puppet 6.14.0 → 6.15.0

data/lib/puppet/provider/service/systemd.rb

@@ -30,7 +30,8 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   def self.instances
     i = []
     output = systemctl('list-unit-files', '--type', 'service', '--full', '--all',  '--no-pager')
-    output.scan(/^(\S+)\s+(disabled|enabled|masked|indirect)\s*$/i).each do |m|
+    output.scan(/^(\S+)\s+(disabled|enabled|masked|indirect|bad)\s*$/i).each do |m|
+      Puppet.debug("#{m[0]} marked as bad by `systemctl`. It is recommended to be further checked.") if m[1] == "bad"
       i << new(:name => m[0])
     end
     return i

data/lib/puppet/reports/http.rb

@@ -20,19 +20,21 @@ Puppet::Reports.register_report(:http) do
     # (Puppet::Network::HTTP) but is used by Puppet Server's http client
     # (Puppet::Server::HttpClient) to track metrics on the request made to the
     # `reporturl` to store a report.
-    options = { :metric_id => [:puppet, :report, :http] }
+    options = {
+      :metric_id => [:puppet, :report, :http],
+      :include_system_store => Puppet[:report_include_system_store],
+    }
+
     if url.user && url.password
-      options[:basic_auth] = {
-        :user => url.user,
-        :password => url.password
-      }
+      options[:user] = url.user
+      options[:password] = url.password
     end
-    use_ssl = url.scheme == 'https'
-    ssl_context = use_ssl ? Puppet.lookup(:ssl_context) : nil
-    conn = Puppet::Network::HttpPool.connection(url.host, url.port, use_ssl: use_ssl, ssl_context: ssl_context)
-    response = conn.post(url.path, self.to_yaml, headers, options)
-    unless response.kind_of?(Net::HTTPSuccess)
-      Puppet.err _("Unable to submit report to %{url} [%{code}] %{message}") % { url: Puppet[:reporturl].to_s, code: response.code, message: response.msg }
+
+    client = Puppet.runtime['http']
+    client.post(url, self.to_yaml, headers: headers, options: options) do |response|
+      unless response.success?
+        Puppet.err _("Unable to submit report to %{url} [%{code}] %{message}") % { url: Puppet[:reporturl].to_s, code: response.code, message: response.reason }
+      end
     end
   end
 end

data/lib/puppet/resource/type_collection.rb

@@ -1,6 +1,7 @@
 require 'puppet/parser/type_loader'
 require 'puppet/util/file_watcher'
 require 'puppet/util/warnings'
+require 'puppet/concurrent/lock'
 
 # @api private
 class Puppet::Resource::TypeCollection
@@ -28,6 +29,7 @@ class Puppet::Resource::TypeCollection
     @nodes = {}
     @notfound = {}
     @sites = []
+    @lock = Puppet::Concurrent::Lock.new
 
     # So we can keep a list and match the first-defined regex
     @node_list = []
@@ -225,25 +227,27 @@ class Puppet::Resource::TypeCollection
   # Resolve namespaces and find the given object.  Autoload it if
   # necessary.
   def find_or_load(name, type)
-    # Name is always absolute, but may start with :: which must be removed
-    fqname = (name[0,2] == COLON_COLON ? name[2..-1] : name)
-
-    result = send(type, fqname)
-    unless result
-      if @notfound[ fqname ] && Puppet[ :ignoremissingtypes ]
-        # do not try to autoload if we already tried and it wasn't conclusive
-        # as this is a time consuming operation. Warn the user.
-        # Check first if debugging is on since the call to debug_once is expensive
-        if Puppet[:debug]
-          debug_once _("Not attempting to load %{type} %{fqname} as this object was missing during a prior compilation") % { type: type, fqname: fqname }
+    @lock.synchronize do
+      # Name is always absolute, but may start with :: which must be removed
+      fqname = (name[0,2] == COLON_COLON ? name[2..-1] : name)
+
+      result = send(type, fqname)
+      unless result
+        if @notfound[ fqname ] && Puppet[ :ignoremissingtypes ]
+          # do not try to autoload if we already tried and it wasn't conclusive
+          # as this is a time consuming operation. Warn the user.
+          # Check first if debugging is on since the call to debug_once is expensive
+          if Puppet[:debug]
+            debug_once _("Not attempting to load %{type} %{fqname} as this object was missing during a prior compilation") % { type: type, fqname: fqname }
+          end
+        else
+          fqname = munge_name(fqname)
+          result = loader.try_load_fqname(type, fqname)
+          @notfound[ fqname ] = result.nil?
         end
-      else
-        fqname = munge_name(fqname)
-        result = loader.try_load_fqname(type, fqname)
-        @notfound[ fqname ] = result.nil?
       end
+      result
     end
-    result
   end
 
   def munge_name(name)

data/lib/puppet/ssl.rb

@@ -2,6 +2,7 @@
 require 'puppet'
 require 'puppet/ssl/openssl_loader'
 
+# @api private
 module Puppet::SSL # :nodoc:
   CA_NAME = "ca".freeze
   require 'puppet/ssl/host'

data/lib/puppet/ssl/host.rb

@@ -22,9 +22,9 @@ class Puppet::SSL::Host
 
   attr_writer :key, :certificate, :certificate_request, :crl_usage
 
-  def self.localhost
+  def self.localhost(suppress_warning = false)
     return @localhost if @localhost
-    @localhost = new
+    @localhost = new(nil, false, suppress_warning)
     @localhost.generate unless @localhost.certificate
     @localhost.key
     @localhost
@@ -225,14 +225,14 @@ ERROR_STRING
   end
   private :validate_csr_with_key
 
-  def initialize(name = nil, device = false)
+  def initialize(name = nil, device = false, suppress_warning = false)
     @name = (name || Puppet[:certname]).downcase
     @device = device
     Puppet::SSL::Base.validate_certname(@name)
     @key = @certificate = @certificate_request = nil
     @crl_usage = Puppet.settings[:certificate_revocation]
     @crl_path = Puppet.settings[:hostcrl]
-    Puppet.deprecation_warning(_("Puppet::SSL::Host is deprecated and will be removed in a future release of Puppet."));
+    Puppet.deprecation_warning(_("Puppet::SSL::Host is deprecated and will be removed in a future release of Puppet.")) unless suppress_warning
   end
 
   # Extract the public key from the private key.

data/lib/puppet/ssl/oids.rb

@@ -61,6 +61,7 @@ module Puppet::SSL::Oids
     ["1.3.6.1.4.1.34380.1.1.23", 'pp_cloudplatform', 'Puppet Node Cloud Platform Name'],
     ["1.3.6.1.4.1.34380.1.1.24", 'pp_apptier', 'Puppet Node Application Tier'],
     ["1.3.6.1.4.1.34380.1.1.25", 'pp_hostname', 'Puppet Node Hostname'],
+    ["1.3.6.1.4.1.34380.1.1.26", 'pp_owner', 'Puppet Node Owner'],
 
     ["1.3.6.1.4.1.34380.1.2", 'ppPrivCertExt', 'Puppet Private Certificate Extension'],
 

data/lib/puppet/ssl/state_machine.rb

@@ -45,7 +45,7 @@ class Puppet::SSL::StateMachine
         next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
       else
         route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
-        pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
+        _, pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
         if @machine.ca_fingerprint
           actual_digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
           expected_digest = @machine.ca_fingerprint.scan(/../).join(':').upcase
@@ -146,7 +146,7 @@ class Puppet::SSL::StateMachine
 
     def download_crl(ssl_ctx, last_update)
       route = @machine.session.route_to(:ca, ssl_context: ssl_ctx)
-      pem = route.get_certificate_revocation_list(if_modified_since: last_update, ssl_context: ssl_ctx)
+      _, pem = route.get_certificate_revocation_list(if_modified_since: last_update, ssl_context: ssl_ctx)
       crls = @cert_provider.load_crls_from_pem(pem)
       # verify crls before saving
       next_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls)
@@ -234,7 +234,7 @@ class Puppet::SSL::StateMachine
 
       route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
       cert = OpenSSL::X509::Certificate.new(
-        route.get_certificate(Puppet[:certname], ssl_context: @ssl_context)
+        route.get_certificate(Puppet[:certname], ssl_context: @ssl_context)[1]
       )
       Puppet.info _("Downloaded certificate for %{name} from %{url}") % { name: Puppet[:certname], url: route.url }
       # verify client cert before saving
@@ -280,18 +280,37 @@ class Puppet::SSL::StateMachine
 
         # close persistent connections and session state before sleeping
         Puppet.runtime['http'].close
-        @machine.session = nil
+        @machine.session = Puppet.runtime['http'].create_session
 
+        @machine.unlock
         Kernel.sleep(time)
+        NeedLock.new(@machine)
+      end
+    end
+  end
 
+  # Acquire the ssl lock or return LockFailure causing us to exit.
+  #
+  class NeedLock < SSLState
+    def initialize(machine)
+      super(machine, nil)
+    end
+
+    def next_state
+      if @machine.lock
         # our ssl directory may have been cleaned while we were
         # sleeping, start over from the top
-        @machine.session = Puppet.runtime['http'].create_session
         NeedCACerts.new(@machine)
+      else
+        LockFailure.new(@machine, nil)
       end
     end
   end
 
+  # We failed to acquire the lock, so exit
+  #
+  class LockFailure < SSLState; end
+
   # We cannot make progress due to an error.
   #
   class Error < SSLState
@@ -362,7 +381,7 @@ class Puppet::SSL::StateMachine
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
   # @raise [Puppet::Error] If we fail to generate an SSLContext
   def ensure_ca_certificates
-    final_state = run_machine(NeedCACerts.new(self), NeedKey)
+    final_state = run_machine(NeedLock.new(self), NeedKey)
     final_state.ssl_context
   end
 
@@ -371,7 +390,7 @@ class Puppet::SSL::StateMachine
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
   # @raise [Puppet::Error] If we fail to generate an SSLContext
   def ensure_client_certificate
-    final_state = run_machine(NeedCACerts.new(self), Done)
+    final_state = run_machine(NeedLock.new(self), Done)
     ssl_context = final_state.ssl_context
 
     if Puppet::Util::Log.sendlevel?(:debug)
@@ -390,40 +409,38 @@ class Puppet::SSL::StateMachine
     ssl_context
   end
 
+  def lock
+    @lockfile.lock
+  end
+
+  def unlock
+    @lockfile.unlock
+  end
+
   private
 
   def run_machine(state, stop)
-    with_lock do
-      loop do
-        state = run_step(state)
-
-        case state
-        when stop
-          break
-        when Error
-          if @onetime
-            Puppet.log_exception(state.error)
-            raise state.error
-          end
-        else
-          # fall through
+    loop do
+      state = run_step(state)
+
+      case state
+      when stop
+        break
+      when LockFailure
+        raise Puppet::Error, _('Another puppet instance is already running; exiting')
+      when Error
+        if @onetime
+          Puppet.log_exception(state.error)
+          raise state.error
         end
+      else
+        # fall through
       end
     end
 
     state
-  end
-
-  def with_lock
-    if @lockfile.lock
-      begin
-        yield
-      ensure
-        @lockfile.unlock
-      end
-    else
-      raise Puppet::Error, _('Another puppet instance is already running; exiting')
-    end
+  ensure
+    @lockfile.unlock if @lockfile.locked?
   end
 
   def run_step(state)

data/lib/puppet/transaction/report.rb

@@ -217,13 +217,13 @@ class Puppet::Transaction::Report
   end
 
   # @api private
-  def initialize(configuration_version=nil, environment=nil, transaction_uuid=nil, job_id=nil)
+  def initialize(configuration_version=nil, environment=nil, transaction_uuid=nil, job_id=nil, start_time=Time.now)
     @metrics = {}
     @logs = []
     @resource_statuses = {}
     @external_times ||= {}
     @host = Puppet[:node_name_value]
-    @time = Time.now
+    @time = start_time
     @report_format = 10
     @puppet_version = Puppet.version
     @configuration_version = configuration_version

data/lib/puppet/type.rb

@@ -10,6 +10,7 @@ require 'puppet/metatype/manager'
 require 'puppet/util/errors'
 require 'puppet/util/logging'
 require 'puppet/util/tagging'
+require 'puppet/concurrent/lock'
 
 # see the bottom of the file for the rest of the inclusions
 
@@ -84,6 +85,11 @@ class Type
   # Comparing type instances.
   include Comparable
 
+  # These variables are used in Metatype::Manager for managing types
+  @types = {}
+  @manager_lock = Puppet::Concurrent::Lock.new
+  extend Puppet::MetaType::Manager
+
   # Compares this type against the given _other_ (type) and returns -1, 0, or +1 depending on the order.
   # @param other [Object] the object to compare against (produces nil, if not kind of Type}
   # @return [-1, 0, +1, nil] produces -1 if this type is before the given _other_ type, 0 if equals, and 1 if after.
@@ -2284,7 +2290,6 @@ end
     #
     attr_accessor :self_refresh
     include Enumerable, Puppet::Util::ClassGen
-    include Puppet::MetaType::Manager
 
     include Puppet::Util
     include Puppet::Util::Logging

data/lib/puppet/type/file/source.rb

@@ -47,6 +47,8 @@ module Puppet
       The `http` source uses the server `Content-MD5` header as a checksum to
       determine if the remote file has changed. If the server response does not
       include that header, Puppet defaults to using the `Last-Modified` header.
+      Puppet will update the local file if the header is newer than the modified
+      time (mtime) of the local file.
 
       Multiple `source` values can be specified as an array, and Puppet will
       use the first source that exists. This can be used to serve different
@@ -255,7 +257,7 @@ module Puppet
 
     def each_chunk_from(&block)
       if Puppet[:default_file_terminus] == :file_server && scheme == 'puppet' && (uri.host.nil? || uri.host.empty?)
-        chunk_file_from_disk(metadata.path, &block)
+        chunk_file_from_disk(metadata.full_path, &block)
       elsif local?
         chunk_file_from_disk(full_path, &block)
       else
@@ -296,7 +298,7 @@ module Puppet
 
     def get_from_http_source(url, &block)
       client = Puppet.runtime['http']
-      client.get(url) do |response|
+      client.get(url, options: {include_system_store: true}) do |response|
         raise Puppet::HTTP::ResponseError.new(response) unless response.success?
 
         response.read_body(&block)

data/lib/puppet/type/package.rb

@@ -51,6 +51,7 @@ module Puppet
         package database for installed version(s), and can select
         which out of a set of available versions of a package to
         install if asked."
+    feature :version_ranges, "The provider can ensure version ranges."
     feature :holdable, "The provider is capable of placing packages on hold
         such that they are not automatically upgraded as a result of
         other package dependencies unless explicit action is taken by
@@ -80,10 +81,12 @@ module Puppet
         specifying `purged` as the ensure value. This defaults to `installed`.
 
         Version numbers must match the full version to install, including
-        release if the provider uses a release moniker. Ranges or semver
-        patterns are not accepted except for the `gem` package provider. For
+        release if the provider uses a release moniker. For
         example, to install the bash package from the rpm
         `bash-4.1.2-29.el6.x86_64.rpm`, use the string `'4.1.2-29.el6'`.
+
+        On supported providers, version ranges can also be ensured. For example,
+        inequalities: `<2.0.0`, or intersections: `>1.0.0 <2.0.0`.
       EOT
 
       attr_accessor :latest
@@ -489,6 +492,26 @@ module Puppet
       newvalues(:true, :false)
     end
 
+    newparam(:enable_only, :boolean => false, :parent => Puppet::Parameter::Boolean) do
+      desc <<-EOT
+        Tells `dnf module` to only enable a specific module, instead
+        of installing its default profile.
+
+        Modules with no default profile will be enabled automatically
+        without the use of this parameter.
+
+        Conflicts with the `flavor` property, which selects a profile
+        to install.
+      EOT
+      defaultto false
+
+      validate do |value|
+        if [true, :true, "true"].include?(value) && @resource[:flavor]
+          raise ArgumentError, _('Cannot have both `enable_only => true` and `flavor`')
+        end
+      end
+    end
+
     newparam(:install_only, :boolean => false, :parent => Puppet::Parameter::Boolean, :required_features => :install_only) do
       desc <<-EOT
         It should be set for packages that should only ever be installed,

data/lib/puppet/type/user.rb

@@ -493,25 +493,6 @@ module Puppet
       provider.exists?
     end
 
-    def retrieve
-      absent = false
-      properties.inject({}) { |prophash, property|
-        current_value = :absent
-
-        if absent
-          prophash[property] = :absent
-        else
-          current_value = property.retrieve
-          prophash[property] = current_value
-        end
-
-        if property.name == :ensure and current_value == :absent
-          absent = true
-        end
-        prophash
-      }
-    end
-
     newproperty(:roles, :parent => Puppet::Property::List, :required_features => :manages_solaris_rbac) do
       desc "The roles the user has.  Multiple roles should be
         specified as an array."

data/lib/puppet/util/at_fork.rb

@@ -13,7 +13,7 @@ require 'puppet'
 #   service.
 module Puppet::Util::AtFork
   @handler_class = loop do
-    if Facter.value(:operatingsystem) == 'Solaris'
+    if Puppet::Util::Platform.solaris?
       begin
         require 'puppet/util/at_fork/solaris'
         # using break to return a value from the loop block