puppet 6.0.2-x64-mingw32 → 6.0.3-x64-mingw32

data/lib/puppet/face/node/clean.rb

@@ -59,7 +59,6 @@ Puppet::Face.define(:node, '0.0.1') do
   # clean signed cert for +host+
   def clean_cert(node)
     if Puppet.features.puppetserver_ca?
-      require 'puppetserver/ca/action/clean'
       Puppetserver::Ca::Action::Clean.new(LoggerIO.new).run({ 'certnames' => [node] })
     else
       Puppet.info _("Not managing %{node} certs as this host is not a CA") % { node: node }

data/lib/puppet/feature/base.rb

@@ -73,4 +73,4 @@ Puppet.features.add(:manages_symlinks) do
   end
 end
 
-Puppet.features.add(:puppetserver_ca, libs: ['puppetserver/ca'])
+Puppet.features.add(:puppetserver_ca, libs: ['puppetserver/ca', 'puppetserver/ca/action/clean'])

data/lib/puppet/file_serving/fileset.rb

@@ -122,7 +122,7 @@ class Puppet::FileServing::Fileset
     def children
       return [] unless directory?
 
-      Dir.entries(path).
+      Dir.entries(path, encoding: Encoding::UTF_8).
         reject { |child| ignore?(child) }.
         collect { |child| down_level(child) }
     end

data/lib/puppet/pops/validation/checker4_0.rb

@@ -559,6 +559,8 @@ class Checker4_0 < Evaluator::LiteralEvaluator
     return if namespace_for_file(file) == NO_NAMESPACE
 
     body = prog.body
+    return if prog.body.is_a?(Model::Nop) #Ignore empty or comment-only files
+
     if(body.is_a?(Model::BlockExpression))
       body.statements.each { |s| acceptor.accept(Issues::ILLEGAL_TOP_CONSTRUCT_LOCATION, s) unless valid_top_construct?(s) }
     else
@@ -623,9 +625,9 @@ class Checker4_0 < Evaluator::LiteralEvaluator
 
   def is_parent_dir_of(parent_dir, child_dir)
     parent_dir_path = Pathname.new(parent_dir)
-    clean_parent = parent_dir_path.cleanpath
+    clean_parent = parent_dir_path.cleanpath.to_s + File::SEPARATOR
 
-    return child_dir.to_s.start_with?(clean_parent.to_s)
+    return child_dir.to_s.start_with?(clean_parent)
   end
 
   def dir_to_names(relative_path)

data/lib/puppet/provider/package/windows.rb

@@ -63,14 +63,14 @@ Puppet::Type.type(:package).provide(:windows, :parent => Puppet::Provider::Packa
     installer = Puppet::Provider::Package::Windows::Package.installer_class(resource)
 
     command = [installer.install_command(resource), install_options].flatten.compact.join(' ')
-    output = execute(command, :failonfail => false, :combine => true)
+    output = execute(command, :failonfail => false, :combine => true, :cwd => File.dirname(resource[:source]), :suppress_window => true)
 
     check_result(output.exitstatus)
   end
 
   def uninstall
     command = [package.uninstall_command, uninstall_options].flatten.compact.join(' ')
-    output = execute(command, :failonfail => false, :combine => true)
+    output = execute(command, :failonfail => false, :combine => true, :suppress_window => true)
 
     check_result(output.exitstatus)
   end

data/lib/puppet/provider/package/windows/exe_package.rb

@@ -42,17 +42,10 @@ class Puppet::Provider::Package::Windows
     end
 
     def self.install_command(resource)
-      ['cmd.exe', '/c', 'start', '"puppet-install"', '/w', munge(resource[:source])]
+      munge(resource[:source])
     end
 
     def uninstall_command
-      # 1. Launch using cmd /c start because if the executable is a console
-      #    application Windows will automatically display its console window
-      # 2. Specify a quoted title, otherwise if uninstall_string is quoted,
-      #    start will interpret that to be the title, and get confused
-      # 3. Specify /w (wait) to wait for uninstall to finish
-      command = ['cmd.exe', '/c', 'start', '"puppet-uninstall"', '/w']
-
       # Only quote bare uninstall strings, e.g.
       #   C:\Program Files (x86)\Notepad++\uninstall.exe
       # Don't quote uninstall strings that are already quoted, e.g.
@@ -60,9 +53,9 @@ class Puppet::Provider::Package::Windows
       # Don't quote uninstall strings that contain arguments:
       #   "C:\Program Files (x86)\Git\unins000.exe" /SILENT
       if uninstall_string =~ /\A[^"]*.exe\Z/i
-        command << "\"#{uninstall_string}\""
+        command = "\"#{uninstall_string}\""
       else
-        command << uninstall_string
+        command = uninstall_string
       end
 
       command

data/lib/puppet/provider/service/windows.rb

@@ -56,6 +56,13 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
   end
 
   def start
+    if status == :paused
+      Puppet::Util::Windows::Service.resume(@resource[:name])
+      return
+    end
+
+    # status == :stopped here
+
     if enabled? == :false
       # If disabled and not managing enable, respect disabled and fail.
       if @resource[:enable].nil?
@@ -81,10 +88,11 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
     current_state = Puppet::Util::Windows::Service.service_state(@resource[:name])
     state = case current_state
       when :SERVICE_STOPPED,
-           :SERVICE_PAUSED,
-           :SERVICE_STOP_PENDING,
-           :SERVICE_PAUSE_PENDING
+           :SERVICE_STOP_PENDING
         :stopped
+      when :SERVICE_PAUSED,
+           :SERVICE_PAUSE_PENDING
+        :paused
       when :SERVICE_RUNNING,
            :SERVICE_CONTINUE_PENDING,
            :SERVICE_START_PENDING

data/lib/puppet/provider/user/useradd.rb

@@ -134,15 +134,6 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     cmd
   end
 
-  def check_manage_expiry
-    cmd = []
-    if @resource[:expiry] and not @resource.forcelocal?
-      cmd << "-e #{@resource[:expiry]}"
-    end
-
-    cmd
-  end
-
   def check_system_users
     if self.class.system_users? and resource.system?
       ["-r"]
@@ -188,7 +179,8 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
 
   def modifycmd(param, value)
     if @resource.forcelocal?
-      if param == :groups
+      case param
+      when :groups, :expiry
         cmd = [command(:modify)]
       else
         cmd = [command(property_manages_password_age?(param) ? :localpassword : :localmodify)]

data/lib/puppet/resource/catalog.rb

@@ -558,11 +558,7 @@ class Puppet::Resource::Catalog < Puppet::Graph::SimpleGraph
     Puppet::FileSystem.open(resourcefile.value, resourcefile.mode.to_i(8), "w:UTF-8") do |f|
       to_print = resources.map do |resource|
         next unless resource.managed?
-        if resource.name_var
-          "#{resource.type}[#{resource[resource.name_var]}]"
-        else
-          "#{resource.ref.downcase}"
-        end
+        "#{resource.ref.downcase}"
       end.compact
       f.puts to_print.join("\n")
     end

data/lib/puppet/ssl/host.rb

@@ -154,15 +154,14 @@ class Puppet::SSL::Host
     raise Puppet::Error, _("No certificate to validate.") unless cert
     raise Puppet::Error, _("No private key with which to validate certificate with fingerprint: %{fingerprint}") % { fingerprint: cert.fingerprint } unless key
     unless cert.content.check_private_key(key.content)
-      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: cert.fingerprint, cert_name: Puppet[:certname], ssl_dir: Puppet[:ssldir], cert_dir: Puppet[:certdir].gsub('/', '\\') }
+      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: cert.fingerprint, cert_name: Puppet[:certname] }
 The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?
 Certificate fingerprint: %{fingerprint}
 To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
 On the master:
   puppetserver ca clean --certname %{cert_name}
 On the agent:
-  1a. On most platforms: find %{ssl_dir} -name %{cert_name}.pem -delete
-  1b. On Windows: del "%{cert_dir}\\%{cert_name}.pem" /f
+  1. puppet ssl clean
   2. puppet agent -t
 ERROR_STRING
     end
@@ -237,15 +236,14 @@ ERROR_STRING
 
   def validate_local_csr_with_key(csr, key)
     if key.content.public_key.to_s != csr.content.public_key.to_s
-      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: csr.fingerprint, csr_public_key: csr.content.public_key.to_text, agent_public_key: key.content.public_key.to_text, cert_name: Puppet[:certname], ssl_dir: Puppet[:ssldir], cert_dir: Puppet[:certdir].gsub('/', '\\') }
+      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: csr.fingerprint, csr_public_key: csr.content.public_key.to_text, agent_public_key: key.content.public_key.to_text }
 The local CSR does not match the agent's public key.
 CSR fingerprint: %{fingerprint}
 CSR public key: %{csr_public_key}
 Agent public key: %{agent_public_key}
 To fix this, remove the CSR from the agent and then start a puppet run, which will automatically regenerate a CSR.
 On the agent:
-  1a. On most platforms: find %{ssl_dir} -name %{cert_name}.pem -delete
-  1b. On Windows: del "%{cert_dir}\\%{cert_name}.pem" /f
+  1. puppet ssl clean
   2. puppet agent -t
 ERROR_STRING
     end
@@ -254,7 +252,7 @@ ERROR_STRING
 
   def validate_csr_with_key(csr, key)
     if key.content.public_key.to_s != csr.content.public_key.to_s
-      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: csr.fingerprint, csr_public_key: csr.content.public_key.to_text, agent_public_key: key.content.public_key.to_text, cert_name: Puppet[:certname], ssl_dir: Puppet[:ssldir], cert_dir: Puppet[:certdir].gsub('/', '\\') }
+      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: csr.fingerprint, csr_public_key: csr.content.public_key.to_text, agent_public_key: key.content.public_key.to_text, cert_name: Puppet[:certname] }
 The CSR retrieved from the master does not match the agent's public key.
 CSR fingerprint: %{fingerprint}
 CSR public key: %{csr_public_key}
@@ -263,8 +261,7 @@ To fix this, remove the CSR from both the master and the agent and then start a
 On the master:
   puppetserver ca clean --certname %{cert_name}
 On the agent:
-  1a. On most platforms: find %{ssl_dir} -name %{cert_name}.pem -delete
-  1b. On Windows: del "%{cert_dir}\\%{cert_name}.pem" /f
+  1. puppet ssl clean
   2. puppet agent -t
 ERROR_STRING
     end
@@ -576,6 +573,7 @@ ERROR_STRING
       end
     end
   end
+  public :download_certificate_from_ca
 
   # Returns the file path for the named certificate, based on this host's
   # configuration.

data/lib/puppet/transaction/persistence.rb

@@ -64,7 +64,7 @@ class Puppet::Transaction::Persistence
       begin
         result = Puppet::Util::Yaml.safe_load_file(filename, [Symbol])
       rescue Puppet::Util::Yaml::YamlLoadError => detail
-        Puppet.log_exception(detail, _("Transaction store file %{filename} is corrupt (%{detail}); replacing") % { filename: filename, detail: detail }, { :level => :warning })
+        Puppet.log_exception(detail, _("Transaction store file %{filename} is corrupt (%{detail}); replacing") % { filename: filename, detail: detail })
 
         begin
           File.rename(filename, filename + ".bad")

data/lib/puppet/type/package.rb

@@ -172,7 +172,7 @@ module Puppet
               when is == @latest
                 return true
               when is == :present
-                # This will only happen on retarded packaging systems
+                # This will only happen on packaging systems
                 # that can't query versions.
                 return true
               else

data/lib/puppet/type/user.rb

@@ -409,7 +409,10 @@ module Puppet
         resource at the same time. For instance, Puppet creates a home directory for a managed
         user if `ensure => present` and the user does not exist at the time of the Puppet run.
         If the home directory is then deleted manually, Puppet will not recreate it on the next
-        run."
+        run.
+
+        Note that on Windows, this manages creation/deletion of the user profile instead of the
+        home directory. The user profile is stored in the `C:\Users\<username>` directory."
 
       defaultto false
 

data/lib/puppet/util.rb

@@ -478,9 +478,13 @@ module Util
 
   def safe_posix_fork(stdin=$stdin, stdout=$stdout, stderr=$stderr, &block)
     child_pid = Kernel.fork do
-      $stdin.reopen(stdin)
-      $stdout.reopen(stdout)
-      $stderr.reopen(stderr)
+      STDIN.reopen(stdin)
+      STDOUT.reopen(stdout)
+      STDERR.reopen(stderr)
+
+      $stdin = STDIN
+      $stdout = STDOUT
+      $stderr = STDERR
 
       begin
         Dir.foreach('/proc/self/fd') do |f|

data/lib/puppet/util/execution.rb

@@ -157,6 +157,7 @@ module Puppet::Util::Execution
         :override_locale => true,
         :custom_environment => {},
         :sensitive => false,
+        :suppress_window => false,
     }
 
     options = default_options.merge(options)

data/lib/puppet/util/logging.rb

@@ -49,12 +49,13 @@ module Logging
   #    to take advantage of the backtrace logging.
   def log_exception(exception, message = :default, options = {})
     trace = Puppet[:trace] || options[:trace]
+    level = options[:level] || :err
     if message == :default && exception.is_a?(Puppet::ParseErrorWithIssue)
       # Retain all detailed info and keep plain message and stacktrace separate
       backtrace = []
       build_exception_trace(backtrace, exception, trace)
       Puppet::Util::Log.create({
-          :level => options[:level] || :err,
+          :level => level,
           :source => log_source,
           :message => exception.basic_message,
           :issue_code => exception.issue_code,
@@ -66,7 +67,7 @@ module Logging
           :node => exception.node
         }.merge(log_metadata))
     else
-      err(format_exception(exception, message, trace))
+      send_log(level, format_exception(exception, message, trace))
     end
   end
 

data/lib/puppet/util/windows/process.rb

@@ -8,6 +8,8 @@ module Puppet::Util::Windows::Process
 
   WAIT_TIMEOUT = 0x102
   WAIT_INTERVAL = 200
+  # https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-creation-flags
+  CREATE_NO_WINDOW = 0x08000000
 
   def execute(command, arguments, stdin, stdout, stderr)
     create_args = {
@@ -17,9 +19,11 @@ module Puppet::Util::Windows::Process
         :stdout => stdout,
         :stderr => stderr
       },
-      :close_handles => false
+      :close_handles => false,
     }
-
+    if arguments[:suppress_window]
+      create_args[:creation_flags] = CREATE_NO_WINDOW
+    end
     cwd = arguments[:cwd]
     if cwd
       Dir.chdir(cwd) { Process.create(create_args) }

data/lib/puppet/util/windows/security.rb

@@ -324,6 +324,20 @@ module Puppet::Util::Windows::Security
       # we don't check S_ISYSTEM_MISSING bit, but automatically carry over existing SYSTEM perms
       # by default set SYSTEM perms to full
       system_allow = FILE::FILE_ALL_ACCESS
+    else
+      # It is possible to set SYSTEM with a mode other than Full Control (7) however this makes no sense and in practical terms
+      # should not be done.  We can trap these instances and correct them before being applied.
+      if (sd.owner == well_known_system_sid) && (owner_allow != FILE::FILE_ALL_ACCESS)
+        #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+        Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
+        owner_allow = FILE::FILE_ALL_ACCESS
+      end
+
+      if (sd.group == well_known_system_sid) && (group_allow != FILE::FILE_ALL_ACCESS)
+        #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+        Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
+        group_allow = FILE::FILE_ALL_ACCESS
+      end
     end
 
     # even though FILE_DELETE_CHILD only applies to directories, it can be set on files

data/lib/puppet/util/windows/service.rb

@@ -40,6 +40,26 @@ module Puppet::Util::Windows
     SERVICE_CONTROL_PRESHUTDOWN           = 0x0000000F
     SERVICE_CONTROL_TIMECHANGE            = 0x00000010
     SERVICE_CONTROL_TRIGGEREVENT          = 0x00000020
+    SERVICE_CONTROL_SIGNALS               = {
+      SERVICE_CONTROL_STOP                  => :SERVICE_CONTROL_STOP,
+      SERVICE_CONTROL_PAUSE                 => :SERVICE_CONTROL_PAUSE,
+      SERVICE_CONTROL_CONTINUE              => :SERVICE_CONTROL_CONTINUE,
+      SERVICE_CONTROL_INTERROGATE           => :SERVICE_CONTROL_INTERROGATE,
+      SERVICE_CONTROL_SHUTDOWN              => :SERVICE_CONTROL_SHUTDOWN,
+      SERVICE_CONTROL_PARAMCHANGE           => :SERVICE_CONTROL_PARAMCHANGE,
+      SERVICE_CONTROL_NETBINDADD            => :SERVICE_CONTROL_NETBINDADD,
+      SERVICE_CONTROL_NETBINDREMOVE         => :SERVICE_CONTROL_NETBINDREMOVE,
+      SERVICE_CONTROL_NETBINDENABLE         => :SERVICE_CONTROL_NETBINDENABLE,
+      SERVICE_CONTROL_NETBINDDISABLE        => :SERVICE_CONTROL_NETBINDDISABLE,
+      SERVICE_CONTROL_DEVICEEVENT           => :SERVICE_CONTROL_DEVICEEVENT,
+      SERVICE_CONTROL_HARDWAREPROFILECHANGE => :SERVICE_CONTROL_HARDWAREPROFILECHANGE,
+      SERVICE_CONTROL_POWEREVENT            => :SERVICE_CONTROL_POWEREVENT,
+      SERVICE_CONTROL_SESSIONCHANGE         => :SERVICE_CONTROL_SESSIONCHANGE,
+      SERVICE_CONTROL_PRESHUTDOWN           => :SERVICE_CONTROL_PRESHUTDOWN,
+      SERVICE_CONTROL_TIMECHANGE            => :SERVICE_CONTROL_TIMECHANGE,
+      SERVICE_CONTROL_TRIGGEREVENT          => :SERVICE_CONTROL_TRIGGEREVENT
+    }
+
 
     # Service start type codes
     # https://docs.microsoft.com/en-us/windows/desktop/api/Winsvc/nf-winsvc-changeserviceconfigw
@@ -81,7 +101,14 @@ module Puppet::Util::Windows
     SERVICE_START_PENDING    = 0x00000002
     SERVICE_STOP_PENDING     = 0x00000003
     SERVICE_STOPPED          = 0x00000001
-    SERVICE_STATES = {
+    UNSAFE_PENDING_STATES    = [SERVICE_START_PENDING, SERVICE_STOP_PENDING]
+    FINAL_STATES             = {
+      SERVICE_CONTINUE_PENDING => SERVICE_RUNNING,
+      SERVICE_PAUSE_PENDING    => SERVICE_PAUSED,
+      SERVICE_START_PENDING    => SERVICE_RUNNING,
+      SERVICE_STOP_PENDING     => SERVICE_STOPPED
+    }
+    SERVICE_STATES           = {
       SERVICE_CONTINUE_PENDING => :SERVICE_CONTINUE_PENDING,
       SERVICE_PAUSE_PENDING => :SERVICE_PAUSE_PENDING,
       SERVICE_PAUSED => :SERVICE_PAUSED,
@@ -266,37 +293,68 @@ module Puppet::Util::Windows
     end
     module_function :exists?
 
-    # Start a windows service, assume that the service is already in the stopped state
+    # Start a windows service
     #
     # @param [:string] service_name name of the service to start
     def start(service_name)
-      open_service(service_name, SC_MANAGER_CONNECT, SERVICE_START | SERVICE_QUERY_STATUS) do |service|
-        transition_service_state(service, SERVICE_STOP_PENDING, SERVICE_STOPPED, SERVICE_START_PENDING, SERVICE_RUNNING) do
-          if StartServiceW(service, 0, FFI::Pointer::NULL) == FFI::WIN32_FALSE
-            raise Puppet::Util::Windows::Error.new(_("Failed to start the service"))
-          end
+      Puppet.debug _("Starting the %{service_name} service") % { service_name: service_name }
+
+      valid_initial_states = [
+        SERVICE_STOP_PENDING,
+        SERVICE_STOPPED,
+        SERVICE_START_PENDING
+      ]
+
+      transition_service_state(service_name, valid_initial_states, SERVICE_RUNNING) do |service|
+        if StartServiceW(service, 0, FFI::Pointer::NULL) == FFI::WIN32_FALSE
+          raise Puppet::Util::Windows::Error, _("Failed to start the service")
         end
       end
+
+      Puppet.debug _("Successfully started the %{service_name} service") % { service_name: service_name }
     end
     module_function :start
 
-    # Use ControlService to send a stop signal to a windows service
+    # Stop a windows service
     #
     # @param [:string] service_name name of the service to stop
     def stop(service_name)
-      open_service(service_name, SC_MANAGER_CONNECT, SERVICE_STOP | SERVICE_QUERY_STATUS) do |service|
-        transition_service_state(service, SERVICE_START_PENDING, SERVICE_RUNNING, SERVICE_STOP_PENDING, SERVICE_STOPPED) do
-          FFI::MemoryPointer.new(SERVICE_STATUS.size) do |status_ptr|
-            status = SERVICE_STATUS.new(status_ptr)
-            if ControlService(service, SERVICE_CONTROL_STOP, status) == FFI::WIN32_FALSE
-              raise Puppet::Util::Windows::Error.new(_("Failed to send stop control to service, current state is %{current_state}. Failed with") % { current_state: status[:dwCurrentState].to_s })
-            end
-          end
-        end
+      Puppet.debug _("Stopping the %{service_name} service") % { service_name: service_name }
+
+      valid_initial_states = SERVICE_STATES.keys - [SERVICE_STOPPED]
+
+      transition_service_state(service_name, valid_initial_states, SERVICE_STOPPED) do |service|
+        send_service_control_signal(service, SERVICE_CONTROL_STOP)
       end
+
+      Puppet.debug _("Successfully stopped the %{service_name} service") % { service_name: service_name }
     end
     module_function :stop
 
+    # Resume a paused windows service
+    #
+    # @param [:string] service_name name of the service to resume
+    def resume(service_name)
+      Puppet.debug _("Resuming the %{service_name} service") % { service_name: service_name }
+
+      valid_initial_states = [
+        SERVICE_PAUSE_PENDING,
+        SERVICE_PAUSED,
+        SERVICE_CONTINUE_PENDING
+      ]
+
+      transition_service_state(service_name, valid_initial_states, SERVICE_RUNNING) do |service|
+        # The SERVICE_CONTROL_CONTINUE signal can only be sent when
+        # the service is in the SERVICE_PAUSED state
+        wait_on_pending_state(service, SERVICE_PAUSE_PENDING)
+
+        send_service_control_signal(service, SERVICE_CONTROL_CONTINUE)
+      end
+
+      Puppet.debug _("Successfully resumed the %{service_name} service") % { service_name: service_name }
+    end
+    module_function :resume
+
     # Query the state of a service using QueryServiceStatusEx
     #
     # @param [:string] service_name name of the service to query
@@ -495,24 +553,74 @@ module Puppet::Util::Windows
       private :open_scm
 
       # @api private
-      # Wait for preceeding_transition, then execute a block, then wait for resulting_transition.
-      # Do not fail on preceeding_transition,
+      # Transition the service to the specified state. The block should perform
+      # the actual transition.
       #
-      # @param [:handle] service handle of the service to query
-      # @param [:Integer] preceeding_transition integer value corresponding to the transition state to wait for
-      #   before executing the block
-      # @param [:Integer] resulting_transition integer value corresponding to the transition state to wait for
-      #   after executing the block
-      def transition_service_state(service, preceeding_transition, preceeding_state, resulting_transition, resulting_state, &block)
-        # ignore the return from the pending transition, we don't care what state the service
-        # is in after this point, only that we waited on preceeding_pending_state if that's where
-        # the service was
-        wait_on_pending_transition(service, preceeding_transition, preceeding_state, raise_on_timeout: false)
-        yield
-        # After returning from the block, wait to see a pending or active state.
-        wait_for_state_transition(service, [resulting_transition, resulting_state])
-        # After that If the state is pending, attempt to wait for the pending operation to finish
-        wait_on_pending_transition(service, resulting_transition, resulting_state, raise_on_timeout: true)
+      # @param [String] service_name the name of the service to transition
+      # @param [[Integer]] valid_initial_states an array of valid states that the service can transition from
+      # @param [:Integer] final_state the state that the service will transition to
+      def transition_service_state(service_name, valid_initial_states, final_state, &block)
+        service_access = SERVICE_START | SERVICE_STOP | SERVICE_PAUSE_CONTINUE | SERVICE_QUERY_STATUS
+        open_service(service_name, SC_MANAGER_CONNECT, service_access) do |service|
+          status = query_status(service)
+          initial_state = status[:dwCurrentState]
+
+          # If the service is already in the final_state, then
+          # no further work needs to be done
+          if initial_state == final_state 
+            Puppet.debug _("The service is already in the %{final_state} state. No further work needs to be done.") % { final_state: SERVICE_STATES[final_state] }
+
+            next
+          end
+
+          # Check that initial_state corresponds to a valid
+          # initial state
+          unless valid_initial_states.include?(initial_state)
+            valid_initial_states_str = valid_initial_states.map do |state|
+              SERVICE_STATES[state]
+            end.join(", ")
+
+            raise Puppet::Error, _("The service must be in one of the %{valid_initial_states} states to perform this transition. It is currently in the %{current_state} state.") % { valid_initial_states: valid_initial_states_str, current_state: SERVICE_STATES[initial_state] }
+          end
+
+          # Check if there's a pending transition to the final_state. If so, then wait for
+          # that transition to finish.
+          possible_pending_states = FINAL_STATES.keys.select do |pending_state|
+            # SERVICE_RUNNING has two pending states, SERVICE_START_PENDING and
+            # SERVICE_CONTINUE_PENDING. That is why we need the #select here
+            FINAL_STATES[pending_state] == final_state
+          end
+          if possible_pending_states.include?(initial_state)
+            Puppet.debug _("There is already a pending transition to the %{final_state} state for the %{service_name} service.")  % { final_state: SERVICE_STATES[final_state], service_name: service_name }
+            wait_on_pending_state(service, initial_state)
+
+            next
+          end
+
+          # If we are in an unsafe pending state like SERVICE_START_PENDING
+          # or SERVICE_STOP_PENDING, then we want to wait for that pending
+          # transition to finish before transitioning the service state.
+          # The reason we do this is because SERVICE_START_PENDING is when
+          # the service thread is being created and initialized, while
+          # SERVICE_STOP_PENDING is when the service thread is being cleaned
+          # up and destroyed. Thus there is a chance that when the service is
+          # in either of these states, its service thread may not yet be ready
+          # to perform the state transition (it may not even exist).
+          if UNSAFE_PENDING_STATES.include?(initial_state)
+            Puppet.debug _("The service is in the %{pending_state} state, which is an unsafe pending state.") % { pending_state: SERVICE_STATES[initial_state] }
+            wait_on_pending_state(service, initial_state)
+            initial_state = FINAL_STATES[initial_state]
+          end
+
+          Puppet.debug _("Transitioning the %{service_name} service from %{initial_state} to %{final_state}") % { service_name: service_name, initial_state: SERVICE_STATES[initial_state], final_state: SERVICE_STATES[final_state] }
+
+          yield service
+
+          Puppet.debug _("Waiting for the transition to finish")
+          wait_on_state_transition(service, initial_state, final_state)
+        end
+      rescue => detail
+        raise Puppet::Error, _("Failed to transition the %{service_name} service to the %{final_state} state. Detail: %{detail}") % { service_name: service_name, final_state: SERVICE_STATES[final_state], detail: detail }, detail.backtrace
       end
       private :transition_service_state
 
@@ -596,75 +704,110 @@ module Puppet::Util::Windows
       private :query_config
 
       # @api private
-      # waits for a windows service to report one of the acceptable_states
+      # Sends a service control signal to a service
+      #
+      # @param [:handle] service handle to the service
+      # @param [Integer] signal the service control signal to send
+      def send_service_control_signal(service, signal)
+        FFI::MemoryPointer.new(SERVICE_STATUS.size) do |status_ptr|
+          status = SERVICE_STATUS.new(status_ptr)
+          if ControlService(service, signal, status) == FFI::WIN32_FALSE
+            raise Puppet::Util::Windows::Error, _("Failed to send the %{control_signal} signal to the service. Its current state is %{current_state}. Failed with") % { control_signal: SERVICE_CONTROL_SIGNALS[signal], current_state: SERVICE_STATES[status[:dwCurrentState]] }
+          end
+        end
+      end
+
+      # @api private
+      # Waits for a service to transition from one state to
+      # another state.
       #
       # @param [:handle] service handle to the service to wait on
-      # @param [Array<Integer>] acceptable_states array of acceptable states to wait for
-      # @return [bool] 'true' once the service is reporting an acceptable_state,
-      #   'false' if the service never reached one of the acceptable_states
-      def wait_for_state_transition(service, acceptable_states)
+      # @param [Integer] initial_state the state that the service is transitioning from.
+      # @param [Integer] final_state the state that the service is transitioning to
+      def wait_on_state_transition(service, initial_state, final_state)
+        # Get the pending state for this transition. Note that SERVICE_RUNNING
+        # has two possible pending states, which is why we need this logic.
+        if final_state != SERVICE_RUNNING
+          pending_state = FINAL_STATES.key(final_state)
+        elsif initial_state == SERVICE_STOPPED
+          # SERVICE_STOPPED => SERVICE_RUNNING
+          pending_state = SERVICE_START_PENDING
+        else
+          # SERVICE_PAUSED => SERVICE_RUNNING
+          pending_state = SERVICE_CONTINUE_PENDING
+        end
+
+        # Wait for the transition to finish
+        state = nil
         elapsed_time = 0
         while elapsed_time <= DEFAULT_TIMEOUT
           status = query_status(service)
           state = status[:dwCurrentState]
-          if acceptable_states.include?(state)
-            return true
+
+          return if state == final_state
+          if state == pending_state
+            Puppet.debug _("The service transitioned to the %{pending_state} state.") % { pending_state: SERVICE_STATES[pending_state] }
+            wait_on_pending_state(service, pending_state)
+            return
           end
+
           sleep(1)
           elapsed_time += 1
         end
-        raise Puppet::Error.new(_("Transition timed out, service still in %{current_state}") % { current_state: SERVICE_STATES[state] })
+
+        # Timed out while waiting for the transition to finish. Raise an error
+        raise Puppet::Error, _("Timed out while waiting for the service to transition from %{initial_state} to %{final_state} OR from %{initial_state} to %{pending_state} to %{final_state}. The service's current state is %{current_state}.") % { initial_state: SERVICE_STATES[initial_state], final_state: SERVICE_STATES[final_state], pending_state: SERVICE_STATES[pending_state], current_state: SERVICE_STATES[state] }
       end
-      private :wait_for_state_transition
+      private :wait_on_state_transition
 
       # @api private
-      # waits for a windows service to report final_state if it
-      # is in pending_state
+      # Waits for a service to finish transitioning from
+      # a pending state. The service must be in the pending state
+      # before invoking this routine.
       #
       # @param [:handle] service handle to the service to wait on
-      # @param [Integer] pending_states array of acceptable states to wait on
-      # @param [Integer] final_state the state indicating the transition is finished
-      # @return [bool] 'true' once the service is reporting final_state,
-      #   'false' if the service never reached final_state or was not in pending_states
-      def wait_on_pending_transition(service, pending_state, final_state, raise_on_timeout: false)
+      # @param [Integer] pending_state the pending state
+      def wait_on_pending_state(service, pending_state)
+        final_state = FINAL_STATES[pending_state]
+
+        Puppet.debug _("Waiting for the pending transition to the %{final_state} state to finish.") % { final_state: SERVICE_STATES[final_state] }
+
         elapsed_time = 0
         last_checkpoint = -1
         loop do
           status = query_status(service)
           state = status[:dwCurrentState]
-          return true if state == final_state
+
+          # Check if our service has finished transitioning to
+          # the final_state OR if an unexpected transition
+          # has occurred
+          return if state == final_state
           unless state == pending_state
-            if raise_on_timeout
-              raise Puppet::Error.new(_("Service was not in pending state: %{pending_state}, current state is %{current_state}") % { pending_state: SERVICE_STATES[pending_state], current_state: SERVICE_STATES[state] })
-            else
-              return false
-            end
+            raise Puppet::Error, _("Unexpected transition to the %{current_state} state while waiting for the pending transition from %{pending_state} to %{final_state} to finish.") % { current_state: SERVICE_STATES[state], pending_state: SERVICE_STATES[pending_state], final_state: SERVICE_STATES[final_state] }
           end
-          # When the service is in the pending state we need to do the following:
-          # 1. check if any progress has been made since dwWaitHint using dwCheckPoint,
-          #    and fail if no progress was made
-          # 2. if progress has been made, increment elapsed_time and set last_checkpoint
-          # 3. sleep, then loop again if there was progress.
-          time_to_wait = wait_hint_to_wait_time(status[:dwWaitHint])
+
+          # Check if any progress has been made since our last sleep
+          # using the dwCheckPoint. If no progress has been made then
+          # check if we've timed out, and raise an error if so
           if status[:dwCheckPoint] > last_checkpoint
             elapsed_time = 0
+            last_checkpoint = status[:dwCheckPoint]
           else
-            timeout = milliseconds_to_seconds(status[:dwWaitHint]);
-            timeout = DEFAULT_TIMEOUT if timeout < DEFAULT_TIMEOUT
-            if elapsed_time >= (timeout)
-              if raise_on_timeout
-                raise Puppet::Error.new(_("Pending operation timed out, service still in %{current_state}") % { current_state: SERVICE_STATES[state] })
-              else
-                return false
-              end
+            wait_hint = milliseconds_to_seconds(status[:dwWaitHint])
+            timeout = wait_hint < DEFAULT_TIMEOUT ? DEFAULT_TIMEOUT : wait_hint 
+
+            if elapsed_time >= timeout
+              raise Puppet::Error, _("Timed out while waiting for the pending transition from %{pending_state} to %{final_state} to finish. The current state is %{current_state}.") % { pending_state: SERVICE_STATES[pending_state], final_state: SERVICE_STATES[final_state], current_state: SERVICE_STATES[state] }
             end
           end
-          last_checkpoint = status[:dwCheckPoint]
-          sleep(time_to_wait)
-          elapsed_time += time_to_wait
+
+          # Wait a bit before rechecking the service's state
+          wait_time = wait_hint_to_wait_time(status[:dwWaitHint])
+          sleep(wait_time)
+          elapsed_time += wait_time
         end
       end
-      private :wait_on_pending_transition
+      private :wait_on_pending_state
 
       # @api private
       #