RubyGems - puppet - Versions diffs - 6.12.0 → 6.13.0 - Mend

puppet 6.12.0 → 6.13.0

Potentially problematic release.

This version of puppet might be problematic. Click here for more details.

Files changed (144) hide show

checksums.yaml +4 -4
data/Gemfile.lock +12 -12
data/README.md +1 -1
data/ext/project_data.yaml +1 -1
data/lib/puppet.rb +22 -7
data/lib/puppet/application/resource.rb +1 -1
data/lib/puppet/configurer.rb +8 -13
data/lib/puppet/defaults.rb +83 -49
data/lib/puppet/environments.rb +26 -18
data/lib/puppet/face/facts.rb +8 -5
data/lib/puppet/file_system/memory_file.rb +6 -0
data/lib/puppet/file_system/memory_impl.rb +13 -0
data/lib/puppet/file_system/windows.rb +7 -10
data/lib/puppet/http.rb +2 -0
data/lib/puppet/http/client.rb +30 -0
data/lib/puppet/http/errors.rb +2 -0
data/lib/puppet/http/service.rb +61 -2
data/lib/puppet/http/service/compiler.rb +86 -0
data/lib/puppet/http/service/file_server.rb +85 -0
data/lib/puppet/http/service/report.rb +4 -8
data/lib/puppet/http/session.rb +8 -1
data/lib/puppet/indirector/catalog/compiler.rb +10 -0
data/lib/puppet/indirector/file_bucket_file/file.rb +1 -1
data/lib/puppet/indirector/json.rb +1 -1
data/lib/puppet/indirector/msgpack.rb +1 -1
data/lib/puppet/network/http/connection.rb +4 -0
data/lib/puppet/network/http/nocache_pool.rb +1 -0
data/lib/puppet/network/http/pool.rb +5 -1
data/lib/puppet/parser/ast/pops_bridge.rb +6 -11
data/lib/puppet/pops/evaluator/access_operator.rb +2 -2
data/lib/puppet/pops/evaluator/evaluator_impl.rb +1 -1
data/lib/puppet/pops/loader/puppet_plan_instantiator.rb +12 -3
data/lib/puppet/pops/parser/evaluating_parser.rb +5 -7
data/lib/puppet/pops/types/p_object_type_extension.rb +10 -0
data/lib/puppet/pops/types/type_calculator.rb +24 -0
data/lib/puppet/pops/validation/checker4_0.rb +1 -1
data/lib/puppet/pops/validation/tasks_checker.rb +5 -1
data/lib/puppet/provider/aix_object.rb +4 -2
data/lib/puppet/provider/group/aix.rb +1 -0
data/lib/puppet/provider/group/groupadd.rb +52 -24
data/lib/puppet/provider/package/apt.rb +14 -3
data/lib/puppet/provider/package/dnfmodule.rb +9 -2
data/lib/puppet/provider/package/dpkg.rb +14 -7
data/lib/puppet/provider/package/fink.rb +20 -3
data/lib/puppet/provider/package/openbsd.rb +13 -1
data/lib/puppet/provider/package/pkg.rb +18 -5
data/lib/puppet/provider/package/yum.rb +9 -5
data/lib/puppet/provider/user/aix.rb +1 -0
data/lib/puppet/provider/user/directoryservice.rb +30 -5
data/lib/puppet/provider/user/useradd.rb +6 -7
data/lib/puppet/reports/store.rb +1 -1
data/lib/puppet/settings.rb +2 -0
data/lib/puppet/ssl/certificate.rb +2 -1
data/lib/puppet/test/test_helper.rb +4 -0
data/lib/puppet/transaction/resource_harness.rb +1 -1
data/lib/puppet/type/group.rb +2 -2
data/lib/puppet/type/package.rb +63 -9
data/lib/puppet/type/user.rb +2 -2
data/lib/puppet/util/log/destinations.rb +1 -1
data/lib/puppet/util/pidlock.rb +26 -6
data/lib/puppet/util/plist.rb +6 -0
data/lib/puppet/util/storage.rb +0 -1
data/lib/puppet/util/yaml.rb +1 -1
data/lib/puppet/version.rb +1 -1
data/locales/puppet.pot +127 -115
data/man/man5/puppet.conf.5 +21 -7
data/man/man8/puppet-agent.8 +1 -1
data/man/man8/puppet-apply.8 +1 -1
data/man/man8/puppet-catalog.8 +1 -1
data/man/man8/puppet-config.8 +1 -1
data/man/man8/puppet-describe.8 +1 -1
data/man/man8/puppet-device.8 +1 -1
data/man/man8/puppet-doc.8 +1 -1
data/man/man8/puppet-epp.8 +1 -1
data/man/man8/puppet-facts.8 +1 -1
data/man/man8/puppet-filebucket.8 +1 -1
data/man/man8/puppet-generate.8 +1 -1
data/man/man8/puppet-help.8 +1 -1
data/man/man8/puppet-key.8 +1 -1
data/man/man8/puppet-lookup.8 +1 -1
data/man/man8/puppet-man.8 +1 -1
data/man/man8/puppet-module.8 +1 -1
data/man/man8/puppet-node.8 +1 -1
data/man/man8/puppet-parser.8 +1 -1
data/man/man8/puppet-plugin.8 +1 -1
data/man/man8/puppet-report.8 +1 -1
data/man/man8/puppet-resource.8 +1 -1
data/man/man8/puppet-script.8 +1 -1
data/man/man8/puppet-ssl.8 +1 -1
data/man/man8/puppet-status.8 +1 -1
data/man/man8/puppet.8 +2 -2
data/spec/fixtures/vcr/cassettes/Puppet_Type_File/when_sourcing/from_http/using_md5/should_fetch_if_not_on_the_local_disk.yml +0 -35
data/spec/fixtures/vcr/cassettes/Puppet_Type_File/when_sourcing/from_http/using_md5/should_not_update_if_content_on_disk_is_up-to-date.yml +0 -37
data/spec/fixtures/vcr/cassettes/Puppet_Type_File/when_sourcing/from_http/using_md5/should_update_if_content_differs_on_disk.yml +0 -37
data/spec/fixtures/vcr/cassettes/Puppet_Type_File/when_sourcing/from_http/using_mtime/should_fetch_if_mtime_is_older_on_disk.yml +0 -35
data/spec/fixtures/vcr/cassettes/Puppet_Type_File/when_sourcing/from_http/using_mtime/should_fetch_if_no_header_specified.yml +0 -33
data/spec/fixtures/vcr/cassettes/Puppet_Type_File/when_sourcing/from_http/using_mtime/should_fetch_if_not_on_the_local_disk.yml +0 -35
data/spec/fixtures/vcr/cassettes/Puppet_Type_File/when_sourcing/from_http/using_mtime/should_not_update_if_mtime_is_newer_on_disk.yml +0 -35
data/spec/integration/configurer_spec.rb +26 -7
data/spec/integration/indirector/facts/facter_spec.rb +4 -0
data/spec/unit/application/apply_spec.rb +2 -12
data/spec/unit/application/resource_spec.rb +2 -2
data/spec/unit/configurer/fact_handler_spec.rb +0 -4
data/spec/unit/configurer_spec.rb +0 -3
data/spec/unit/defaults_spec.rb +1 -1
data/spec/unit/environments_spec.rb +57 -28
data/spec/unit/face/facts_spec.rb +24 -20
data/spec/unit/file_system_spec.rb +16 -2
data/spec/unit/http/client_spec.rb +6 -0
data/spec/unit/http/service/compiler_spec.rb +322 -0
data/spec/unit/http/service/file_server_spec.rb +219 -0
data/spec/unit/http/service/report_spec.rb +8 -1
data/spec/unit/http/service_spec.rb +4 -0
data/spec/unit/http/session_spec.rb +31 -0
data/spec/unit/indirector/catalog/compiler_spec.rb +46 -29
data/spec/unit/network/http/connection_spec.rb +23 -1
data/spec/unit/network/http/nocache_pool_spec.rb +3 -3
data/spec/unit/network/http/pool_spec.rb +32 -0
data/spec/unit/node/facts_spec.rb +2 -1
data/spec/unit/node_spec.rb +7 -4
data/spec/unit/pops/serialization/to_from_hr_spec.rb +6 -1
data/spec/unit/pops/validator/validator_spec.rb +7 -2
data/spec/unit/provider/aix_object_spec.rb +16 -2
data/spec/unit/provider/group/groupadd_spec.rb +167 -56
data/spec/unit/provider/package/apt_spec.rb +13 -2
data/spec/unit/provider/package/aptitude_spec.rb +1 -0
data/spec/unit/provider/package/dnfmodule_spec.rb +22 -0
data/spec/unit/provider/package/dpkg_spec.rb +28 -6
data/spec/unit/provider/package/openbsd_spec.rb +17 -0
data/spec/unit/provider/package/pkg_spec.rb +15 -1
data/spec/unit/provider/package/yum_spec.rb +50 -0
data/spec/unit/provider/user/directoryservice_spec.rb +41 -0
data/spec/unit/provider/user/useradd_spec.rb +13 -8
data/spec/unit/puppet_pal_2pec.rb +3 -0
data/spec/unit/puppet_pal_catalog_spec.rb +3 -0
data/spec/unit/puppet_spec.rb +14 -0
data/spec/unit/ssl/certificate_spec.rb +7 -0
data/spec/unit/transaction/persistence_spec.rb +1 -10
data/spec/unit/type/package_spec.rb +8 -0
data/spec/unit/type/user_spec.rb +0 -1
data/spec/unit/util/pidlock_spec.rb +38 -16
data/spec/unit/util/plist_spec.rb +20 -0
data/spec/unit/util/storage_spec.rb +1 -8
metadata +10 -4

data/spec/unit/network/http/connection_spec.rb CHANGED Viewed

@@ -159,12 +159,33 @@ describe Puppet::Network::HTTP::Connection do
     end
     it "should return a 503 response if Retry-After is not convertible to an Integer or RFC 2822 Date" do
-      stub_request(:get, url).to_return(status: [503, 'Service Unavailable'], headers: {'Retry-After' => 'foo'})
+      retry_after('foo')
       result = subject.get('/foo')
       expect(result.code).to eq("503")
     end
+    it "should close the connection before sleeping" do
+      retry_after('42')
+      http1 = Net::HTTP.new(host, port)
+      http1.use_ssl = true
+      allow(http1).to receive(:started?).and_return(true)
+      http2 = Net::HTTP.new(host, port)
+      http2.use_ssl = true
+      allow(http1).to receive(:started?).and_return(true)
+      # The "with_connection" method is required to yield started connections
+      pool = Puppet.lookup(:http_pool)
+      allow(pool).to receive(:with_connection).and_yield(http1).and_yield(http2)
+      expect(http1).to receive(:finish).ordered
+      expect(::Kernel).to receive(:sleep).with(42).ordered
+      subject.get('/foo')
+    end
     it "should sleep and retry if Retry-After is an Integer" do
       retry_after('42')
@@ -188,6 +209,7 @@ describe Puppet::Network::HTTP::Connection do
     it "should sleep for no more than the Puppet runinterval" do
       retry_after('60')
       Puppet[:runinterval] = 30
       expect(::Kernel).to receive(:sleep).with(30)

data/spec/unit/network/http/nocache_pool_spec.rb CHANGED Viewed

@@ -8,7 +8,7 @@ describe Puppet::Network::HTTP::NoCachePool do
   let(:verifier) { double('verifier', :setup_connection => nil) }
   it 'yields a started connection' do
-    http  = double('http', start: nil, finish: nil)
+    http  = double('http', start: nil, finish: nil, started?: true)
     factory = Puppet::Network::HTTP::Factory.new
     allow(factory).to receive(:create_connection).and_return(http)
@@ -20,8 +20,8 @@ describe Puppet::Network::HTTP::NoCachePool do
   end
   it 'yields a new connection each time' do
-    http1  = double('http1', start: nil, finish: nil)
-    http2  = double('http2', start: nil, finish: nil)
+    http1  = double('http1', start: nil, finish: nil, started?: true)
+    http2  = double('http2', start: nil, finish: nil, started?: true)
     factory = Puppet::Network::HTTP::Factory.new
     allow(factory).to receive(:create_connection).and_return(http1, http2)

data/spec/unit/network/http/pool_spec.rb CHANGED Viewed

@@ -63,6 +63,8 @@ describe Puppet::Network::HTTP::Pool do
     it 'returns the connection to the pool' do
       conn = create_connection(site)
+      expect(conn).to receive(:started?).and_return(true)
       pool = create_pool
       pool.release(site, verifier, conn)
@@ -140,6 +142,7 @@ describe Puppet::Network::HTTP::Pool do
       it 'releases HTTP connections' do
         conn = create_connection(site)
         expect(conn).to receive(:use_ssl?).and_return(false)
+        expect(conn).to receive(:started?).and_return(true)
         pool = create_pool_with_connections(site, conn)
         expect(pool).to receive(:release).with(site, verifier, conn)
@@ -151,6 +154,7 @@ describe Puppet::Network::HTTP::Pool do
         conn = create_connection(site)
         expect(conn).to receive(:use_ssl?).and_return(true)
         expect(conn).to receive(:verify_mode).and_return(OpenSSL::SSL::VERIFY_PEER)
+        expect(conn).to receive(:started?).and_return(true)
         pool = create_pool_with_connections(site, conn)
         expect(pool).to receive(:release).with(site, verifier, conn)
@@ -169,6 +173,19 @@ describe Puppet::Network::HTTP::Pool do
         pool.with_connection(site, verifier) {|c| }
       end
+      it "doesn't add a closed  connection back to the pool" do
+        http = Net::HTTP.new(site.addr)
+        http.use_ssl = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        http.start
+        pool = create_pool_with_connections(site, http)
+        pool.with_connection(site, verifier) {|c| c.finish}
+        expect(pool.pool[site]).to be_empty
+      end
     end
   end
@@ -258,6 +275,7 @@ describe Puppet::Network::HTTP::Pool do
     it 'finishes expired connections' do
       conn = create_connection(site)
+      allow(conn).to receive(:started?).and_return(true)
       expect(conn).to receive(:finish)
       pool = create_pool_with_expired_connections(site, conn)
@@ -271,6 +289,7 @@ describe Puppet::Network::HTTP::Pool do
       expect(Puppet).to receive(:log_exception).with(be_a(IOError), "Failed to close connection for #{site}: read timeout")
       conn = create_connection(site)
+      expect(conn).to receive(:started?).and_return(true)
       expect(conn).to receive(:finish).and_raise(IOError, 'read timeout')
       pool = create_pool_with_expired_connections(site, conn)
@@ -319,10 +338,23 @@ describe Puppet::Network::HTTP::Pool do
     it 'closes all cached connections' do
       conn = create_connection(site)
+      allow(conn).to receive(:started?).and_return(true)
       expect(conn).to receive(:finish)
       pool = create_pool_with_connections(site, conn)
       pool.close
     end
+    it 'allows a connection to be closed multiple times safely' do
+      http = Net::HTTP.new(site.addr)
+      http.use_ssl = true
+      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      http.start
+      pool = create_pool
+      expect(pool.close_connection(site, http)).to eq(true)
+      expect(pool.close_connection(site, http)).to eq(false)
+    end
   end
 end

data/spec/unit/node/facts_spec.rb CHANGED Viewed

@@ -88,7 +88,8 @@ describe Puppet::Node::Facts, "when indirecting" do
       @facts.sanitize
       fact_value = @facts.values['test']
       expect(fact_value).to eq(an_alien.to_s)
-      expect(fact_value.encoding).to eq(Encoding::UTF_8)
+      # JRuby 9.2.8 reports US-ASCII which is a subset of UTF-8
+      expect(fact_value.encoding).to eq(Encoding::UTF_8).or eq(Encoding::US_ASCII)
     end
   end

data/spec/unit/node_spec.rb CHANGED Viewed

@@ -417,7 +417,9 @@ end
 describe Puppet::Node, "when generating the list of names to search through" do
   before do
-    @node = Puppet::Node.new("foo.domain.com", :parameters => {"hostname" => "yay", "domain" => "domain.com"})
+    Puppet[:strict_hostname_checking] = false
+    @node = Puppet::Node.new("foo.domain.com",
+                             :parameters => {"hostname" => "yay", "domain" => "domain.com"})
   end
   it "returns an array of names" do
@@ -448,7 +450,6 @@ describe Puppet::Node, "when generating the list of names to search through" do
   describe "and :node_name is set to 'cert'" do
     before do
-      Puppet[:strict_hostname_checking] = false
       Puppet[:node_name] = "cert"
     end
@@ -457,8 +458,11 @@ describe Puppet::Node, "when generating the list of names to search through" do
     end
     describe "and strict hostname checking is enabled" do
-      it "only uses the passed-in key" do
+      before do
         Puppet[:strict_hostname_checking] = true
+      end
+      it "only uses the passed-in key" do
         expect(@node.names).to eq(["foo.domain.com"])
       end
     end
@@ -466,7 +470,6 @@ describe Puppet::Node, "when generating the list of names to search through" do
   describe "and :node_name is set to 'facter'" do
     before do
-      Puppet[:strict_hostname_checking] = false
       Puppet[:node_name] = "facter"
     end

data/spec/unit/pops/serialization/to_from_hr_spec.rb CHANGED Viewed

@@ -296,10 +296,15 @@ module Serialization
           expect(val2).to be_a(Types::PObjectTypeExtension)
           expect(val2).to eql(val)
         end
+        it 'with POjbectTypeExtension type being converted' do
+          val = { 'ObjectExtension' => type.create(34) }
+          expect(to_converter.convert(val))
+            .to eq({"ObjectExtension"=>{"__ptype"=>"MyType", "x"=>34}})
+        end
       end
     end
     it 'Array of rich data' do
       # Sensitive omitted because it doesn't respond to ==
       val = [

data/spec/unit/pops/validator/validator_spec.rb CHANGED Viewed

@@ -486,10 +486,15 @@ describe "validating 4x" do
         expect(acceptor).to have_issue(Puppet::Pops::Issues::EXPRESSION_NOT_SUPPORTED_WHEN_SCRIPTING)
       end
-      it 'produces an error for node expressions' do
+      it 'allows node expressions' do
         acceptor = validate(parse('apply("foo.example.com") { node default {} }'))
+        expect(acceptor.error_count).to eql(0)
+      end
+      it 'produces an error for node expressions nested in a block' do
+        acceptor = validate(parse('apply("foo.example.com") { if true { node default {} } }'))
         expect(acceptor.error_count).to eql(1)
-        expect(acceptor).to have_issue(Puppet::Pops::Issues::EXPRESSION_NOT_SUPPORTED_WHEN_SCRIPTING)
+        expect(acceptor).to have_issue(Puppet::Pops::Issues::NOT_TOP_LEVEL)
       end
       it 'produces an error for resource definitions' do

data/spec/unit/provider/aix_object_spec.rb CHANGED Viewed

@@ -418,15 +418,29 @@ bin:2
   end
   describe '#ia_module_args' do
-    it 'returns no arguments if the ia_load_module parameter is not specified' do
+    it 'returns no arguments if ia_load_module parameter or forcelocal parameter are not specified' do
       allow(provider.resource).to receive(:[]).with(:ia_load_module).and_return(nil)
+      allow(provider.resource).to receive(:[]).with(:forcelocal).and_return(nil)
       expect(provider.ia_module_args).to eql([])
     end
-    it 'returns the ia_load_module as a CLI argument' do
+    it 'returns the ia_load_module as a CLI argument when ia_load_module is specified' do
       allow(provider.resource).to receive(:[]).with(:ia_load_module).and_return('module')
+      allow(provider.resource).to receive(:[]).with(:forcelocal).and_return(nil)
       expect(provider.ia_module_args).to eql(['-R', 'module'])
     end
+    it 'returns "files" as a CLI argument when forcelocal is specified' do
+      allow(provider.resource).to receive(:[]).with(:ia_load_module).and_return(nil)
+      allow(provider.resource).to receive(:[]).with(:forcelocal).and_return(true)
+      expect(provider.ia_module_args).to eql(['-R', 'files'])
+    end
+    it 'raises argument error when both ia_load_module and forcelocal parameters are set' do
+      allow(provider.resource).to receive(:[]).with(:ia_load_module).and_return('files')
+      allow(provider.resource).to receive(:[]).with(:forcelocal).and_return(true)
+      expect { provider.ia_module_args }.to raise_error(ArgumentError, "Cannot have both 'forcelocal' and 'ia_load_module' at the same time!")
+    end
   end
   describe '#lscmd' do

data/spec/unit/provider/group/groupadd_spec.rb CHANGED Viewed

@@ -14,10 +14,11 @@ describe Puppet::Type.type(:group).provider(:groupadd) do
   let(:resource) { Puppet::Type.type(:group).new(:name => 'mygroup', :provider => provider) }
   let(:provider) { described_class.new(:name => 'mygroup') }
+  let(:members) { ['user2', 'user1', 'user3'] }
   describe "#create" do
     before do
-       allow(provider).to receive(:exists?).and_return(false)
+      allow(provider).to receive(:exists?).and_return(false)
     end
     it "should add -o when allowdupe is enabled and the group is being created" do
@@ -42,77 +43,127 @@ describe Puppet::Type.type(:group).provider(:groupadd) do
       end
     end
-    describe "on systems with the libuser and forcelocal=true" do
-      before do
-        described_class.has_feature(:libuser)
-        resource[:forcelocal] = :true
-      end
-      it "should use lgroupadd instead of groupadd" do
-        expect(provider).to receive(:execute).with(including('/usr/sbin/lgroupadd'), hash_including(:custom_environment => hash_including('LIBUSER_CONF')))
-        provider.create
-      end
+    describe "on systems with libuser" do
+      describe "with forcelocal=true" do
+        before do
+          described_class.has_feature(:manages_local_users_and_groups)
+          resource[:forcelocal] = :true
+        end
-      it "should NOT pass -o to lgroupadd" do
-        resource[:allowdupe] = :true
-        expect(provider).to receive(:execute).with(excluding('-o'), hash_including(:custom_environment => hash_including('LIBUSER_CONF')))
-        provider.create
+        it "should use lgroupadd instead of groupadd" do
+          expect(provider).to receive(:execute).with(including('/usr/sbin/lgroupadd'), hash_including(:custom_environment => hash_including('LIBUSER_CONF')))
+          provider.create
+        end
+        it "should NOT pass -o to lgroupadd" do
+          resource[:allowdupe] = :true
+          expect(provider).to receive(:execute).with(excluding('-o'), hash_including(:custom_environment => hash_including('LIBUSER_CONF')))
+          provider.create
+        end
+        it "should raise an exception for duplicate GID if allowdupe is not set and duplicate GIDs exist" do
+          resource[:gid] = 505
+          allow(provider).to receive(:findgroup).and_return(true)
+          expect { provider.create }.to raise_error(Puppet::Error, "GID 505 already exists, use allowdupe to force group creation")
+        end
       end
-      it "should raise an exception for duplicate GID if allowdupe is not set and duplicate GIDs exist" do
-        resource[:gid] = 505
-        allow(provider).to receive(:findgroup).and_return(true)
-        expect { provider.create }.to raise_error(Puppet::Error, "GID 505 already exists, use allowdupe to force group creation")
-     end
+      describe "with a list of members" do
+        before do
+          members.each { |m| allow(Etc).to receive(:getpwnam).with(m).and_return(true) }
+          described_class.has_feature(:manages_members)
+          resource[:forcelocal] = false
+          resource[:members] = members
+        end
+        it "should use lgroupmod to add the members" do
+          allow(provider).to receive(:execute).with(['/usr/sbin/groupadd', 'mygroup'], hash_including({:failonfail => true, :combine => true, :custom_environment => {}})).and_return(true)
+          expect(provider).to receive(:execute).with(['/usr/sbin/lgroupmod', '-M', members.join(','), 'mygroup'], hash_including(:custom_environment => hash_including('LIBUSER_CONF')))
+          provider.create
+        end
+      end
     end
   end
   describe "#modify" do
     before do
-       allow(provider).to receive(:exists?).and_return(true)
+      allow(provider).to receive(:exists?).and_return(true)
     end
-    describe "on systems with the libuser and forcelocal=false" do
-      before do
-        described_class.has_feature(:libuser)
-        resource[:forcelocal] = :false
-      end
+    describe "on systems with libuser" do
+      describe "with forcelocal=false" do
+        before do
+          described_class.has_feature(:manages_local_users_and_groups)
+          resource[:forcelocal] = :false
+        end
-      it "should use groupmod" do
-        expect(provider).to receive(:execute).with(['/usr/sbin/groupmod', '-g', 150, 'mygroup'], hash_including({:failonfail => true, :combine => true, :custom_environment => {}}))
-        provider.gid = 150
-      end
+        it "should use groupmod" do
+          expect(provider).to receive(:execute).with(['/usr/sbin/groupmod', '-g', 150, 'mygroup'], hash_including({:failonfail => true, :combine => true, :custom_environment => {}}))
+          provider.gid = 150
+        end
-      it "should pass -o to groupmod" do
-        resource[:allowdupe] = :true
-        expect(provider).to receive(:execute).with(['/usr/sbin/groupmod', '-g', 150, '-o', 'mygroup'], hash_including({:failonfail => true, :combine => true, :custom_environment => {}}))
-        provider.gid = 150
+        it "should pass -o to groupmod" do
+          resource[:allowdupe] = :true
+          expect(provider).to receive(:execute).with(['/usr/sbin/groupmod', '-g', 150, '-o', 'mygroup'], hash_including({:failonfail => true, :combine => true, :custom_environment => {}}))
+          provider.gid = 150
+        end
       end
-    end
-    describe "on systems with the libuser and forcelocal=true" do
-      before do
-        described_class.has_feature(:libuser)
-        resource[:forcelocal] = :true
-      end
+      describe "with forcelocal=true" do
+        before do
+          described_class.has_feature(:manages_local_users_and_groups)
+          resource[:forcelocal] = :true
+        end
-      it "should use lgroupmod instead of groupmod" do
-        expect(provider).to receive(:execute).with(['/usr/sbin/lgroupmod', '-g', 150, 'mygroup'], hash_including(:custom_environment => hash_including('LIBUSER_CONF')))
-        provider.gid = 150
-      end
+        it "should use lgroupmod instead of groupmod" do
+          expect(provider).to receive(:execute).with(['/usr/sbin/lgroupmod', '-g', 150, 'mygroup'], hash_including(:custom_environment => hash_including('LIBUSER_CONF')))
+          provider.gid = 150
+        end
+        it "should NOT pass -o to lgroupmod" do
+          resource[:allowdupe] = :true
+          expect(provider).to receive(:execute).with(['/usr/sbin/lgroupmod', '-g', 150, 'mygroup'], hash_including(:custom_environment => hash_including('LIBUSER_CONF')))
+          provider.gid = 150
+        end
-      it "should NOT pass -o to lgroupmod" do
-        resource[:allowdupe] = :true
-        expect(provider).to receive(:execute).with(['/usr/sbin/lgroupmod', '-g', 150, 'mygroup'], hash_including(:custom_environment => hash_including('LIBUSER_CONF')))
-        provider.gid = 150
+        it "should raise an exception for duplicate GID if allowdupe is not set and duplicate GIDs exist" do
+          resource[:gid] = 150
+          resource[:allowdupe] = :false
+          allow(provider).to receive(:findgroup).and_return(true)
+          expect { provider.gid = 150 }.to raise_error(Puppet::Error, "GID 150 already exists, use allowdupe to force group creation")
+        end
       end
-      it "should raise an exception for duplicate GID if allowdupe is not set and duplicate GIDs exist" do
-        resource[:gid] = 150
-        resource[:allowdupe] = :false
-        allow(provider).to receive(:findgroup).and_return(true)
-        expect { provider.gid = 150 }.to raise_error(Puppet::Error, "GID 150 already exists, use allowdupe to force group creation")
-     end
+      describe "with members=something" do
+        before do
+          described_class.has_feature(:manages_members)
+          allow(Etc).to receive(:getpwnam).and_return(true)
+          resource[:members] = members
+        end
+        describe "with auth_membership on" do
+          before { resource[:auth_membership] = true }
+          it "should purge existing users before adding" do
+            allow(provider).to receive(:members).and_return(members)
+            expect(provider).to receive(:localmodify).with('-m', members.join(','), 'mygroup')
+            provider.modifycmd(:members, ['user1'])
+          end
+        end
+        describe "with auth_membership off" do
+          before { resource[:auth_membership] = false }
+          it "should add to the existing users" do
+            new_members = ['user1', 'user2', 'user3', 'user4']
+            allow(provider).to receive(:members).and_return(members)
+            expect(provider).not_to receive(:localmodify).with('-m', members.join(','), 'mygroup')
+            expect(provider).to receive(:execute).with(['/usr/sbin/lgroupmod', '-M', new_members.join(','), 'mygroup'], kind_of(Hash))
+            provider.members = new_members
+          end
+        end
+      end
     end
   end
@@ -124,6 +175,35 @@ describe Puppet::Type.type(:group).provider(:groupadd) do
     end
   end
+  describe "#findgroup" do
+    before { allow(File).to receive(:read).with('/etc/group').and_return(content) }
+    let(:content) { "sample_group_name:sample_password:sample_gid:sample_user_list" }
+    let(:output) do
+      {
+        group_name: 'sample_group_name',
+        password: 'sample_password',
+        gid: 'sample_gid',
+        user_list: 'sample_user_list',
+      }
+    end
+    [:group_name, :password, :gid, :user_list].each do |key|
+      it "finds a group by #{key} when asked" do
+        expect(provider.send(:findgroup, key, "sample_#{key}")).to eq(output)
+      end
+    end
+    it "returns false when specified key/value pair is not found" do
+      expect(provider.send(:findgroup, :group_name, 'invalid_group_name')).to eq(false)
+    end
+    it "reads the group file only once per resource" do
+      expect(File).to receive(:read).with('/etc/group').once
+      5.times { provider.send(:findgroup, :group_name, 'sample_group_name') }
+    end
+  end
   describe "#delete" do
     before do
       allow(provider).to receive(:exists?).and_return(true)
@@ -131,7 +211,7 @@ describe Puppet::Type.type(:group).provider(:groupadd) do
     describe "on systems with the libuser and forcelocal=false" do
       before do
-        described_class.has_feature(:libuser)
+        described_class.has_feature(:manages_local_users_and_groups)
         resource[:forcelocal] = :false
       end
@@ -143,7 +223,7 @@ describe Puppet::Type.type(:group).provider(:groupadd) do
     describe "on systems with the libuser and forcelocal=true" do
       before do
-        described_class.has_feature(:libuser)
+        described_class.has_feature(:manages_local_users_and_groups)
         resource[:forcelocal] = :true
       end
@@ -153,4 +233,35 @@ describe Puppet::Type.type(:group).provider(:groupadd) do
       end
     end
   end
+  describe "group type :members property helpers" do
+    describe "#member_valid?" do
+      it "should return true if a member exists" do
+        passwd = Struct::Passwd.new('existinguser', nil, 1100)
+        allow(Etc).to receive(:getpwnam).with('existinguser').and_return(passwd)
+        expect(provider.member_valid?('existinguser')).to eq(true)
+      end
+    end
+    describe "#members_to_s" do
+      it "should return an empty string on non-array input" do
+        [Object.new, {}, 1, :symbol, ''].each do |input|
+          expect(provider.members_to_s(input)).to be_empty
+        end
+      end
+      it "should return an empty string on empty or nil users" do
+        expect(provider.members_to_s([])).to be_empty
+        expect(provider.members_to_s(nil)).to be_empty
+      end
+      it "should return a user string for a single user" do
+        expect(provider.members_to_s(['user1'])).to eq('user1')
+      end
+      it "should return a user string for multiple users" do
+        expect(provider.members_to_s(['user1', 'user2'])).to eq('user1,user2')
+      end
+    end
+  end
 end