puppet 5.5.8 → 5.5.10

data/lib/puppet/provider/service/smf.rb

@@ -49,6 +49,52 @@ Puppet::Type.type(:service).provide :smf, :parent => :base do
    end
   end
 
+  # Returns the service's FMRI. We fail if multiple FMRIs correspond to
+  # @resource[:name].
+  #
+  # If the service does not exist or we fail to get any FMRIs from svcs,
+  # this method will raise a Puppet::Error
+  def service_fmri
+    return @fmri if @fmri
+
+    # `svcs -l` is better to use because we can detect service instances
+    # that have not yet been activated or enabled (i.e. it lets us detect
+    # services that svcadm has not yet touched). `svcs -H -o fmri` is a bit
+    # more limited.
+    lines = svcs("-l", @resource[:name]).chomp.lines.to_a
+    lines.select! { |line| line =~ /^fmri/ }
+    fmris = lines.map! { |line| line.split(' ')[-1].chomp }
+    unless fmris.length == 1
+      raise Puppet::Error, _("Failed to get the FMRI of the %{service} service: The pattern '%{service}' matches multiple FMRIs! These are the FMRIs it matches: %{all_fmris}") % { service: @resource[:name], all_fmris: fmris.join(', ') }
+    end
+
+    @fmri = fmris.first
+  end
+
+  # Returns true if the provider supports incomplete services.
+  def supports_incomplete_services?
+    Puppet::Util::Package.versioncmp(Facter.value(:operatingsystemrelease), '11.1') >= 0
+  end
+
+  # Returns true if the service is complete. A complete service is a service that
+  # has the general/complete property defined.
+  def complete_service?
+    unless supports_incomplete_services?
+      raise Puppet::Error, _("Cannot query if the %{service} service is complete: The concept of complete/incomplete services was introduced in Solaris 11.1. You are on a Solaris %{release} machine.") % { service: @resource[:name], release: Facter.value(:operatingsystemrelease) }
+    end
+
+    return @complete_service if @complete_service
+
+    # We need to use the service's FMRI when querying its config. because
+    # general/complete is an instance-specific property.
+    fmri = service_fmri
+
+    # Check if the general/complete property is defined. If it is undefined,
+    # then svccfg will not print anything to the console.
+    property_defn = svccfg("-s", fmri, "listprop", "general/complete").chomp
+    @complete_service = ! property_defn.empty?
+  end
+
   def enable
     self.start
   end
@@ -131,6 +177,14 @@ Puppet::Type.type(:service).provide :smf, :parent => :base do
     end
 
     begin
+      if supports_incomplete_services?
+        unless complete_service?
+          debug _("The %{service} service is incomplete so its status will be reported as :stopped. See `svcs -xv %{fmri}` for more details.") % { service: @resource[:name], fmri: service_fmri }
+
+          return :stopped
+        end
+      end
+
       # get the current state and the next state, and if the next
       # state is set (i.e. not "-") use it for state comparison
       states = service_states

data/lib/puppet/transaction.rb

@@ -56,6 +56,8 @@ class Puppet::Transaction
     @prefetched_providers = Hash.new { |h,k| h[k] = {} }
 
     @prefetch_failed_providers = Hash.new { |h,k| h[k] = {} }
+
+    @failed_dependencies_already_notified = Set.new()
   end
 
   # Invoke the pre_run_check hook in every resource in the catalog.
@@ -291,8 +293,9 @@ class Puppet::Transaction
     if s && s.dependency_failed?
       # See above. --daniel 2011-06-06
       unless suppress_report then
-        s.failed_dependencies.each do |dep|
+        s.failed_dependencies.find_all { |d| !(@failed_dependencies_already_notified.include?(d.ref)) }.each do |dep|
           resource.notice _("Dependency %{dep} has failures: %{status}") % { dep: dep, status: resource_status(dep).failed }
+          @failed_dependencies_already_notified.add(dep.ref)
         end
       end
     end

data/lib/puppet/transaction/event_manager.rb

@@ -147,12 +147,18 @@ class Puppet::Transaction::EventManager
     resource.send(callback)
 
     if not resource.is_a?(Puppet::Type.type(:whit))
-      resource.notice n_("Triggered '%{callback}' from %{count} event", "Triggered '%{callback}' from %{count} events", events.length) % { count: events.length, callback: callback }
+      message = n_("Triggered '%{callback}' from %{count} event", "Triggered '%{callback}' from %{count} events", events.length) % { count: events.length, callback: callback }
+      resource.notice message
+      add_callback_status_event(resource, callback, message, "success")
     end
+
     return true
   rescue => detail
     resource_error_message = _("Failed to call %{callback}: %{detail}") % { callback: callback, detail: detail }
     resource.err resource_error_message
+    if not resource.is_a?(Puppet::Type.type(:whit))
+      add_callback_status_event(resource, callback, resource_error_message, "failure")
+    end
 
     transaction.resource_status(resource).failed_to_restart = true
     transaction.resource_status(resource).fail_with_event(resource_error_message)
@@ -160,6 +166,12 @@ class Puppet::Transaction::EventManager
     return false
   end
 
+  def add_callback_status_event(resource, callback, message, status)
+    options = { message: message, status: status, name: callback.to_s }
+    event = resource.event options
+    transaction.resource_status(resource) << event if event
+  end
+
   def process_noop_events(resource, callback, events)
     resource.notice n_("Would have triggered '%{callback}' from %{count} event", "Would have triggered '%{callback}' from %{count} events", events.length) % { count: events.length, callback: callback }
 

data/lib/puppet/transaction/resource_harness.rb

@@ -158,7 +158,9 @@ class Puppet::Transaction::ResourceHarness
       raise
     ensure
       if event
-        event.calculate_corrective_change(@persistence.get_system_value(context.resource.ref, param.name.to_s))
+        name = param.name.to_s
+        event.message ||= _("could not create change error message for %{name}") % { name: name }
+        event.calculate_corrective_change(@persistence.get_system_value(context.resource.ref, name))
         context.record(event)
         event.send_log
         context.synced_params << param.name

data/lib/puppet/util/command_line.rb

@@ -106,7 +106,7 @@ module Puppet
         def run
           # For most applications, we want to be able to load code from the modulepath,
           # such as apply, describe, resource, and faces.
-          # For agent, we only want to load pluginsync'ed code from libdir.
+          # For agent and device in agent mode, we only want to load pluginsync'ed code from libdir.
           # For master, we shouldn't ever be loading per-environment code into the master's
           # ruby process, but that requires fixing (#17210, #12173, #8750). So for now
           # we try to restrict to only code that can be autoloaded from the node's
@@ -116,8 +116,7 @@ module Puppet
           # have an appropriate application-wide current_environment set.
           # If we cannot find the configured environment, which may not exist,
           # we do not attempt to add plugin directories to the load path.
-          #
-          if @subcommand_name != 'master' and @subcommand_name != 'agent'
+          unless @subcommand_name == 'master' || @subcommand_name == 'agent' || (@subcommand_name == 'device' && (['--apply', '--facts', '--resource'] - @command_line.args).empty?)
             if configured_environment = Puppet.lookup(:environments).get(Puppet[:environment])
               configured_environment.each_plugin_directory do |dir|
                 $LOAD_PATH << dir unless $LOAD_PATH.include?(dir)

data/lib/puppet/util/filetype.rb

@@ -191,13 +191,21 @@ class Puppet::Util::FileType
 
     # Read a specific @path's cron tab.
     def read
+      unless Puppet::Util.uid(@path)
+        Puppet.debug _("The %{path} user does not exist. Treating their crontab file as empty in case Puppet creates them in the middle of the run.") % { path: @path }
+
+        return ""
+      end
+
       Puppet::Util::Execution.execute("#{cmdbase} -l", failonfail: true, combine: true)
     rescue => detail
       case detail.to_s
       when /no crontab for/
         return ""
       when /are not allowed to/
-        raise FileReadError, _("User %{path} not authorized to use cron") % { path: @path }, detail.backtrace
+        Puppet.debug _("The %{path} user is not authorized to use cron. Their crontab file is treated as empty in case Puppet authorizes them in the middle of the run (by, for example, modifying the cron.deny or cron.allow files).") % { path: @path }
+
+        return ""
       else
         raise FileReadError, _("Could not read crontab for %{path}: %{detail}") % { path: @path, detail: detail }, detail.backtrace
       end
@@ -215,7 +223,15 @@ class Puppet::Util::FileType
 
     # Overwrite a specific @path's cron tab; must be passed the @path name
     # and the text with which to create the cron tab.
+    #
+    # TODO: We should refactor this at some point to make it identical to the
+    # :aixtab and :suntab's write methods so that, at the very least, the pipe
+    # is not created and the crontab command's errors are not swallowed.
     def write(text)
+      unless Puppet::Util.uid(@path)
+        raise Puppet::Error, _("Cannot write the %{path} user's crontab: The user does not exist") % { path: @path }
+      end
+
       # this file is managed by the OS and should be using system encoding
       IO.popen("#{cmdbase()} -", "w", :encoding => Encoding.default_external) { |p|
         p.print text
@@ -240,13 +256,21 @@ class Puppet::Util::FileType
   newfiletype(:suntab) do
     # Read a specific @path's cron tab.
     def read
+      unless Puppet::Util.uid(@path)
+        Puppet.debug _("The %{path} user does not exist. Treating their crontab file as empty in case Puppet creates them in the middle of the run.") % { path: @path }
+
+        return ""
+      end
+
       Puppet::Util::Execution.execute(%w{crontab -l}, cronargs)
     rescue => detail
       case detail.to_s
       when /can't open your crontab/
         return ""
       when /you are not authorized to use cron/
-        raise FileReadError, _("User %{path} not authorized to use cron") % { path: @path }, detail.backtrace
+        Puppet.debug _("The %{path} user is not authorized to use cron. Their crontab file is treated as empty in case Puppet authorizes them in the middle of the run (by, for example, modifying the cron.deny or cron.allow files).") % { path: @path }
+
+        return ""
       else
         raise FileReadError, _("Could not read crontab for %{path}: %{detail}") % { path: @path, detail: detail }, detail.backtrace
       end
@@ -283,13 +307,21 @@ class Puppet::Util::FileType
   newfiletype(:aixtab) do
     # Read a specific @path's cron tab.
     def read
+      unless Puppet::Util.uid(@path)
+        Puppet.debug _("The %{path} user does not exist. Treating their crontab file as empty in case Puppet creates them in the middle of the run.") % { path: @path }
+
+        return ""
+      end
+
       Puppet::Util::Execution.execute(%w{crontab -l}, cronargs)
     rescue => detail
       case detail.to_s
       when /open.*in.*directory/
         return ""
-      when /You are not authorized to use the cron command/
-        raise FileReadError, _("User %{path} not authorized to use cron") % { path: @path }, detail.backtrace
+      when /not.*authorized.*cron/
+        Puppet.debug _("The %{path} user is not authorized to use cron. Their crontab file is treated as empty in case Puppet authorizes them in the middle of the run (by, for example, modifying the cron.deny or cron.allow files).") % { path: @path }
+
+        return ""
       else
         raise FileReadError, _("Could not read crontab for %{path}: %{detail}") % { path: @path, detail: detail }, detail.backtrace
       end

data/lib/puppet/util/selinux.rb

@@ -190,7 +190,7 @@ module Puppet::Util::SELinux
   def selinux_label_support?(file)
     fstype = find_fs(file)
     return false if fstype.nil?
-    filesystems = ['ext2', 'ext3', 'ext4', 'gfs', 'gfs2', 'xfs', 'jfs', 'btrfs']
+    filesystems = ['ext2', 'ext3', 'ext4', 'gfs', 'gfs2', 'xfs', 'jfs', 'btrfs', 'tmpfs']
     filesystems.include?(fstype)
   end
 

data/lib/puppet/util/windows/api_types.rb

@@ -58,7 +58,7 @@ module Puppet::Util::Windows::APITypes
       str = get_bytes(0, char_length * 2).force_encoding('UTF-16LE')
       str.encode(dst_encoding, str.encoding, encode_options)
     rescue Exception => e
-      Puppet.debug "Unable to convert value #{str.dump} to encoding #{dst_encoding} due to #{e.inspect}"
+      Puppet.debug "Unable to convert value #{str.nil? ? 'nil' : str.dump} to encoding #{dst_encoding} due to #{e.inspect}"
       raise
     end
 

data/lib/puppet/util/windows/registry.rb

@@ -65,6 +65,28 @@ module Puppet::Util::Windows
       vals
     end
 
+    # Retrieve a set of values from a registry key given their names
+    # Value names listed but not found in the registry will not be added to the
+    # resultant Hashtable
+    #
+    # @param key [RegistryKey] An open handle to a Registry Key
+    # @param names [String[]] An array of names of registry values to return if they exist
+    # @return [Hashtable<String, Object>] A hashtable of all of the found values in the registry key
+    def values_by_name(key, names)
+      vals = {}
+      names.each do |name|
+        FFI::Pointer.from_string_to_wide_string(name) do |subkeyname_ptr|
+          begin
+            _, vals[name] = read(key, subkeyname_ptr)
+          rescue Puppet::Util::Windows::Error => e
+            # ignore missing names, but raise other errors
+            raise e unless e.code == Puppet::Util::Windows::Error::ERROR_FILE_NOT_FOUND
+          end
+        end
+      end
+      vals
+    end
+
     def each_value(key, &block)
       index = 0
       subkey = nil
@@ -104,7 +126,7 @@ module Puppet::Util::Windows
 
             if result != FFI::ERROR_SUCCESS
               msg = _("Failed to enumerate %{key} registry keys at index %{index}") % { key: key.keyname, index: index }
-              raise Puppet::Util::Windows::Error.new(msg)
+              raise Puppet::Util::Windows::Error.new(msg, result)
             end
 
             filetime = FFI::WIN32::FILETIME.new(filetime_ptr)
@@ -135,7 +157,7 @@ module Puppet::Util::Windows
 
           if result != FFI::ERROR_SUCCESS
             msg = _("Failed to enumerate %{key} registry values at index %{index}") % { key: key.keyname, index: index }
-            raise Puppet::Util::Windows::Error.new(msg)
+            raise Puppet::Util::Windows::Error.new(msg, result)
           end
 
           subkey_length = subkey_length_ptr.read_dword
@@ -165,7 +187,7 @@ module Puppet::Util::Windows
 
           if status != FFI::ERROR_SUCCESS
             msg = _("Failed to query registry %{key} for sizes") % { key: key.keyname }
-            raise Puppet::Util::Windows::Error.new(msg)
+            raise Puppet::Util::Windows::Error.new(msg, status)
           end
 
           result = [
@@ -247,8 +269,10 @@ module Puppet::Util::Windows
               buffer_ptr, length_ptr)
 
             if result != FFI::ERROR_SUCCESS
-              msg = _("Failed to read registry value %{value} at %{key}") % { value: name_ptr.read_wide_string, key: key.keyname }
-              raise Puppet::Util::Windows::Error.new(msg)
+              # buffer is raw bytes, *not* chars - less a NULL terminator
+              name_length = (name_ptr.size / FFI.type_size(:wchar)) - 1 if name_ptr.size > 0
+              msg = _("Failed to read registry value %{value} at %{key}") % { value: name_ptr.read_wide_string(name_length), key: key.keyname }
+              raise Puppet::Util::Windows::Error.new(msg, result)
             end
 
             # allows caller to use FFI MemoryPointer helpers to read / shape

data/lib/puppet/util/windows/service.rb

@@ -360,13 +360,14 @@ module Puppet::Util::Windows
     # @param [:string] service_name name of the service to query
     # @return [string] the status of the service
     def service_state(service_name)
-      status = nil
+      state = nil
       open_service(service_name, SC_MANAGER_CONNECT, SERVICE_QUERY_STATUS) do |service|
-        status = query_status(service)
+        query_status(service) do |status|
+          state = SERVICE_STATES[status[:dwCurrentState]]
+        end
       end
-      state = SERVICE_STATES[status[:dwCurrentState]]
       if state.nil?
-        raise Puppet::Error.new(_("Unknown Service state '%{current_state}' for '%{service_name}'") % { current_state: status[:dwCurrentState].to_s, service_name: service_name})
+        raise Puppet::Error.new(_("Unknown Service state '%{current_state}' for '%{service_name}'") % { current_state: state.to_s, service_name: service_name})
       end
       state
     end
@@ -377,13 +378,14 @@ module Puppet::Util::Windows
     # @param [:string] service_name name of the service to query
     # @return [QUERY_SERVICE_CONFIGW.struct] the configuration of the service
     def service_start_type(service_name)
-      config = nil
+      start_type = nil
       open_service(service_name, SC_MANAGER_CONNECT, SERVICE_QUERY_CONFIG) do |service|
-        config = query_config(service)
+        query_config(service) do |config|
+          start_type = SERVICE_START_TYPES[config[:dwStartType]]
+        end
       end
-      start_type = SERVICE_START_TYPES[config[:dwStartType]]
       if start_type.nil?
-        raise Puppet::Error.new(_("Unknown start type '%{start_type}' for '%{service_name}'") % { start_type: config[:dwStartType].to_s, service_name: service_name})
+        raise Puppet::Error.new(_("Unknown start type '%{start_type}' for '%{service_name}'") % { start_type: start_type.to_s, service_name: service_name})
       end
       start_type
     end
@@ -562,62 +564,62 @@ module Puppet::Util::Windows
       def transition_service_state(service_name, valid_initial_states, final_state, &block)
         service_access = SERVICE_START | SERVICE_STOP | SERVICE_PAUSE_CONTINUE | SERVICE_QUERY_STATUS
         open_service(service_name, SC_MANAGER_CONNECT, service_access) do |service|
-          status = query_status(service)
-          initial_state = status[:dwCurrentState]
-
-          # If the service is already in the final_state, then
-          # no further work needs to be done
-          if initial_state == final_state 
-            Puppet.debug _("The service is already in the %{final_state} state. No further work needs to be done.") % { final_state: SERVICE_STATES[final_state] }
-
-            next
-          end
+          query_status(service) do |status|
+            initial_state = status[:dwCurrentState]
+            # If the service is already in the final_state, then
+            # no further work needs to be done
+            if initial_state == final_state
+              Puppet.debug _("The service is already in the %{final_state} state. No further work needs to be done.") % { final_state: SERVICE_STATES[final_state] }
+
+              next
+            end
 
-          # Check that initial_state corresponds to a valid
-          # initial state
-          unless valid_initial_states.include?(initial_state)
-            valid_initial_states_str = valid_initial_states.map do |state|
-              SERVICE_STATES[state]
-            end.join(", ")
+            # Check that initial_state corresponds to a valid
+            # initial state
+            unless valid_initial_states.include?(initial_state)
+              valid_initial_states_str = valid_initial_states.map do |state|
+                SERVICE_STATES[state]
+              end.join(", ")
 
-            raise Puppet::Error, _("The service must be in one of the %{valid_initial_states} states to perform this transition. It is currently in the %{current_state} state.") % { valid_initial_states: valid_initial_states_str, current_state: SERVICE_STATES[initial_state] }
-          end
+              raise Puppet::Error, _("The service must be in one of the %{valid_initial_states} states to perform this transition. It is currently in the %{current_state} state.") % { valid_initial_states: valid_initial_states_str, current_state: SERVICE_STATES[initial_state] }
+            end
 
-          # Check if there's a pending transition to the final_state. If so, then wait for
-          # that transition to finish.
-          possible_pending_states = FINAL_STATES.keys.select do |pending_state|
-            # SERVICE_RUNNING has two pending states, SERVICE_START_PENDING and
-            # SERVICE_CONTINUE_PENDING. That is why we need the #select here
-            FINAL_STATES[pending_state] == final_state
-          end
-          if possible_pending_states.include?(initial_state)
-            Puppet.debug _("There is already a pending transition to the %{final_state} state for the %{service_name} service.")  % { final_state: SERVICE_STATES[final_state], service_name: service_name }
-            wait_on_pending_state(service, initial_state)
+            # Check if there's a pending transition to the final_state. If so, then wait for
+            # that transition to finish.
+            possible_pending_states = FINAL_STATES.keys.select do |pending_state|
+              # SERVICE_RUNNING has two pending states, SERVICE_START_PENDING and
+              # SERVICE_CONTINUE_PENDING. That is why we need the #select here
+              FINAL_STATES[pending_state] == final_state
+            end
+            if possible_pending_states.include?(initial_state)
+              Puppet.debug _("There is already a pending transition to the %{final_state} state for the %{service_name} service.")  % { final_state: SERVICE_STATES[final_state], service_name: service_name }
+              wait_on_pending_state(service, initial_state)
 
-            next
-          end
+              next
+            end
 
-          # If we are in an unsafe pending state like SERVICE_START_PENDING
-          # or SERVICE_STOP_PENDING, then we want to wait for that pending
-          # transition to finish before transitioning the service state.
-          # The reason we do this is because SERVICE_START_PENDING is when
-          # the service thread is being created and initialized, while
-          # SERVICE_STOP_PENDING is when the service thread is being cleaned
-          # up and destroyed. Thus there is a chance that when the service is
-          # in either of these states, its service thread may not yet be ready
-          # to perform the state transition (it may not even exist).
-          if UNSAFE_PENDING_STATES.include?(initial_state)
-            Puppet.debug _("The service is in the %{pending_state} state, which is an unsafe pending state.") % { pending_state: SERVICE_STATES[initial_state] }
-            wait_on_pending_state(service, initial_state)
-            initial_state = FINAL_STATES[initial_state]
-          end
+            # If we are in an unsafe pending state like SERVICE_START_PENDING
+            # or SERVICE_STOP_PENDING, then we want to wait for that pending
+            # transition to finish before transitioning the service state.
+            # The reason we do this is because SERVICE_START_PENDING is when
+            # the service thread is being created and initialized, while
+            # SERVICE_STOP_PENDING is when the service thread is being cleaned
+            # up and destroyed. Thus there is a chance that when the service is
+            # in either of these states, its service thread may not yet be ready
+            # to perform the state transition (it may not even exist).
+            if UNSAFE_PENDING_STATES.include?(initial_state)
+              Puppet.debug _("The service is in the %{pending_state} state, which is an unsafe pending state.") % { pending_state: SERVICE_STATES[initial_state] }
+              wait_on_pending_state(service, initial_state)
+              initial_state = FINAL_STATES[initial_state]
+            end
 
-          Puppet.debug _("Transitioning the %{service_name} service from %{initial_state} to %{final_state}") % { service_name: service_name, initial_state: SERVICE_STATES[initial_state], final_state: SERVICE_STATES[final_state] }
+            Puppet.debug _("Transitioning the %{service_name} service from %{initial_state} to %{final_state}") % { service_name: service_name, initial_state: SERVICE_STATES[initial_state], final_state: SERVICE_STATES[final_state] }
 
-          yield service
+            yield service
 
-          Puppet.debug _("Waiting for the transition to finish")
-          wait_on_state_transition(service, initial_state, final_state)
+            Puppet.debug _("Waiting for the transition to finish")
+            wait_on_state_transition(service, initial_state, final_state)
+          end
         end
       rescue => detail
         raise Puppet::Error, _("Failed to transition the %{service_name} service to the %{final_state} state. Detail: %{detail}") % { service_name: service_name, final_state: SERVICE_STATES[final_state], detail: detail }, detail.backtrace
@@ -661,9 +663,9 @@ module Puppet::Util::Windows
             if success == FFI::WIN32_FALSE
               raise Puppet::Util::Windows::Error.new(_("Service query failed"))
             end
+            yield status
           end
         end
-        status
       end
       private :query_status
 
@@ -673,7 +675,7 @@ module Puppet::Util::Windows
       #
       # @param [:handle] service handle of the service to query
       # @return [QUERY_SERVICE_CONFIGW struct] the result of the query
-      def query_config(service)
+      def query_config(service, &block)
         config = nil
         size_required = nil
         # Fetch the bytes of memory required to be allocated
@@ -697,9 +699,9 @@ module Puppet::Util::Windows
             if success == FFI::WIN32_FALSE
               raise Puppet::Util::Windows::Error.new(_("Service query failed"))
             end
+            yield config
           end
         end
-        config
       end
       private :query_config
 
@@ -712,7 +714,7 @@ module Puppet::Util::Windows
         FFI::MemoryPointer.new(SERVICE_STATUS.size) do |status_ptr|
           status = SERVICE_STATUS.new(status_ptr)
           if ControlService(service, signal, status) == FFI::WIN32_FALSE
-            raise Puppet::Util::Windows::Error, _("Failed to send the %{control_signal} signal to the service. Its current state is %{current_state}. Failed with") % { control_signal: SERVICE_CONTROL_SIGNALS[signal], current_state: SERVICE_STATES[status[:dwCurrentState]] }
+            raise Puppet::Util::Windows::Error, _("Failed to send the %{control_signal} signal to the service. Its current state is %{current_state}. Reason for failure:") % { control_signal: SERVICE_CONTROL_SIGNALS[signal], current_state: SERVICE_STATES[status[:dwCurrentState]] }
           end
         end
       end
@@ -741,21 +743,25 @@ module Puppet::Util::Windows
         state = nil
         elapsed_time = 0
         while elapsed_time <= DEFAULT_TIMEOUT
-          status = query_status(service)
-          state = status[:dwCurrentState]
-
-          return if state == final_state
-          if state == pending_state
-            Puppet.debug _("The service transitioned to the %{pending_state} state.") % { pending_state: SERVICE_STATES[pending_state] }
-            wait_on_pending_state(service, pending_state)
-            return
-          end
 
-          sleep(1)
-          elapsed_time += 1
+          query_status(service) do |status|
+            state = status[:dwCurrentState]
+            return if state == final_state
+            if state == pending_state
+              Puppet.debug _("The service transitioned to the %{pending_state} state.") % { pending_state: SERVICE_STATES[pending_state] }
+              wait_on_pending_state(service, pending_state)
+              return
+            end
+            sleep(1)
+            elapsed_time += 1
+          end
         end
-
         # Timed out while waiting for the transition to finish. Raise an error
+        # We can still use the state variable read from the FFI struct because
+        # FFI creates new Integer objects during an assignment of an integer value
+        # stored in an FFI struct. We verified that the '=' operater is safe
+        # from the freed memory since the new ruby object created during the
+        # assignment will remain in ruby memory and remain immutable and constant.
         raise Puppet::Error, _("Timed out while waiting for the service to transition from %{initial_state} to %{final_state} OR from %{initial_state} to %{pending_state} to %{final_state}. The service's current state is %{current_state}.") % { initial_state: SERVICE_STATES[initial_state], final_state: SERVICE_STATES[final_state], pending_state: SERVICE_STATES[pending_state], current_state: SERVICE_STATES[state] }
       end
       private :wait_on_state_transition
@@ -775,36 +781,37 @@ module Puppet::Util::Windows
         elapsed_time = 0
         last_checkpoint = -1
         loop do
-          status = query_status(service)
-          state = status[:dwCurrentState]
-
-          # Check if our service has finished transitioning to
-          # the final_state OR if an unexpected transition
-          # has occurred
-          return if state == final_state
-          unless state == pending_state
-            raise Puppet::Error, _("Unexpected transition to the %{current_state} state while waiting for the pending transition from %{pending_state} to %{final_state} to finish.") % { current_state: SERVICE_STATES[state], pending_state: SERVICE_STATES[pending_state], final_state: SERVICE_STATES[final_state] }
-          end
+          query_status(service) do |status|
+            state = status[:dwCurrentState]
+            checkpoint = status[:dwCheckPoint]
+            wait_hint = status[:dwWaitHint]
+            # Check if our service has finished transitioning to
+            # the final_state OR if an unexpected transition
+            # has occurred
+            return if state == final_state
+            unless state == pending_state
+              raise Puppet::Error, _("Unexpected transition to the %{current_state} state while waiting for the pending transition from %{pending_state} to %{final_state} to finish.") % { current_state: SERVICE_STATES[state], pending_state: SERVICE_STATES[pending_state], final_state: SERVICE_STATES[final_state] }
+            end
 
-          # Check if any progress has been made since our last sleep
-          # using the dwCheckPoint. If no progress has been made then
-          # check if we've timed out, and raise an error if so
-          if status[:dwCheckPoint] > last_checkpoint
-            elapsed_time = 0
-            last_checkpoint = status[:dwCheckPoint]
-          else
-            wait_hint = milliseconds_to_seconds(status[:dwWaitHint])
-            timeout = wait_hint < DEFAULT_TIMEOUT ? DEFAULT_TIMEOUT : wait_hint 
-
-            if elapsed_time >= timeout
-              raise Puppet::Error, _("Timed out while waiting for the pending transition from %{pending_state} to %{final_state} to finish. The current state is %{current_state}.") % { pending_state: SERVICE_STATES[pending_state], final_state: SERVICE_STATES[final_state], current_state: SERVICE_STATES[state] }
+            # Check if any progress has been made since our last sleep
+            # using the dwCheckPoint. If no progress has been made then
+            # check if we've timed out, and raise an error if so
+            if checkpoint > last_checkpoint
+              elapsed_time = 0
+              last_checkpoint = checkpoint
+            else
+              wait_hint_in_seconds = milliseconds_to_seconds(wait_hint)
+              timeout = wait_hint_in_seconds < DEFAULT_TIMEOUT ? DEFAULT_TIMEOUT : wait_hint_in_seconds
+
+              if elapsed_time >= timeout
+                raise Puppet::Error, _("Timed out while waiting for the pending transition from %{pending_state} to %{final_state} to finish. The current state is %{current_state}.") % { pending_state: SERVICE_STATES[pending_state], final_state: SERVICE_STATES[final_state], current_state: SERVICE_STATES[state] }
+              end
             end
+            wait_time = wait_hint_to_wait_time(wait_hint)
+            # Wait a bit before rechecking the service's state
+            sleep(wait_time)
+            elapsed_time += wait_time
           end
-
-          # Wait a bit before rechecking the service's state
-          wait_time = wait_hint_to_wait_time(status[:dwWaitHint])
-          sleep(wait_time)
-          elapsed_time += wait_time
         end
       end
       private :wait_on_pending_state