @resource[:name], :SERVICE_AUTO_START )
   rescue => detail
-    raise Puppet::Error.new("Cannot enable #{@resource[:name]}, error was: #{detail}", detail )
+    raise Puppet::Error.new(_("Cannot enable %{resource_name}, error was: %{detail}") % { resource_name: @resource[:name], detail: detail }, detail )
   end
 
   def disable
-    w32ss = Win32::Service.configure( 'service_name' => @resource[:name], 'start_type' => Win32::Service::SERVICE_DISABLED )
-    raise Puppet::Error.new("Win32 service disable of #{@resource[:name]} failed" ) if( w32ss.nil? )
+    Puppet::Util::Windows::Service.set_startup_mode( @resource[:name], :SERVICE_DISABLED )
   rescue => detail
-    raise Puppet::Error.new("Cannot disable #{@resource[:name]}, error was: #{detail}", detail )
+    raise Puppet::Error.new(_("Cannot disable %{resource_name}, error was: %{detail}") % { resource_name: @resource[:name], detail: detail }, detail )
   end
 
   def manual_start
-    w32ss = Win32::Service.configure( 'service_name' => @resource[:name], 'start_type' => Win32::Service::SERVICE_DEMAND_START )
-    raise Puppet::Error.new("Win32 service manual enable of #{@resource[:name]} failed" ) if( w32ss.nil? )
+    Puppet::Util::Windows::Service.set_startup_mode( @resource[:name], :SERVICE_DEMAND_START )
   rescue => detail
-    raise Puppet::Error.new("Cannot enable #{@resource[:name]} for manual start, error was: #{detail}", detail )
+    raise Puppet::Error.new(_("Cannot enable %{resource_name} for manual start, error was: %{detail}") % { resource_name: @resource[:name], detail: detail }, detail )
   end
 
   def enabled?
-    w32ss = Win32::Service.config_info( @resource[:name] )
-    raise Puppet::Error.new("Win32 service query of #{@resource[:name]} failed" ) unless( !w32ss.nil? && w32ss.instance_of?( Struct::ServiceConfigInfo ) )
-    debug("Service #{@resource[:name]} start type is #{w32ss.start_type}")
-    case w32ss.start_type
-      when Win32::Service.get_start_type(Win32::Service::SERVICE_AUTO_START),
-           Win32::Service.get_start_type(Win32::Service::SERVICE_BOOT_START),
-           Win32::Service.get_start_type(Win32::Service::SERVICE_SYSTEM_START)
+    return :false unless Puppet::Util::Windows::Service.exists?(@resource[:name])
+
+    start_type = Puppet::Util::Windows::Service.service_start_type(@resource[:name])
+    debug("Service #{@resource[:name]} start type is #{start_type}")
+    case start_type
+      when :SERVICE_AUTO_START,
+           :SERVICE_BOOT_START,
+           :SERVICE_SYSTEM_START
         :true
-      when Win32::Service.get_start_type(Win32::Service::SERVICE_DEMAND_START)
+      when :SERVICE_DEMAND_START
         :manual
-      when Win32::Service.get_start_type(Win32::Service::SERVICE_DISABLED)
+      when :SERVICE_DISABLED
         :false
       else
-        raise Puppet::Error.new("Unknown start type: #{w32ss.start_type}")
+        raise Puppet::Error.new(_("Unknown start type: %{start_type}") % { start_type: start_type })
     end
   rescue => detail
-    raise Puppet::Error.new("Cannot get start type for #{@resource[:name]}, error was: #{detail}", detail )
+    raise Puppet::Error.new(_("Cannot get start type %{resource_name}, error was: %{detail}") % { resource_name: @resource[:name], detail: detail }, detail )
   end
 
   def start
+    if status == :paused
+      Puppet::Util::Windows::Service.resume(@resource[:name])
+      return
+    end
+
+    # status == :stopped here
+
     if enabled? == :false
       # If disabled and not managing enable, respect disabled and fail.
       if @resource[:enable].nil?
-        raise Puppet::Error, "Will not start disabled service #{@resource[:name]} without managing enable. Specify 'enable => false' to override."
+        raise Puppet::Error.new(_("Will not start disabled service %{resource_name} without managing enable. Specify 'enable => false' to override.") % { resource_name: @resource[:name] })
       # Otherwise start. If enable => false, we will later sync enable and
       # disable the service again.
       elsif @resource[:enable] == :true
@@ -72,35 +75,41 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
         manual_start
       end
     end
-
-    net(:start, @resource[:name])
-  rescue Puppet::ExecutionFailure => detail
-    raise Puppet::Error.new("Cannot start #{@resource[:name]}, error was: #{detail}", detail )
+    Puppet::Util::Windows::Service.start(@resource[:name])
   end
 
   def stop
-    net(:stop, @resource[:name])
-  rescue Puppet::ExecutionFailure => detail
-    raise Puppet::Error.new("Cannot stop #{@resource[:name]}, error was: #{detail}", detail )
+    Puppet::Util::Windows::Service.stop(@resource[:name])
   end
 
   def status
-    w32ss = Win32::Service.status( @resource[:name] )
-    raise Puppet::Error.new("Win32 service query of #{@resource[:name]} failed" ) unless( !w32ss.nil? && w32ss.instance_of?( Struct::ServiceStatus ) )
-    state = case w32ss.current_state
-      when "stopped", "pause pending", "stop pending", "paused" then :stopped
-      when "running", "continue pending", "start pending"       then :running
+    return :stopped unless Puppet::Util::Windows::Service.exists?(@resource[:name])
+
+    current_state = Puppet::Util::Windows::Service.service_state(@resource[:name])
+    state = case current_state
+      when :SERVICE_STOPPED,
+           :SERVICE_STOP_PENDING
+        :stopped
+      when :SERVICE_PAUSED,
+           :SERVICE_PAUSE_PENDING
+        :paused
+      when :SERVICE_RUNNING,
+           :SERVICE_CONTINUE_PENDING,
+           :SERVICE_START_PENDING
+        :running
       else
-        raise Puppet::Error.new("Unknown service state '#{w32ss.current_state}' for service '#{@resource[:name]}'")
+        raise Puppet::Error.new(_("Unknown service state '%{current_state}' for service '%{resource_name}'") % { current_state: current_state, resource_name: @resource[:name] })
     end
-    debug("Service #{@resource[:name]} is #{w32ss.current_state}")
+    debug("Service #{@resource[:name]} is #{current_state}")
     return state
-  rescue => detail
-    raise Puppet::Error.new("Cannot get status of #{@resource[:name]}, error was: #{detail}", detail )
   end
 
   # returns all providers for all existing services and startup state
   def self.instances
-    Win32::Service.services.collect { |s| new(:name => s.service_name) }
+    services = []
+    Puppet::Util::Windows::Service.services.each do |service_name, _|
+      services.push(new(:name => service_name))
+    end
+    services
   end
 end

data/lib/puppet/provider/user/aix.rb

@@ -1,25 +1,22 @@
-#
 # User Puppet provider for AIX. It uses standard commands to manage users:
 #  mkuser, rmuser, lsuser, chuser
 #
 # Notes:
 # - AIX users can have expiry date defined with minute granularity,
-#   but puppet does not allow it. There is a ticket open for that (#5431)
+#   but Puppet does not allow it. There is a ticket open for that (#5431)
+#
 # - AIX maximum password age is in WEEKs, not days
 #
 # See https://puppet.com/docs/puppet/latest/provider_development.html
 # for more information
-#
-# Author::    Hector Rivas Gandara <keymon@gmail.com>
-#
-require 'puppet/provider/aixobject'
+require 'puppet/provider/aix_object'
+require 'puppet/util/posix'
 require 'tempfile'
 require 'date'
 
 Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
   desc "User management for AIX."
 
-  # This will the default provider for this platform
   defaultfor :operatingsystem => :aix
   confine :operatingsystem => :aix
 
@@ -29,7 +26,6 @@ Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
   commands :delete    => "/usr/sbin/rmuser"
   commands :modify    => "/usr/bin/chuser"
 
-  commands :lsgroup   => "/usr/sbin/lsgroup"
   commands :chpasswd  => "/bin/chpasswd"
 
   # Provider features
@@ -37,296 +33,234 @@ Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
   has_features :manages_homedir, :manages_passwords, :manages_shell
   has_features :manages_expiry,  :manages_password_age
 
-  # Attribute verification (TODO)
-  #verify :gid, "GID must be a string or int of a valid group" do |value|
-  #  value.is_a? String || value.is_a? Integer
-  #end
-  #
-  #verify :groups, "Groups must be comma-separated" do |value|
-  #  value !~ /\s/
-  #end
+  class << self
+    def group_provider
+      @group_provider ||= Puppet::Type.type(:group).provider(:aix)
+    end
 
-  # User attributes to ignore from AIX output.
-  def self.attribute_ignore
-    ["name"]
-  end
+    # Define some Puppet Property => AIX Attribute (and vice versa)
+    # conversion functions here.
 
-  # AIX attributes to properties mapping.
-  #
-  # Valid attributes to be managed by this provider.
-  # It is a list with of hash
-  #  :aix_attr      AIX command attribute name
-  #  :puppet_prop   Puppet property name
-  #  :to            Method to adapt puppet property to aix command value. Optional.
-  #  :from          Method to adapt aix command value to puppet property. Optional
-  self.attribute_mapping = [
-    {:aix_attr => :pgrp,       :puppet_prop => :gid,
-                                :to => :gid_to_attr,
-                                :from => :gid_from_attr },
-    {:aix_attr => :id,         :puppet_prop => :uid},
-    {:aix_attr => :groups,     :puppet_prop => :groups},
-    {:aix_attr => :home,       :puppet_prop => :home},
-    {:aix_attr => :shell,      :puppet_prop => :shell},
-    {:aix_attr => :expires,    :puppet_prop => :expiry,
-                                :to => :expiry_to_attr,
-                                :from => :expiry_from_attr },
-    {:aix_attr => :maxage,     :puppet_prop => :password_max_age},
-    {:aix_attr => :minage,     :puppet_prop => :password_min_age},
-    {:aix_attr => :pwdwarntime, :puppet_prop => :password_warn_days},
-    {:aix_attr => :attributes, :puppet_prop => :attributes},
-    { :aix_attr => :gecos,      :puppet_prop => :comment },
-  ]
-
-  #--------------
-  # Command definition
-
-  # Return the IA module arguments based on the resource param ia_load_module
-  def get_ia_module_args
-    if @resource[:ia_load_module]
-      ["-R", @resource[:ia_load_module].to_s]
-    else
-      []
+    def gid_to_pgrp(provider, gid)
+      group = group_provider.find(gid, provider.ia_module_args)
+
+      group[:name]
     end
-  end
 
-  # List groups and Ids
-  def lsgroupscmd(value=@resource[:name])
-    [command(:lsgroup)] +
-      self.get_ia_module_args +
-      ["-a", "id", value]
-  end
+    def pgrp_to_gid(provider, pgrp)
+      group = group_provider.find(pgrp, provider.ia_module_args)
 
-  def lscmd(value=@resource[:name])
-    [self.class.command(:list), "-c"] + self.get_ia_module_args + [ value]
-  end
+      group[:gid]
+    end
 
-  def lsallcmd()
-    lscmd("ALL")
-  end
+    def expiry_to_expires(expiry)
+      return '0' if expiry == "0000-00-00" || expiry.to_sym == :absent
+      
+      DateTime.parse(expiry, "%Y-%m-%d %H:%M")
+        .strftime("%m%d%H%M%y")
+    end
+
+    def expires_to_expiry(provider, expires)
+      return :absent if expires == '0'
+
+      unless (match_obj = /\A(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)\z/.match(expires))
+        #TRANSLATORS 'AIX' is the name of an operating system and should not be translated
+        Puppet.warning(_("Could not convert AIX expires date '%{expires}' on %{class_name}[%{resource_name}]") % { expires: expires, class_name: provider.resource.class.name, resource_name: provider.resource.name })
+        return :absent
+      end
 
-  def addcmd(extra_attrs = [])
-    # Here we use the @resource.to_hash to get the list of provided parameters
-    # Puppet does not call to self.<parameter>= method if it does not exists.
+      month, day, year = match_obj[1], match_obj[2], match_obj[-1]
+      return "20#{year}-#{month}-#{day}"
+    end
+
+    # We do some validation before-hand to ensure the value's an Array,
+    # a String, etc. in the property. This routine does a final check to
+    # ensure our value doesn't have whitespace before we convert it to
+    # an attribute.
+    def groups_property_to_attribute(groups)
+      if groups =~ /\s/
+        raise ArgumentError, _("Invalid value %{groups}: Groups must be comma separated!") % { groups: groups }
+      end
+
+      groups
+    end
+
+    # We do not directly use the groups attribute value because that will
+    # always include the primary group, even if our user is not one of its
+    # members. Instead, we retrieve our property value by parsing the etc/group file,
+    # which matches what we do on our other POSIX platforms like Linux and Solaris.
     #
-    # It gets an extra list of arguments to add to the user.
-    [self.class.command(:add)] + self.get_ia_module_args +
-      self.hash2args(@resource.to_hash) +
-      extra_attrs + [@resource[:name]]
+    # See https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.files/group_security.htm
+    def groups_attribute_to_property(provider, _groups)
+      Puppet::Util::POSIX.groups_of(provider.resource[:name]).join(',')
+    end
   end
 
-  # Get modify command. Set translate=false if no mapping must be used.
-  # Needed for special properties like "attributes"
-  def modifycmd(hash = property_hash)
-    args = self.hash2args(hash)
-    return nil if args.empty?
+  mapping puppet_property: :comment,
+          aix_attribute: :gecos
 
-    [self.class.command(:modify)] + self.get_ia_module_args +
-      args + [@resource[:name]]
-  end
+  mapping puppet_property: :expiry,
+          aix_attribute: :expires,
+          property_to_attribute: method(:expiry_to_expires),
+          attribute_to_property: method(:expires_to_expiry)
 
-  def deletecmd
-    [self.class.command(:delete)] + self.get_ia_module_args + [@resource[:name]]
-  end
+  mapping puppet_property: :gid,
+          aix_attribute: :pgrp,
+          property_to_attribute: method(:gid_to_pgrp),
+          attribute_to_property: method(:pgrp_to_gid)
 
-  #--------------
-  # We overwrite the create function to change the password after creation.
-  def create
-    super
-    # Reset the password if needed
-    self.password = @resource[:password] if @resource[:password]
-  end
+  mapping puppet_property: :groups, 
+          property_to_attribute: method(:groups_property_to_attribute),
+          attribute_to_property: method(:groups_attribute_to_property)
 
+  mapping puppet_property: :home
+  mapping puppet_property: :shell
 
-  def get_arguments(key, value, mapping, objectinfo)
-    # In the case of attributes, return a list of key=vlaue
-    if key == :attributes
-      unless value and value.is_a? Hash
-        raise Puppet::Error, _("Attributes must be a list of pairs key=value on %{class_name}[%{resource_name}]") %
-            { class_name: @resource.class.name, resource_name: @resource.name }
-      end
-      return value.map { |k,v| k.to_s.strip + "=" + v.to_s.strip}
-    end
+  numeric_mapping puppet_property: :uid,
+                  aix_attribute: :id
 
-    super(key, value, mapping, objectinfo)
-  end
+  numeric_mapping puppet_property: :password_max_age,
+                  aix_attribute: :maxage
 
-  # Get the groupname from its id
-  def groupname_by_id(gid)
-    groupname=nil
-    execute(lsgroupscmd("ALL")).each_line { |entry|
-      attrs = self.parse_attr_list(entry, nil)
-      if attrs and attrs.include? :id and gid == attrs[:id].to_i
-        groupname = entry.split(" ")[0]
-      end
-    }
-    groupname
-  end
+  numeric_mapping puppet_property: :password_min_age,
+                  aix_attribute: :minage
 
-  # Get the groupname from its id
-  def groupid_by_name(groupname)
-    attrs = self.parse_attr_list(execute(lsgroupscmd(groupname)).split("\n")[0], nil)
-    attrs ? attrs[:id].to_i : nil
-  end
+  numeric_mapping puppet_property: :password_warn_days,
+                  aix_attribute: :pwdwarntime
 
-  # Check that a group exists and is valid
-  def verify_group(value)
-    if value.is_a? Integer
-      groupname = groupname_by_id(value)
-      #TRANSLATORS 'AIX' is the name of the operating system and should not be translated
-      raise ArgumentError, _("AIX group must be a valid existing group") unless groupname
-    else
-      #TRANSLATORS 'AIX' is the name of the operating system and should not be translated
-      raise ArgumentError, _("AIX group must be a valid existing group") unless groupid_by_name(value)
-      groupname = value
-    end
-    groupname
-  end
+  # Now that we have all of our mappings, let's go ahead and make
+  # the resource methods (property getters + setters for our mapped
+  # properties + a getter for the attributes property).
+  mk_resource_methods
 
-  # The user's primary group.  Can be specified numerically or by name.
-  def gid_to_attr(value)
-    verify_group(value)
-  end
+  # Setting the primary group (pgrp attribute) on AIX causes both the
+  # current and new primary groups to be included in our user's groups,
+  # which is undesirable behavior. Thus, this custom setter resets the
+  # 'groups' property back to its previous value after setting the primary
+  # group.
+  def gid=(value)
+    old_pgrp = gid
+    cur_groups = groups
 
-  # Get the group gid from its name
-  def gid_from_attr(value)
-    groupid_by_name(value)
-  end
+    set(:gid, value)
 
-  # The expiry date for this user. Must be provided in
-  # a zero padded YYYY-MM-DD HH:MM format
-  def expiry_to_attr(value)
-    # For chuser the expires parameter is a 10-character string in the MMDDhhmmyy format
-    # that is,"%m%d%H%M%y"
-    newdate = '0'
-    if value.is_a? String and value!="0000-00-00"
-      d = DateTime.parse(value, "%Y-%m-%d %H:%M")
-      newdate = d.strftime("%m%d%H%M%y")
+    begin
+      self.groups = cur_groups
+    rescue Puppet::Error => detail
+      raise Puppet::Error, _("Could not reset the groups property back to %{cur_groups} after setting the primary group on %{resource}[%{name}]. This means that the previous primary group of %{old_pgrp} and the new primary group of %{new_pgrp} have been added to %{cur_groups}. You will need to manually reset the groups property if this is undesirable behavior. Detail: %{detail}") % { cur_groups: cur_groups, resource: @resource.class.name, name: @resource.name, old_pgrp: old_pgrp, new_pgrp: value, detail: detail }, detail.backtrace
     end
-    newdate
   end
 
-  def expiry_from_attr(value)
-    if value =~ /(..)(..)(..)(..)(..)/
-      #d= DateTime.parse("20#{$5}-#{$1}-#{$2} #{$3}:#{$4}")
-      #expiry_date = d.strftime("%Y-%m-%d %H:%M")
-      #expiry_date = d.strftime("%Y-%m-%d")
-      expiry_date = "20#{$5}-#{$1}-#{$2}"
-    else
-      unless value == '0'
-        #TRANSLATORS 'AIX' is the name of an operating system and should not be translated
-        Puppet.warn(_("Could not convert AIX expires date '%{value}' on %{class_name}[%{resource_name}]") %
-                        { value: value, class_name: @resource.class.name, resource_name: @resource.name })
-      end
-      expiry_date = :absent
+  # Helper function that parses the password from the given
+  # password filehandle. This is here to make testing easier
+  # for #password since we cannot configure Mocha to mock out
+  # a method and have it return a block's value, meaning we
+  # cannot test #password directly (not in a simple and obvious
+  # way, at least).
+  # @api private
+  def parse_password(f)
+    # From the docs, a user stanza is formatted as (newlines are explicitly
+    # stated here for clarity):
+    #   <user>:\n
+    #     <attribute1>=<value1>\n
+    #     <attribute2>=<value2>\n
+    #
+    # First, find our user stanza
+    stanza = f.each_line.find { |line| line =~ /\A#{@resource[:name]}:/ }
+    return :absent unless stanza
+
+    # Now find the password line, if it exists. Note our call to each_line here
+    # will pick up right where we left off.
+    match_obj = nil
+    f.each_line.find do |line|
+      # Break if we find another user stanza. This means our user
+      # does not have a password.
+      break if line =~ /^\S+:$/
+
+      match_obj = /password = (\S+)/.match(line)
     end
-    expiry_date
-  end
+    return :absent unless match_obj
 
-  def open_security_passwd
-    # helper method for tests
-    # AIX reference indicates this file is ASCII
-    # https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.files/passwd_security.htm
-    Puppet::FileSystem.open("/etc/security/passwd", nil, "r:ASCII")
+    match_obj[1]
   end
 
-  #--------------------------------
-  # Getter and Setter
-  # When the provider is initialized, create getter/setter methods for each
-  # property our resource type supports.
-  # If setter or getter already defined it will not be overwritten
-
   #- **password**
   #    The user's password, in whatever encrypted format the local machine
   #    requires. Be sure to enclose any value that includes a dollar sign ($)
   #    in single quotes (').  Requires features manages_passwords.
   #
-  # Retrieve the password parsing directly the /etc/security/passwd
+  # Retrieve the password parsing the /etc/security/passwd file.
   def password
-    password = :absent
-    user = @resource[:name]
-    f = open_security_passwd
-    # Skip to the user
-    f.each_line { |l| break if l  =~ /^#{user}:\s*$/ }
-    if ! f.eof?
-      f.each_line { |l|
-        # If there is a new user stanza, stop
-        break if l  =~ /^\S*:\s*$/
-        # If the password= entry is found, return it, stripping trailing space
-        if l  =~ /^\s*password\s*=\s*(\S*)\s*$/
-          password = $1; break;
-        end
-      }
+    # AIX reference indicates this file is ASCII
+    # https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.files/passwd_security.htm
+    Puppet::FileSystem.open("/etc/security/passwd", nil, "r:ASCII") do |f|
+      parse_password(f)
     end
-    f.close()
-    return password
   end
 
   def password=(value)
     user = @resource[:name]
 
-    # Puppet execute does not support strings as input, only files.
-    # The password is expected to be in an encrypted format given -e is specified:
-    # https://www.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.cmds1/chpasswd.htm
-    # /etc/security/passwd is specified as an ASCII file per the AIX documentation
-    tmpfile = Tempfile.new("puppet_#{user}_pw", :encoding => Encoding::ASCII)
-    tmpfile << "#{user}:#{value}\n"
-    tmpfile.close()
-
-    # Options '-e', '-c', use encrypted password and clear flags
-    # Must receive "user:enc_password" as input
-    # command, arguments = {:failonfail => true, :combine => true}
-    # Fix for bugs #11200 and #10915
-    cmd = [self.class.command(:chpasswd), get_ia_module_args, '-e', '-c'].flatten
     begin
-      output = execute(cmd, {:failonfail => false, :combine => true, :stdinfile => tmpfile.path })
-      # chpasswd can return 1, even on success (at least on AIX 6.1); empty output indicates success
+      # Puppet execute does not support strings as input, only files.
+      # The password is expected to be in an encrypted format given -e is specified:
+      # https://www.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.cmds1/chpasswd.htm
+      # /etc/security/passwd is specified as an ASCII file per the AIX documentation
+      tempfile = nil
+      tempfile = Tempfile.new("puppet_#{user}_pw", :encoding => Encoding::ASCII)
+      tempfile << "#{user}:#{value}\n"
+      tempfile.close()
+  
+      # Options '-e', '-c', use encrypted password and clear flags
+      # Must receive "user:enc_password" as input
+      # command, arguments = {:failonfail => true, :combine => true}
+      # Fix for bugs #11200 and #10915
+      cmd = [self.class.command(:chpasswd), *ia_module_args, '-e', '-c']
+      execute_options = {
+        :failonfail => false,
+        :combine => true,
+        :stdinfile => tempfile.path
+      }
+      output = execute(cmd, execute_options)
+
+      # chpasswd can return 1, even on success (at least on AIX 6.1); empty output
+      # indicates success
       if output != ""
         raise Puppet::ExecutionFailure, "chpasswd said #{output}"
       end
     rescue Puppet::ExecutionFailure  => detail
-      raise Puppet::Error, "Could not set #{param} on #{@resource.class.name}[#{@resource.name}]: #{detail}", detail.backtrace
+      raise Puppet::Error, "Could not set password on #{@resource.class.name}[#{@resource.name}]: #{detail}", detail.backtrace
     ensure
-      tmpfile.delete()
+      if tempfile
+        # Extra close will noop. This is in case the write to our tempfile
+        # fails.
+        tempfile.close()
+        tempfile.delete()
+      end
     end
   end
 
-  def managed_attribute_keys(hash)
-    managed_attributes ||= @resource.original_parameters[:attributes] || hash.keys.map{|k| k.to_s}
-    managed_attributes = [managed_attributes] unless managed_attributes.is_a?(Array)
-    managed_attributes.map {|attr| key, _ = attr.split("="); key.strip.to_sym}
-  end
-
-  def should_include?(key, managed_keys)
-    !self.class.attribute_mapping_from.include?(key) and
-            !self.class.attribute_ignore.include?(key) and
-            managed_keys.include?(key)
-  end
-
-  def filter_attributes(hash)
-    # Return only managed attributes.
-    managed_keys = managed_attribute_keys(hash)
-    results = hash.select {
-        |k,v| should_include?(k, managed_keys)
-      }.inject({}) {
-        |h, array| h[array[0]] = array[1]; h
-      }
-    results
-  end
+  def create
+    super
 
-  def attributes
-    filter_attributes(getosinfo(false))
-  end
+    # We specify the 'groups' AIX attribute in AixObject's create method
+    # when creating our user. However, this does not always guarantee that
+    # our 'groups' property is set to the right value. For example, the
+    # primary group will always be included in the 'groups' property. This is
+    # bad if we're explicitly managing the 'groups' property under inclusive
+    # membership, and we are not specifying the primary group in the 'groups'
+    # property value.
+    #
+    # Setting the groups property here a second time will ensure that our user is
+    # created and in the right state. Note that this is an idempotent operation,
+    # so if AixObject's create method already set it to the right value, then this
+    # will noop.
+    if (groups = @resource.should(:groups))
+      self.groups = groups
+    end
 
-  def attributes=(attr_hash)
-    #self.class.validate(param, value)
-    param = :attributes
-    cmd = modifycmd({param => filter_attributes(attr_hash)})
-    if cmd
-      begin
-        execute(cmd)
-      rescue Puppet::ExecutionFailure  => detail
-        raise Puppet::Error, "Could not set #{param} on #{@resource.class.name}[#{@resource.name}]: #{detail}", detail.backtrace
-      end
+    if (password = @resource.should(:password))
+      self.password = password
     end
   end