puppet 5.5.6 → 5.5.7

data/lib/puppet/provider/user/windows_adsi.rb

@@ -124,7 +124,15 @@ Puppet::Type.type(:user).provide :windows_adsi do
   end
 
   def password=(value)
-    user.password = value
+    if user.disabled?
+      warning _("The user account '%s' is disabled; puppet will not reset the password" % @resource[:name])
+    elsif user.locked_out?
+      warning _("The user account '%s' is locked out; puppet will not reset the password" % @resource[:name])
+    elsif user.expired?
+      warning _("The user account '%s' is expired; puppet will not reset the password" % @resource[:name])
+    else
+      user.password = value
+    end
   end
 
   def uid

data/lib/puppet/resource/catalog.rb

@@ -559,11 +559,7 @@ class Puppet::Resource::Catalog < Puppet::Graph::SimpleGraph
     Puppet::FileSystem.open(resourcefile.value, resourcefile.mode.to_i(8), "w:UTF-8") do |f|
       to_print = resources.map do |resource|
         next unless resource.managed?
-        if resource.name_var
-          "#{resource.type}[#{resource[resource.name_var]}]"
-        else
-          "#{resource.ref.downcase}"
-        end
+        "#{resource.ref.downcase}"
       end.compact
       f.puts to_print.join("\n")
     end

data/lib/puppet/type/augeas.rb

@@ -143,7 +143,7 @@ Puppet::Type.newtype(:augeas) do
   end
 
   newparam(:type_check) do
-    desc "Whether augeas should perform typechecking. Defaults to false."
+    desc "Whether augeas should perform typechecking."
     newvalues(:true, :false)
 
     defaultto :false

data/lib/puppet/type/exec.rb

@@ -78,8 +78,8 @@ module Puppet
 
       attr_reader :output
       desc "The expected exit code(s).  An error will be returned if the
-        executed command has some other exit code.  Defaults to 0. Can be
-        specified as an array of acceptable exit codes or a single value.
+        executed command has some other exit code. Can be specified as an array
+        of acceptable exit codes or a single value.
 
         On POSIX systems, exit codes are always integers between 0 and 255.
 
@@ -197,14 +197,17 @@ module Puppet
     end
 
     newparam(:user) do
-      desc "The user to run the command as.  Note that if you
-        use this then any error output is not currently captured.  This
-        is because of a bug within Ruby.  If you are using Puppet to
-        create this user, the exec will automatically require the user,
-        as long as it is specified by name.
+      desc "The user to run the command as.
+      
+        > **Note:** Puppet cannot execute commands as other users on Windows.
 
-        Please note that the $HOME environment variable is not automatically set
-        when using this attribute."
+        Note that if you use this attribute, any error output is not captured
+        due to a bug within Ruby. If you use Puppet to create this user, the
+        exec automatically requires the user, as long as it is specified by
+        name.
+
+        The $HOME environment variable is not automatically set when using
+        this attribute."
 
       validate do |user|
         if Puppet.features.microsoft_windows?
@@ -230,7 +233,7 @@ module Puppet
 
     newparam(:logoutput) do
       desc "Whether to log command output in addition to logging the
-        exit code.  Defaults to `on_failure`, which only logs the output
+        exit code. Defaults to `on_failure`, which only logs the output
         when the command has an exit code that does not match any value
         specified by the `returns` attribute. As with any resource type,
         the log level can be controlled with the `loglevel` metaparameter."
@@ -305,10 +308,9 @@ module Puppet
 
     newparam(:tries) do
       desc "The number of times execution of the command should be tried.
-        Defaults to '1'. This many attempts will be made to execute
-        the command until an acceptable return code is returned.
-        Note that the timeout parameter applies to each try rather than
-        to the complete set of tries."
+        This many attempts will be made to execute the command until an
+        acceptable return code is returned. Note that the timeout parameter
+        applies to each try rather than to the complete set of tries."
 
       munge do |value|
         if value.is_a?(String)

data/lib/puppet/type/file.rb

@@ -207,7 +207,7 @@ Puppet::Type.newtype(:file) do
       whose content doesn't match what the `source` or `content` attribute
       specifies.  Setting this to false allows file resources to initialize files
       without overwriting future changes.  Note that this only affects content;
-      Puppet will still manage ownership and permissions. Defaults to `true`."
+      Puppet will still manage ownership and permissions."
     defaultto :true
   end
 
@@ -320,7 +320,7 @@ Puppet::Type.newtype(:file) do
 
   newparam(:validate_replacement) do
     desc "The replacement string in a `validate_cmd` that will be replaced
-      with an input file name. Defaults to: `%`"
+      with an input file name."
 
     defaultto '%'
   end

data/lib/puppet/type/file/source.rb

@@ -31,7 +31,7 @@ module Puppet
       * Fully qualified paths to locally available files (including files on NFS
       shares or Windows mapped drives).
       * `file:` URIs, which behave the same as local file paths.
-      * `http:` URIs, which point to files served by common web servers
+      * `http:` URIs, which point to files served by common web servers.
 
       The normal form of a `puppet:` URI is:
 
@@ -47,10 +47,14 @@ module Puppet
       a source directory contains symlinks, use the `links` attribute to
       specify whether to recreate links or follow them.
 
-      *HTTP* URIs cannot be used to recursively synchronize whole directory
-      trees. It is also not possible to use `source_permissions` values other
-      than `ignore`. That's because HTTP servers do not transfer any metadata
-      that translates to ownership or permission details.
+      _HTTP_ URIs cannot be used to recursively synchronize whole directory
+      trees. You cannot use `source_permissions` values other than `ignore`
+      because HTTP servers do not transfer any metadata that translates to
+      ownership or permission details.
+
+      The `http` source uses the server `Content-MD5` header as a checksum to
+      determine if the remote file has changed. If the server response does not
+      include that header, Puppet defaults to using the `Last-Modified` header.
 
       Multiple `source` values can be specified as an array, and Puppet will
       use the first source that exists. This can be used to serve different

data/lib/puppet/type/group.rb

@@ -1,6 +1,7 @@
 require 'etc'
 require 'facter'
 require 'puppet/property/keyvalue'
+require 'puppet/property/list'
 require 'puppet/parameter/boolean'
 
 module Puppet
@@ -81,41 +82,84 @@ module Puppet
       end
     end
 
-    newproperty(:members, :array_matching => :all, :required_features => :manages_members) do
+    newproperty(:members, :parent => Puppet::Property::List, :required_features => :manages_members) do
       desc "The members of the group. For platforms or directory services where group
         membership is stored in the group objects, not the users. This parameter's
         behavior can be configured with `auth_membership`."
 
-      def change_to_s(currentvalue, newvalue)
-        currentvalue = currentvalue.join(",") if currentvalue != :absent
-        newvalue = newvalue.join(",")
-        super(currentvalue, newvalue)
+      validate do |value|
+        unless value.is_a?(String)
+          raise ArgumentError, _("The members property must be specified as either an array of strings, or as a single string consisting of a comma-separated list of members")
+        end
+
+        if value.is_a?(Integer) || value =~ /^\d+$/
+          raise ArgumentError, _("User names must be provided, not UID numbers.")
+        end
+
+        if value.empty?
+          raise ArgumentError, _("User names must not be empty. If you want to specify \"no users\" pass an empty array")
+        end
+
+        if provider.respond_to?(:member_valid?)
+          return provider.member_valid?(value)
+        end
       end
 
-      def insync?(current)
-        if provider.respond_to?(:members_insync?)
-          return provider.members_insync?(current, @should)
+      def inclusive?
+        @resource[:auth_membership]
+      end
+
+      def change_to_s(currentvalue, newvalue)
+        newvalue = newvalue.split(",") if newvalue != :absent
+
+        if provider.respond_to?(:members_to_s)
+          # for Windows ADSI
+          # de-dupe the "newvalue" when the sync event message is generated,
+          # due to final retrieve called after the resource has been modified
+          newvalue = provider.members_to_s(newvalue).split(',').uniq
         end
 
-        super(current)
+        super(currentvalue, newvalue)
       end
 
-      def is_to_s(currentvalue)
+      # override Puppet::Property::List#retrieve
+      def retrieve
         if provider.respond_to?(:members_to_s)
-          currentvalue = '' if currentvalue.nil?
-          currentvalue = currentvalue.is_a?(Array) ? currentvalue : currentvalue.split(',')
+          # Windows ADSI members returns SIDs, but retrieve needs names
+          # must return qualified names for SIDs for "is" value and puppet resource
+          return provider.members_to_s(provider.members).split(',')
+        end
 
-          return provider.members_to_s(currentvalue)
+        super
+      end
+
+      # The members property should also accept a comma separated
+      # list of members (a String parameter) for backwards
+      # compatibility. Unfortunately, the List property would treat
+      # our comma separated list of members as a single-element Array.
+      # This override of should= ensures that a comma separated list of
+      # members is munged to an array of members, which is what we want.
+      # Note that we cannot use `munge` because that will pass in each
+      # array element instead of the entire array if the members property
+      # is specified as an array of members, which would cause each member
+      # to be munged into an array for that case. This is undesirable
+      # behavior.
+      def should=(values)
+        super(values)
+
+        if @should.length == 1 && @should.first.include?(delimiter)
+          @should = @should.first.split(delimiter)
         end
 
-        super(currentvalue)
+        @should
       end
-      alias :should_to_s :is_to_s
 
-      validate do |value|
-        if provider.respond_to?(:member_valid?)
-          return provider.member_valid?(value)
+      def insync?(current)
+        if provider.respond_to?(:members_insync?)
+          return provider.members_insync?(current, @should)
         end
+
+        super(current)
       end
     end
 
@@ -141,7 +185,7 @@ module Puppet
     end
 
     newparam(:allowdupe, :boolean => true, :parent => Puppet::Parameter::Boolean) do
-      desc "Whether to allow duplicate GIDs. Defaults to `false`."
+      desc "Whether to allow duplicate GIDs."
 
       defaultto false
     end
@@ -154,6 +198,8 @@ module Puppet
       desc "Specify group AIX attributes, as an array of `'key=value'` strings. This
         parameter's behavior can be configured with `attribute_membership`."
 
+      self.log_only_changed_or_new_keys = true
+
       def membership
         :attribute_membership
       end
@@ -161,10 +207,6 @@ module Puppet
       def delimiter
         " "
       end
-
-      validate do |value|
-        raise ArgumentError, _("Attributes value pairs must be separated by an =") unless value.include?("=")
-      end
     end
 
     newparam(:attribute_membership) do

data/lib/puppet/type/k5login.rb

@@ -29,7 +29,7 @@ Puppet::Type.newtype(:k5login) do
 
   # To manage the mode of the file
   newproperty(:mode) do
-    desc "The desired permissions mode of the `.k5login` file. Defaults to `644`."
+    desc "The desired permissions mode of the `.k5login` file."
     defaultto { "644" }
   end
 
@@ -104,7 +104,7 @@ Puppet::Type.newtype(:k5login) do
     super
   end
 
-  # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
+  # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 
   provide(:k5login) do
     desc "The k5login provider is the only provider for the k5login

data/lib/puppet/type/notify.rb

@@ -32,7 +32,7 @@ module Puppet
     end
 
     newparam(:withpath) do
-      desc "Whether to show the full object path. Defaults to false."
+      desc "Whether to show the full object path."
       defaultto :false
 
       newvalues(:true, :false)

data/lib/puppet/type/package.rb

@@ -172,7 +172,7 @@ module Puppet
               when is == @latest
                 return true
               when is == :present
-                # This will only happen on retarded packaging systems
+                # This will only happen on packaging systems
                 # that can't query versions.
                 return true
               else
@@ -411,8 +411,7 @@ module Puppet
 
     newparam(:configfiles) do
       desc "Whether to keep or replace modified config files when installing or
-        upgrading a package. This only affects the `apt` and `dpkg` providers.
-        Defaults to `keep`."
+        upgrading a package. This only affects the `apt` and `dpkg` providers."
 
       defaultto :keep
 
@@ -547,9 +546,7 @@ module Puppet
 
         If you use this, be careful of notifying classes when you want to restart
         services. If the class also contains a refreshable package, doing so could
-        cause unnecessary re-installs.
-
-        Defaults to `false`."
+        cause unnecessary re-installs."
       newvalues(:true, :false)
 
       defaultto :false

data/lib/puppet/type/resources.rb

@@ -87,6 +87,12 @@ Puppet::Type.newtype(:resources) do
     end
   end
 
+  WINDOWS_SYSTEM_SID_REGEXES =
+      # Administrator, Guest, Domain Admins, Schema Admins, Enterprise Admins.
+      # https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
+      [/S-1-5-21.+-500/, /S-1-5-21.+-501/, /S-1-5-21.+-512/, /S-1-5-21.+-518/,
+       /S-1-5-21.+-519/]
+
   def check(resource)
     @checkmethod ||= "#{self[:name]}_check"
     @hascheck ||= respond_to?(@checkmethod)
@@ -145,8 +151,12 @@ Puppet::Type.newtype(:resources) do
 
     return false if system_users.include?(resource[:name])
     return false if unless_uids && unless_uids.include?(current_uid)
-
-    current_uid > self[:unless_system_user]
+    if current_uid.is_a?(String)
+      # Windows user; is a system user if any regex matches.
+      WINDOWS_SYSTEM_SID_REGEXES.none? { |regex| current_uid =~ regex }
+    else
+      current_uid > self[:unless_system_user]
+    end
   end
 
   def system_users

data/lib/puppet/type/schedule.rb

@@ -46,6 +46,13 @@ module Puppet
           }
 
       This will cause resources to be applied every 30 minutes by default.
+
+      The `statettl` setting on the agent affects the ability of a schedule to
+      determine if a resource has already been checked. If the `statettl` is
+      set lower than the span of the associated schedule resource, then a
+      resource could be checked & applied multiple times in the schedule as
+      the information about when the resource was last checked will have
+      expired from the cache.
       EOT
 
     apply_to_all
@@ -312,7 +319,7 @@ module Puppet
 
     newparam(:repeat) do
       desc "How often a given resource may be applied in this schedule's `period`.
-        Defaults to 1; must be an integer."
+        Must be an integer."
 
       defaultto 1
 

data/lib/puppet/type/selboolean.rb

@@ -15,8 +15,8 @@ module Puppet
     end
 
     newparam(:persistent) do
-      desc "If set true, SELinux booleans will be written to disk and persist across reboots.
-        The default is `false`."
+      desc "If set to true, SELinux booleans will be written to disk and persist across
+        reboots."
 
       defaultto :false
       newvalues(:true, :false)

data/lib/puppet/type/selmodule.rb

@@ -23,10 +23,9 @@ Puppet::Type.newtype(:selmodule) do
   newparam(:selmoduledir) do
 
     desc "The directory to look for the compiled pp module file in.
-      Currently defaults to `/usr/share/selinux/targeted`.  If the
-      `selmodulepath` attribute is not specified, Puppet will expect to find
-      the module in `<selmoduledir>/<name>.pp`, where `name` is the value of the
-      `name` parameter."
+      If the `selmodulepath` attribute is not specified, Puppet expects to
+      find the module in `<selmoduledir>/<name>.pp`, where `name` is the
+      value of the `name` parameter."
 
     defaultto "/usr/share/selinux/targeted"
   end

data/lib/puppet/type/service.rb

@@ -135,8 +135,7 @@ module Puppet
 
     newparam(:hasstatus) do
       desc "Declare whether the service's init script has a functional status
-        command; defaults to `true`. This attribute's default value changed in
-        Puppet 2.7.0.
+        command. This attribute's default value changed in Puppet 2.7.0.
 
         The init script's status command must return 0 if the service is
         running and a nonzero value otherwise. Ideally, these exit codes
@@ -230,9 +229,7 @@ module Puppet
     newparam :hasrestart do
       desc "Specify that an init script has a `restart` command.  If this is
         false and you do not specify a command in the `restart` attribute,
-        the init script's `stop` and `start` commands will be used.
-
-        Defaults to false."
+        the init script's `stop` and `start` commands will be used."
       newvalues(:true, :false)
     end
 

data/lib/puppet/type/tidy.rb

@@ -188,7 +188,7 @@ Puppet::Type.newtype(:tidy) do
   end
 
   newparam(:type) do
-    desc "Set the mechanism for determining age. Default: atime."
+    desc "Set the mechanism for determining age."
 
     newvalues(:atime, :mtime, :ctime)