puppet 6.12.0 → 6.13.0

data/lib/puppet/provider/package/apt.rb

@@ -75,7 +75,12 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
     cmd += install_options if @resource[:install_options]
     cmd << :install << str
 
-    aptget(*cmd)
+    self.unhold if self.properties[:mark] == :hold
+    begin
+      aptget(*cmd)
+    ensure
+      self.hold if @resource[:mark] == :hold
+    end
   end
 
   # What's the latest package version available?
@@ -106,12 +111,18 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
 
   def uninstall
     self.run_preseed if @resource[:responsefile]
-    aptget "-y", "-q", :remove, @resource[:name]
+    args = ['-y', '-q']
+    args << '--allow-change-held-packages' if self.properties[:mark] == :hold
+    args << :remove << @resource[:name]
+    aptget(*args)
   end
 
   def purge
     self.run_preseed if @resource[:responsefile]
-    aptget '-y', '-q', :remove, '--purge', @resource[:name]
+    args = ['-y', '-q']
+    args << '--allow-change-held-packages' if self.properties[:mark] == :hold
+    args << :remove << '--purge' << @resource[:name]
+    aptget(*args)
     # workaround a "bug" in apt, that already removed packages are not purged
     super
   end

data/lib/puppet/provider/package/dnfmodule.rb

@@ -12,7 +12,7 @@ require 'puppet/provider/package'
 
 Puppet::Type.type(:package).provide :dnfmodule, :parent => :dnf do
 
-  has_feature :installable, :uninstallable, :versionable
+  has_feature :installable, :uninstallable, :versionable, :supports_flavors
   #has_feature :upgradeable
   # it's not (yet) feasible to make this upgradeable since module streams don't
   # always have matching version types (i.e. idm has streams DL1 and client,
@@ -83,5 +83,12 @@ Puppet::Type.type(:package).provide :dnfmodule, :parent => :dnf do
     execute([command(:dnf), 'module', 'remove', '-d', '0', '-e', self.class.error_level, '-y', @resource[:name]])
     reset  # reset module to the default stream
   end
-end
 
+  def flavor
+    @property_hash[:flavor]
+  end
+
+  def flavor=(value)
+    install if flavor != @resource.should(:flavor)
+  end
+end

data/lib/puppet/provider/package/dpkg.rb

@@ -45,8 +45,8 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
   # eventually become this Puppet::Type::Package::ProviderDpkg class.
   self::DPKG_QUERY_FORMAT_STRING = %Q{'${Status} ${Package} ${Version}\\n'}
   self::DPKG_QUERY_PROVIDES_FORMAT_STRING = %Q{'${Status} ${Package} ${Version} [${Provides}]\\n'}
-  self::FIELDS_REGEX = %r{^(\S+) +(\S+) +(\S+) (\S+) (\S*)$}
-  self::FIELDS_REGEX_WITH_PROVIDES = %r{^(\S+) +(\S+) +(\S+) (\S+) (\S*) \[.*\]$}
+  self::FIELDS_REGEX = %r{^'?(\S+) +(\S+) +(\S+) (\S+) (\S*)$}
+  self::FIELDS_REGEX_WITH_PROVIDES = %r{^'?(\S+) +(\S+) +(\S+) (\S+) (\S*) \[.*\]$}
   self::FIELDS= [:desired, :error, :status, :name, :ensure]
 
   def self.defaultto_allow_virtual
@@ -74,7 +74,7 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
       elsif ['config-files', 'half-installed', 'unpacked', 'half-configured'].include?(hash[:status])
         hash[:ensure] = :absent
       end
-      hash[:ensure] = :held if hash[:desired] == 'hold'
+      hash[:mark] = :hold if hash[:desired] == 'hold'
     else
       Puppet.debug("Failed to match dpkg-query line #{line.inspect}")
     end
@@ -91,8 +91,6 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
     end
     args = []
 
-    # We always unhold when installing to remove any prior hold.
-    self.unhold
 
     if @resource[:configfiles] == :keep
       args << '--force-confold'
@@ -101,7 +99,12 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
     end
     args << '-i' << file
 
-    dpkg(*args)
+    self.unhold if self.properties[:mark] == :hold
+    begin
+      dpkg(*args)
+    ensure
+      self.hold if @resource[:mark] == :hold
+    end
   end
 
   def update
@@ -170,10 +173,14 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
     dpkg "--purge", @resource[:name]
   end
 
-  def hold
+  def deprecated_hold
     if package_not_installed?
       self.install
     end
+    hold
+  end
+
+  def hold
     Tempfile.open('puppet_dpkg_set_selection') do |tmpfile|
       tmpfile.write("#{@resource[:name]} hold\n")
       tmpfile.flush

data/lib/puppet/provider/package/fink.rb

@@ -37,7 +37,12 @@ Puppet::Type.type(:package).provide :fink, :parent => :dpkg, :source => :dpkg do
 
     cmd << :install << str
 
-    finkcmd(cmd)
+    self.unhold if self.properties[:mark] == :hold
+    begin
+      finkcmd(cmd)
+    ensure
+      self.hold if @resource[:mark] == :hold
+    end
   end
 
   # What's the latest package version available?
@@ -71,10 +76,22 @@ Puppet::Type.type(:package).provide :fink, :parent => :dpkg, :source => :dpkg do
   end
 
   def uninstall
-    finkcmd "-y", "-q", :remove, @model[:name]
+    self.unhold if self.properties[:mark] == :hold
+    begin
+      finkcmd "-y", "-q", :remove, @model[:name]
+    rescue StandardError, LoadError => e
+      self.hold if self.properties[:mark] == :hold
+      raise e
+    end
   end
 
   def purge
-    aptget '-y', '-q', 'remove', '--purge', @resource[:name]
+    self.unhold if self.properties[:mark] == :hold
+    begin
+      aptget '-y', '-q', 'remove', '--purge', @resource[:name]
+    rescue StandardError, LoadError => e
+      self.hold if self.properties[:mark] == :hold
+      raise e
+    end
   end
 end

data/lib/puppet/provider/package/openbsd.rb

@@ -20,6 +20,7 @@ Puppet::Type.type(:package).provide :openbsd, :parent => Puppet::Provider::Packa
   has_feature :install_options
   has_feature :uninstall_options
   has_feature :upgradeable
+  has_feature :supports_flavors
 
   def self.instances
     packages = []
@@ -27,7 +28,7 @@ Puppet::Type.type(:package).provide :openbsd, :parent => Puppet::Provider::Packa
     begin
       execpipe(listcmd) do |process|
         # our regex for matching pkg_info output
-        regex = /^(.*)-(\d[^-]*)[-]?(\w*)(.*)$/
+        regex = /^(.*)-(\d[^-]*)[-]?([\w-]*)(.*)$/
         fields = [:name, :ensure, :flavor ]
         hash = {}
 
@@ -245,4 +246,15 @@ Puppet::Type.type(:package).provide :openbsd, :parent => Puppet::Provider::Packa
   def purge
     pkgdelete "-c", "-q", @resource[:name]
   end
+
+  def flavor
+    @property_hash[:flavor]
+  end
+
+  def flavor=(value)
+    if flavor != @resource.should(:flavor)
+      uninstall
+      install
+    end
+  end
 end

data/lib/puppet/provider/package/pkg.rb

@@ -56,7 +56,7 @@ Puppet::Type.type(:package).provide :pkg, :parent => Puppet::Provider::Package d
     ).merge(
       case flags[1..1]
       when 'f'
-        {:ensure => 'held'}
+        {:mark => :hold}
       when '-'
         {}
       else
@@ -114,6 +114,10 @@ Puppet::Type.type(:package).provide :pkg, :parent => Puppet::Provider::Package d
     end).merge({:provider => self.name})
   end
 
+  def deprecated_hold
+    hold
+  end
+
   def hold
     pkg(:freeze, @resource[:name])
   end
@@ -214,8 +218,6 @@ Puppet::Type.type(:package).provide :pkg, :parent => Puppet::Provider::Package d
   def install(nofail = false)
     name = @resource[:name]
     should = @resource[:ensure]
-    # always unhold if explicitly told to install/update
-    self.unhold
     is = self.query
     if is[:ensure].to_sym == :absent
       command = 'install'
@@ -230,7 +232,12 @@ Puppet::Type.type(:package).provide :pkg, :parent => Puppet::Provider::Package d
     unless should.is_a? Symbol
       name += "@#{should}"
     end
-    r = exec_cmd(command(:pkg), command, *args, name)
+    self.unhold if self.properties[:mark] == :hold
+    begin
+      r = exec_cmd(command(:pkg), command, *args, name)
+    ensure
+      self.hold if @resource[:mark] == :hold
+    end
     return r if nofail
     raise Puppet::Error, _("Unable to update %{package}") % { package: r[:out] } if r[:exit] != 0
   end
@@ -244,7 +251,13 @@ Puppet::Type.type(:package).provide :pkg, :parent => Puppet::Provider::Package d
       cmd << '-r'
     end
     cmd << @resource[:name]
-    pkg cmd
+    self.unhold if self.properties[:mark] == :hold
+    begin
+      pkg cmd
+    rescue StandardError, LoadError => e
+      self.hold if self.properties[:mark] == :hold
+      raise e
+    end
   end
 
   # update the package to the latest version available

data/lib/puppet/provider/package/yum.rb

@@ -286,12 +286,16 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
   # @param key [String] The key to look for in all contained hashes
   # @return [Array<String>] All hash values with the given key.
   def scan_options(options, key)
-    return [] if options.nil?
-    options.inject([]) do |repos, opt|
-      if opt.is_a? Hash and opt[key]
-        repos << opt[key]
+    return [] unless options.is_a?(Enumerable)
+    values = options.map do | repo |
+      value = if repo.is_a?(String)
+        next unless repo.include?('=')
+        Hash[*repo.strip.split('=')] # make it a hash
+      else
+        repo
       end
-      repos
+      value[key]
     end
+    values.compact.uniq
   end
 end

data/lib/puppet/provider/user/aix.rb

@@ -32,6 +32,7 @@ Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
   has_features :manages_aix_lam
   has_features :manages_homedir, :manages_passwords, :manages_shell
   has_features :manages_expiry,  :manages_password_age
+  has_features :manages_local_users_and_groups
 
   class << self
     def group_provider

data/lib/puppet/provider/user/directoryservice.rb

@@ -387,7 +387,7 @@ Puppet::Type.type(:user).provide :directoryservice do
     if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.7') > 0)
       assert_full_pbkdf2_password
 
-      sleep 2
+      sleep 3
       flush_dscl_cache
       users_plist = get_users_plist(@resource.name)
       shadow_hash_data = get_shadow_hash_data(users_plist)
@@ -404,7 +404,7 @@ Puppet::Type.type(:user).provide :directoryservice do
     if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.7') > 0)
       assert_full_pbkdf2_password
 
-      sleep 2
+      sleep 3
       flush_dscl_cache
       users_plist = get_users_plist(@resource.name)
       shadow_hash_data = get_shadow_hash_data(users_plist)
@@ -435,8 +435,8 @@ Puppet::Type.type(:user).provide :directoryservice do
   ['home', 'uid', 'gid', 'comment', 'shell'].each do |setter_method|
     define_method("#{setter_method}=") do |value|
       if @property_hash[setter_method.intern]
-        if self.class.get_os_version == '10.14' && %w(home uid).include?(setter_method)
-          raise Puppet::Error, "OS X version 10\.14 does not allow changing #{setter_method} using puppet"
+        if self.class.get_os_version.split('.').last.to_i >= 14 && %w(home uid).include?(setter_method)
+          raise Puppet::Error, "OS X version #{self.class.get_os_version} does not allow changing #{setter_method} using puppet"
         end
         begin
           dscl '.', '-change', "/Users/#{resource.name}", self.class.ns_to_ds_attribute_map[setter_method.intern], @property_hash[setter_method.intern], value
@@ -572,7 +572,32 @@ Puppet::Type.type(:user).provide :directoryservice do
     else
       users_plist['ShadowHashData'] = [binary_plist]
     end
-    write_users_plist_to_disk(users_plist)
+    if Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.15') < 0
+      write_users_plist_to_disk(users_plist)
+    else
+      write_and_import_shadow_hash_data(users_plist['ShadowHashData'].first)
+    end
+  end
+
+  # This method writes the ShadowHashData plist in a temporary file,
+  # then imports it using dsimport. macOS versions 10.15 and newer do
+  # not support directly managing binary plists, so we have to use an
+  # intermediary.
+  # dsimport is an archaic utilitary with hard-to-find documentation
+  #
+  # See http://web.archive.org/web/20090106120111/http://support.apple.com/kb/TA21305?viewlocale=en_US
+  # for information regarding the dsimport syntax
+  def write_and_import_shadow_hash_data(data_plist)
+    Tempfile.create("dsimport_#{@resource.name}", :encoding => Encoding::ASCII) do |dsimport_file|
+      dsimport_file.write <<-DSIMPORT
+0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 2 dsAttrTypeStandard:RecordName base64:dsAttrTypeNative:ShadowHashData
+#{@resource.name}:#{Base64.strict_encode64(data_plist)}
+      DSIMPORT
+      dsimport_file.flush
+      # Delete the user's existing ShadowHashData, since dsimport appends, not replaces
+      dscl('.', 'delete', "/Users/#{@resource.name}", 'ShadowHashData')
+      dsimport(dsimport_file.path, '/Local/Default', 'M')
+    end
   end
 
   # This method accepts an argument of a hex password hash, and base64

data/lib/puppet/provider/user/useradd.rb

@@ -43,7 +43,7 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     }
 
   optional_commands :localadd => "luseradd", :localdelete => "luserdel", :localmodify => "lusermod", :localpassword => "lchage"
-  has_feature :libuser if Puppet.features.libuser?
+  has_feature :manages_local_users_and_groups if Puppet.features.libuser?
 
   def exists?
     return !!localuid if @resource.forcelocal?
@@ -64,12 +64,11 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     passwd_file = "/etc/passwd"
     passwd_keys = [:account, :password, :uid, :gid, :gecos, :directory, :shell]
     index = passwd_keys.index(key)
-    File.open(passwd_file) do |f|
-      f.each_line do |line|
-        user = line.split(":")
-        if user[index] == value
-          return Hash[passwd_keys.zip(user)]
-        end
+    @passwd_content ||= File.read(passwd_file)
+    @passwd_content.each_line do |line|
+      user = line.split(":")
+      if user[index] == value
+        return Hash[passwd_keys.zip(user)]
       end
     end
     false

data/lib/puppet/reports/store.rb

@@ -32,7 +32,7 @@ Puppet::Reports.register_report(:store) do
     file = File.join(dir, name)
 
     begin
-      Puppet::Util.replace_file(file, 0640) do |fh|
+      Puppet::FileSystem.replace_file(file, 0640) do |fh|
         fh.print to_yaml
       end
     rescue => detail

data/lib/puppet/settings.rb

@@ -1239,6 +1239,8 @@ Generated on #{Time.now}.
     configured_environment = self[:environment]
     if configured_environment == "production" && envdir && Puppet::FileSystem.exist?(envdir)
       configured_environment_path = File.join(envdir, configured_environment)
+      # If configured_environment_path is a symlink, assume the source path is being managed
+      # elsewhere, so don't do any of this configuration
       if !Puppet::FileSystem.symlink?(configured_environment_path)
         parameters = { :ensure => 'directory' }
         unless Puppet::FileSystem.exist?(configured_environment_path)

data/lib/puppet/ssl/certificate.rb

@@ -56,7 +56,8 @@ DOC
   def custom_extensions
     custom_exts = content.extensions.select do |ext|
       Puppet::SSL::Oids.subtree_of?('ppRegCertExt', ext.oid) or
-        Puppet::SSL::Oids.subtree_of?('ppPrivCertExt', ext.oid)
+        Puppet::SSL::Oids.subtree_of?('ppPrivCertExt', ext.oid) or
+        Puppet::SSL::Oids.subtree_of?('ppAuthCertExt', ext.oid)
     end
 
     custom_exts.map do |ext|

data/lib/puppet/test/test_helper.rb

@@ -147,6 +147,10 @@ module Puppet::Test
       Puppet::SSL::Host.reset
       Puppet::Rest::Routes.clear
 
+      Puppet::Node::Facts.indirection.terminus_class = :memory
+      facts = Puppet::Node::Facts.new(Puppet[:node_name_value])
+      Puppet::Node::Facts.indirection.save(facts)
+
       Puppet.clear_deprecation_warnings
     end
 

data/lib/puppet/transaction/resource_harness.rb

@@ -101,7 +101,7 @@ class Puppet::Transaction::ResourceHarness
   # We persist the last known values for the properties of a resource after resource
   # application.
   # @param [Puppet::Type] resource resource whose values we are to persist.
-  # @param [ResourceApplicationContent] context the application context to operate on.
+  # @param [ResourceApplicationContext] context the application context to operate on.
   def persist_system_values(resource, context)
     param_to_event = {}
     context.status.events.each do |ev|

data/lib/puppet/type/group.rb

@@ -22,7 +22,7 @@ module Puppet
     feature :system_groups,
       "The provider allows you to create system groups with lower GIDs."
 
-    feature :libuser,
+    feature :manages_local_users_and_groups,
       "Allows local groups to be managed on systems that also use some other
        remote Name Switch Service (NSS) method of managing accounts."
 
@@ -214,7 +214,7 @@ module Puppet
     end
 
     newparam(:forcelocal, :boolean => true,
-             :required_features => :libuser,
+             :required_features => :manages_local_users_and_groups,
              :parent => Puppet::Parameter::Boolean) do
       desc "Forces the management of local accounts when accounts are also
             being managed by some other Name Switch Service (NSS). For AIX, refer to the `ia_load_module` parameter.

data/lib/puppet/type/package.rb

@@ -54,14 +54,14 @@ module Puppet
     feature :holdable, "The provider is capable of placing packages on hold
         such that they are not automatically upgraded as a result of
         other package dependencies unless explicit action is taken by
-        a user or another package. Held is considered a superset of
-        installed.",
-      :methods => [:hold]
+        a user or another package.",
+      :methods => [:hold, :unhold]
     feature :install_only, "The provider accepts options to only install packages never update (kernels, etc.)"
     feature :install_options, "The provider accepts options to be
       passed to the installer command."
     feature :uninstall_options, "The provider accepts options to be
       passed to the uninstaller command."
+    feature :supports_flavors, "The provider accepts flavors, which are specific variants of packages."
     feature :package_settings, "The provider accepts package_settings to be
       ensured for the given package. The meaning and format of these settings is
       provider-specific.",
@@ -101,7 +101,7 @@ module Puppet
       end
 
       newvalue(:held, :event => :package_held, :required_features => :holdable) do
-        provider.hold
+        provider.deprecated_hold
       end
 
       # Alias the 'present' value.
@@ -405,6 +405,11 @@ module Puppet
       end
     end
 
+    newproperty(:flavor, :required_features => :supports_flavors) do
+      desc "OpenBSD and DNF modules support 'flavors', which are
+        further specifications for which type of package you want."
+    end
+
     newparam(:source) do
       desc "Where to find the package file. This is only used by providers that don't
         automatically download packages from a central repository. (For example:
@@ -484,11 +489,6 @@ module Puppet
       newvalues(:true, :false)
     end
 
-    newparam(:flavor) do
-      desc "OpenBSD and DNF modules support 'flavors', which are
-        further specifications for which type of package you want."
-    end
-
     newparam(:install_only, :boolean => false, :parent => Puppet::Parameter::Boolean, :required_features => :install_only) do
       desc <<-EOT
         It should be set for packages that should only ever be installed,
@@ -625,5 +625,59 @@ module Puppet
         provider.reinstall
       end
     end
+
+    newproperty(:mark, :required_features => :holdable) do
+      mark_doc='Valid values are: hold/none'
+      desc <<-EOT
+        Set to hold to tell Debian apt/Solaris pkg to hold the package version
+
+        #{mark_doc}
+        Default is "none". Mark can be specified with or without `ensure`,
+        if `ensure` is missing will default to "present".
+
+        Mark cannot be specified together with "purged", "absent" or "held"
+        values for `ensure`.
+      EOT
+      newvalues(:hold, :none)
+      munge do |value|
+        case value
+        when "hold", :hold
+          :hold
+        when "none", :none
+          :none
+        else
+          raise ArgumentError, _('Invalid hold value %{value}. %{doc}') % { value: value.inspect, doc: mark_doc}
+        end
+      end
+
+      def insync?(is)
+        @should[0] == is
+      end
+
+      def should
+        @should[0] if @should && @should.is_a?(Array) && @should.size == 1
+      end
+
+      def retrieve
+        provider.properties[:mark]
+      end
+
+      def sync
+        if @should[0] == :hold
+          provider.hold
+        else
+          provider.unhold
+        end
+      end
+    end
+
+    validate do
+      if :held == @parameters[:ensure].should
+        warning '"ensure=>held" has been deprecated and will be removed in a future version, use "mark=hold" instead'
+      end
+      if @parameters[:mark] && [:absent, :purged, :held].include?(@parameters[:ensure].should)
+        raise ArgumentError, _('You cannot use "mark" property while "ensure" is one of ["absent", "purged", "held"]')
+      end
+    end
   end
 end