puppet 6.0.5-x86-mingw32 → 6.0.7-x86-mingw32

data/lib/puppet/provider/group/windows_adsi.rb

@@ -67,7 +67,10 @@ Puppet::Type.type(:group).provide :windows_adsi do
 
   def members
     @members ||= Puppet::Util::Windows::ADSI::Group.name_sid_hash(group.members)
-    @members.keys
+
+    # @members.keys returns an array of SIDs. We need to convert those SIDs into
+    # names so that `puppet resource` prints the right output.
+    members_to_s(@members.keys).split(',')
   end
 
   def members=(members)

data/lib/puppet/provider/package/windows.rb

@@ -63,7 +63,11 @@ Puppet::Type.type(:package).provide(:windows, :parent => Puppet::Provider::Packa
     installer = Puppet::Provider::Package::Windows::Package.installer_class(resource)
 
     command = [installer.install_command(resource), install_options].flatten.compact.join(' ')
-    output = execute(command, :failonfail => false, :combine => true, :cwd => File.dirname(resource[:source]), :suppress_window => true)
+    working_dir = File.dirname(resource[:source])
+    if !Puppet::FileSystem.exist?(working_dir) && resource[:source] =~ /\.msi"?\Z/i
+      working_dir = nil
+    end
+    output = execute(command, :failonfail => false, :combine => true, :cwd => working_dir, :suppress_window => true)
 
     check_result(output.exitstatus)
   end

data/lib/puppet/provider/service/upstart.rb

@@ -28,12 +28,22 @@ Puppet::Type.type(:service).provide :upstart, :parent => :debian do
   # We only want to use upstart as our provider if the upstart daemon is running.
   # This can be checked by running `initctl version --quiet` on a machine that has
   # upstart installed.
-  confine :true => begin
-    initctl('version', '--quiet')
-    true
-  rescue
-    false
-  end
+  confine :true => lambda {
+    # Puppet::Util::Execution.execute does not currently work on jRuby.
+    # Unfortunately, since this confine is invoked whenever we check for
+    # provider suitability and since provider suitability is still checked
+    # on the master, this confine will still be invoked on the master. Thus
+    # to avoid raising an exception, we do an early return if we're running
+    # on jRuby.
+    next false if Puppet::Util::Platform.jruby?
+
+    begin
+      initctl('version', '--quiet')
+      true
+    rescue
+      false
+    end
+  }
 
   # upstart developer haven't implemented initctl enable/disable yet:
   # http://www.linuxplanet.com/linuxplanet/tutorials/7033/2/

data/lib/puppet/settings.rb

@@ -255,7 +255,7 @@ class Puppet::Settings
     @global_defaults_initialized
   end
 
-  def initialize_global_settings(args = [])
+  def initialize_global_settings(args = [], require_config = true)
     raise Puppet::DevError, _("Attempting to initialize global default settings more than once!") if global_defaults_initialized?
 
     # The first two phases of the lifecycle of a puppet application are:
@@ -264,7 +264,7 @@ class Puppet::Settings
     # 2) Parse the puppet config file(s).
 
     parse_global_options(args)
-    parse_config_files
+    parse_config_files(require_config)
 
     @global_defaults_initialized = true
   end
@@ -590,14 +590,19 @@ class Puppet::Settings
   end
 
   # Parse the configuration file.  Just provides thread safety.
-  def parse_config_files
+  def parse_config_files(require_config = true)
     file = which_configuration_file
     if Puppet::FileSystem.exist?(file)
       begin
         text = read_file(file)
       rescue => detail
-        Puppet.log_exception(detail, "Could not load #{file}: #{detail}")
-        return
+        message = _("Could not load %{file}: %{detail}") % { file: file, detail: detail}
+        if require_config
+          Puppet.log_and_raise(detail, message)
+        else
+          Puppet.log_exception(detail, message)
+          return
+        end
       end
     else
       return

data/lib/puppet/transaction.rb

@@ -358,15 +358,17 @@ class Puppet::Transaction
     Puppet.debug "Prefetching #{provider_class.name} resources for #{type_name}"
     begin
       provider_class.prefetch(resources)
-    rescue Exception => detail
-      if !detail.is_a?(LoadError) && !detail.is_a?(Puppet::MissingCommand)
-        raise unless Puppet.settings[:future_features]
-        
-        @prefetch_failed_providers[type_name][provider_class.name] = true
-      end
+    rescue LoadError, Puppet::MissingCommand => detail
       #TRANSLATORS `prefetch` is a function name and should not be translated
       message = _("Could not prefetch %{type_name} provider '%{name}': %{detail}") % { type_name: type_name, name: provider_class.name, detail: detail }
       Puppet.log_exception(detail, message)
+    rescue StandardError => detail
+      message = _("Could not prefetch %{type_name} provider '%{name}': %{detail}") % { type_name: type_name, name: provider_class.name, detail: detail }
+      Puppet.log_exception(detail, message)
+
+      raise unless Puppet.settings[:future_features]
+
+      @prefetch_failed_providers[type_name][provider_class.name] = true
     end
     @prefetched_providers[type_name][provider_class.name] = true
   end

data/lib/puppet/transaction/resource_harness.rb

@@ -161,6 +161,7 @@ class Puppet::Transaction::ResourceHarness
         name = param.name.to_s
         event.message ||= _("could not create change error message for %{name}") % { name: name }
         event.calculate_corrective_change(@persistence.get_system_value(context.resource.ref, name))
+        event.message << ' (corrective)' if event.corrective_change
         context.record(event)
         event.send_log
         context.synced_params << param.name

data/lib/puppet/type/exec.rb

@@ -581,7 +581,15 @@ module Puppet
           val = @parameters[check].value
           val = [val] unless val.is_a? Array
           val.each do |value|
-            return false unless @parameters[check].check(value)
+            if !@parameters[check].check(value)
+              # Give a debug message so users can figure out what command would have been
+              # but don't print sensitive commands or parameters in the clear
+              cmdstring = @parameters[:command].sensitive ? "[command redacted]" : @parameters[:command].value
+
+              debug(_("'%{cmd}' won't be executed because of failed check '%{check}'") % { cmd: cmdstring, check: check })
+
+              return false 
+            end
           end
         end
       }
@@ -614,11 +622,25 @@ module Puppet
 
     private
     def set_sensitive_parameters(sensitive_parameters)
-      # Respect sensitive commands
-      if sensitive_parameters.include?(:command)
-        sensitive_parameters.delete(:command)
-        parameter(:command).sensitive = true
+      # If any are sensitive, mark all as sensitive
+      sensitive = false
+      parameters_to_check = [:command, :unless, :onlyif]
+
+      parameters_to_check.each do |p| 
+        if sensitive_parameters.include?(p)
+          sensitive_parameters.delete(p)
+          sensitive = true
+        end
       end
+
+      if sensitive
+        parameters_to_check.each do |p|
+          if parameters.include?(p)
+            parameter(p).sensitive = true
+          end
+        end
+      end
+
       super(sensitive_parameters)
     end
   end

data/lib/puppet/type/file/mode.rb

@@ -116,8 +116,13 @@ module Puppet
     # If we're not following links and we're a link, then we just turn
     # off mode management entirely.
     def insync?(currentvalue)
+      if provider.respond_to?(:munge_windows_system_group)
+        munged_mode = provider.munge_windows_system_group(currentvalue, @should)
+        return false if munged_mode.nil?
+        currentvalue = munged_mode
+      end
       if stat = @resource.stat and stat.ftype == "link" and @resource[:links] != :follow
-        self.debug "Not managing symlink mode"
+        self.debug _("Not managing symlink mode")
         return true
       else
         return super(currentvalue)

data/lib/puppet/type/filebucket.rb

@@ -42,19 +42,23 @@ module Puppet
     end
 
     newparam(:server) do
-      desc "The server providing the remote filebucket service. Defaults to the
-        value of the `server` setting (that is, the currently configured
-        puppet master server).
+      desc "The server providing the remote filebucket service.
 
-        This setting is _only_ consulted if the `path` attribute is set to `false`."
-      defaultto { Puppet[:server] }
+        This setting is _only_ consulted if the `path` attribute is set to `false`.
+
+        If this attribute is not specified, the first entry in the `server_list`
+        configuration setting is used, followed by the value of the `server` setting
+        if `server_list` is not set."
     end
 
     newparam(:port) do
-      desc "The port on which the remote server is listening. Defaults to the
-        value of the `masterport` setting, which is usually %s." % Puppet[:masterport]
+      desc "The port on which the remote server is listening.
+
+        This setting is _only_ consulted if the `path` attribute is set to `false`.
 
-      defaultto { Puppet[:masterport] }
+        If this attribute is not specified, the first entry in the `server_list`
+        configuration setting is used, followed by the value of the `masterport`
+        setting if `server_list` is not set."
     end
 
     newparam(:path) do

data/lib/puppet/util/command_line.rb

@@ -64,8 +64,12 @@ module Puppet
       #
       # @return [void]
       def execute
+        require_config = true
+        if @argv.first =~ /help|-h|--help|-V|--version/
+          require_config = false
+        end
         Puppet::Util.exit_on_fail(_("Could not initialize global default settings")) do
-          Puppet.initialize_settings(args)
+          Puppet.initialize_settings(args, require_config)
         end
 
         setpriority(Puppet[:priority])

data/lib/puppet/util/log.rb

@@ -60,7 +60,7 @@ class Puppet::Util::Log
   end
 
   def self.close_all
-    destinations.keys.each { |dest|
+    @destinations.keys.each { |dest|
       close(dest)
     }
     #TRANSLATORS "Log.close_all" is a method name and should not be translated
@@ -147,7 +147,12 @@ class Puppet::Util::Log
       Puppet.log_exception(detail)
 
       # If this was our only destination, then add the console back in.
-      newdestination(:console) if @destinations.empty? and (dest != :console and dest != "console")
+      if destinations.empty? && dest.intern != :console
+        newdestination(:console)
+      end
+
+      # Re-raise (end exit Puppet) because we could not set up logging correctly.
+      raise detail
     end
   end
 

data/lib/puppet/util/pidlock.rb

@@ -54,7 +54,20 @@ class Puppet::Util::Pidlock
     begin
       Process.kill(0, lock_pid)
     rescue *errors
-      @lockfile.unlock
+      return @lockfile.unlock
+    end
+
+    # Ensure the process associated with this pid is our process. If
+    # not, we can unlock the lockfile. For now this is only done on
+    # POSIX and Windows platforms (PUP-9247).
+    if Puppet.features.posix?
+      procname = Puppet::Util::Execution.execute(["ps", "-p", lock_pid, "-o", "comm="]).strip
+      @lockfile.unlock unless procname =~ /puppet(-.*)?$/
+    elsif Puppet.features.microsoft_windows?
+      # On Windows, we're checking if the filesystem path name of the running
+      # process is our vendored ruby:
+      exe_path = Puppet::Util::Windows::Process::get_process_image_name_by_pid(lock_pid)
+      @lockfile.unlock unless exe_path =~ /Puppet\\puppet\\bin\\ruby.exe/
     end
   end
   private :clear_if_stale

data/lib/puppet/util/windows/process.rb

@@ -10,6 +10,10 @@ module Puppet::Util::Windows::Process
   WAIT_INTERVAL = 200
   # https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-creation-flags
   CREATE_NO_WINDOW = 0x08000000
+  # https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-security-and-access-rights
+  PROCESS_QUERY_INFORMATION = 0x0400
+  # https://docs.microsoft.com/en-us/windows/desktop/FileIO/naming-a-file#maximum-path-length-limitation
+  MAX_PATH_LENGTH = 32767
 
   def execute(command, arguments, stdin, stdout, stderr)
     create_args = {
@@ -24,12 +28,10 @@ module Puppet::Util::Windows::Process
     if arguments[:suppress_window]
       create_args[:creation_flags] = CREATE_NO_WINDOW
     end
-    cwd = arguments[:cwd]
-    if cwd
-      Dir.chdir(cwd) { Process.create(create_args) }
-    else
-      Process.create(create_args)
+    if arguments[:cwd]
+      create_args[:cwd] = arguments[:cwd]
     end
+    Process.create(create_args)
   end
   module_function :execute
 
@@ -62,6 +64,26 @@ module Puppet::Util::Windows::Process
   end
   module_function :get_current_process
 
+  def open_process(desired_access, inherit_handle, process_id, &block)
+    phandle = nil
+    inherit = inherit_handle ? FFI::WIN32_TRUE : FFI::WIN32_FALSE
+    begin
+      phandle = OpenProcess(desired_access, inherit, process_id)
+      if phandle == FFI::Pointer::NULL_HANDLE
+        raise Puppet::Util::Windows::Error.new(
+          "OpenProcess(#{desired_access.to_s(8)}, #{inherit}, #{process_id})")
+      end
+
+      yield phandle
+    ensure
+      FFI::WIN32.CloseHandle(phandle) if phandle
+    end
+
+    # phandle has had CloseHandle called against it, so nothing to return
+    nil
+  end
+  module_function :open_process
+
   def open_process_token(handle, desired_access, &block)
     token_handle = nil
     begin
@@ -97,6 +119,32 @@ module Puppet::Util::Windows::Process
   end
   module_function :with_process_token
 
+  def get_process_image_name_by_pid(pid)
+    image_name = ""
+
+    open_process(PROCESS_QUERY_INFORMATION, false, pid) do |phandle|
+
+      FFI::MemoryPointer.new(:dword, 1) do |exe_name_length_ptr|
+        # Add 1 for the null terminator, and UTF is 2 bytes/char:
+        max_path_length = (MAX_PATH_LENGTH + 1) * 2
+        exe_name_length_ptr.write_dword(max_path_length)
+        FFI::MemoryPointer.new(max_path_length) do |exe_name_ptr|
+          use_win32_path_format = 0
+          result = QueryFullProcessImageNameW(phandle, use_win32_path_format, exe_name_ptr, exe_name_length_ptr)
+          if result == FFI::WIN32_FALSE
+            raise Puppet::Util::Windows::Error.new(
+              "QueryFullProcessImageNameW(phandle, #{use_win32_path_format}, " +
+              "exe_name_ptr, #{max_path_length}")
+          end
+          image_name = exe_name_ptr.read_wide_string(MAX_PATH_LENGTH + 1)
+        end
+      end
+    end
+
+    image_name
+  end
+  module_function :get_process_image_name_by_pid
+
   def lookup_privilege_value(name, system_name = '', &block)
     FFI::MemoryPointer.new(LUID.size) do |luid_ptr|
       result = LookupPrivilegeValueW(
@@ -366,6 +414,16 @@ module Puppet::Util::Windows::Process
   attach_function_private :SetEnvironmentVariableW,
     [:lpcwstr, :lpcwstr], :win32_bool
 
+  # https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx
+  # HANDLE WINAPI OpenProcess(
+  #   _In_   DWORD DesiredAccess,
+  #   _In_   BOOL InheritHandle,
+  #   _In_   DWORD ProcessId
+  # );
+  ffi_lib :kernel32
+  attach_function_private :OpenProcess,
+    [:dword, :win32_bool, :dword], :handle
+
   # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379295(v=vs.85).aspx
   # BOOL WINAPI OpenProcessToken(
   #   _In_   HANDLE ProcessHandle,
@@ -376,6 +434,16 @@ module Puppet::Util::Windows::Process
   attach_function_private :OpenProcessToken,
     [:handle, :dword, :phandle], :win32_bool
 
+  # https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-queryfullprocessimagenamew
+  # BOOL WINAPI QueryFullProcessImageName(
+  #   _In_   HANDLE hProcess,
+  #   _In_   DWORD dwFlags,
+  #   _Out_  LPWSTR lpExeName,
+  #   _In_   PDWORD lpdwSize,
+  # );
+  ffi_lib :kernel32
+  attach_function_private :QueryFullProcessImageNameW,
+    [:handle, :dword, :lpwstr, :pdword], :win32_bool
 
   # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379261(v=vs.85).aspx
   # typedef struct _LUID {

data/lib/puppet/util/windows/security.rb

@@ -274,7 +274,7 @@ module Puppet::Util::Windows::Security
   # mode. Only a user with the SE_BACKUP_NAME and SE_RESTORE_NAME
   # privileges in their process token can change the mode for objects
   # that they do not have read and write access to.
-  def set_mode(mode, path, protected = true)
+  def set_mode(mode, path, protected = true, managing_owner = false, managing_group = false)
     sd = get_security_descriptor(path)
     well_known_world_sid = Puppet::Util::Windows::SID::Everyone
     well_known_nobody_sid = Puppet::Util::Windows::SID::Nobody
@@ -319,6 +319,8 @@ module Puppet::Util::Windows::Security
       nobody_allow |= FILE::FILE_APPEND_DATA;
     end
 
+    isownergroup = sd.owner == sd.group
+
     # caller is NOT managing SYSTEM by using group or owner, so set to FULL
     if ! [sd.owner, sd.group].include? well_known_system_sid
       # we don't check S_ISYSTEM_MISSING bit, but automatically carry over existing SYSTEM perms
@@ -328,15 +330,35 @@ module Puppet::Util::Windows::Security
       # It is possible to set SYSTEM with a mode other than Full Control (7) however this makes no sense and in practical terms
       # should not be done.  We can trap these instances and correct them before being applied.
       if (sd.owner == well_known_system_sid) && (owner_allow != FILE::FILE_ALL_ACCESS)
-        #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-        Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
-        owner_allow = FILE::FILE_ALL_ACCESS
+        # If owner and group are both SYSTEM but group is unmanaged the control rights of system will be set to FullControl by
+        # the unmanaged group, so there is no need for the warning
+        if managing_owner && (!isownergroup || managing_group)
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.warning _("Setting control rights for %{path} owner SYSTEM to less than Full Control rights. Setting SYSTEM rights to less than Full Control may have unintented consequences for operations on this file") % { path: path }
+        elsif managing_owner && isownergroup
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.debug _("%{path} owner and group both set to user SYSTEM, but group is not managed directly: SYSTEM user rights will be set to FullControl by group") % { path: path }
+        else
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
+          owner_allow = FILE::FILE_ALL_ACCESS
+        end
       end
 
       if (sd.group == well_known_system_sid) && (group_allow != FILE::FILE_ALL_ACCESS)
-        #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-        Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
-        group_allow = FILE::FILE_ALL_ACCESS
+        # If owner and group are both SYSTEM but owner is unmanaged the control rights of system will be set to FullControl by
+        # the unmanaged owner, so there is no need for the warning.
+        if managing_group && (!isownergroup || managing_owner)
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.warning _("Setting control rights for %{path} group SYSTEM to less than Full Control rights. Setting SYSTEM rights to less than Full Control may have unintented consequences for operations on this file") % { path: path }
+        elsif managing_group && isownergroup
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.debug _("%{path} owner and group both set to user SYSTEM, but owner is not managed directly: SYSTEM user rights will be set to FullControl by owner") % { path: path }
+        else
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
+          group_allow = FILE::FILE_ALL_ACCESS
+        end
       end
     end
 
@@ -353,7 +375,6 @@ module Puppet::Util::Windows::Security
     end
 
     # if owner and group the same, then map group permissions to the one owner ACE
-    isownergroup = sd.owner == sd.group
     if isownergroup
       owner_allow |= group_allow
     end