puppet 6.15.0 → 6.16.0

data/lib/puppet/provider/package/portage.rb

@@ -20,9 +20,9 @@ Puppet::Type.type(:package).provide :portage, :parent => Puppet::Provider::Packa
     end
   end
 
-  confine :operatingsystem => :gentoo
+  confine :osfamily => :gentoo
 
-  defaultfor :operatingsystem => :gentoo
+  defaultfor :osfamily => :gentoo
 
   def self.instances
     result_format = self.eix_result_format

data/lib/puppet/provider/package/yum.rb

@@ -43,6 +43,10 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
     if should.is_a?(String)
       begin
         should_version = RPM_VERSION_RANGE.parse(should, RPM_VERSION)
+
+        if should_version.is_a?(RPM_VERSION_RANGE::Eq)
+          return super
+        end
       rescue RPM_VERSION_RANGE::ValidationFailure, RPM_VERSION::ValidationFailure
         Puppet.debug("Cannot parse #{should} as a RPM version range")
         return super
@@ -192,6 +196,9 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
     if should.is_a?(String)
       begin
         should_range = RPM_VERSION_RANGE.parse(should, RPM_VERSION)
+        if should_range.is_a?(RPM_VERSION_RANGE::Eq)
+          return should
+        end
       rescue RPM_VERSION_RANGE::ValidationFailure, RPM_VERSION::ValidationFailure
         Puppet.debug("Cannot parse #{should} as a RPM version range")
         return should

data/lib/puppet/provider/package/zypper.rb

@@ -2,7 +2,7 @@ Puppet::Type.type(:package).provide :zypper, :parent => :rpm, :source => :rpm do
   desc "Support for SuSE `zypper` package manager. Found in SLES10sp2+ and SLES11.
 
     This provider supports the `install_options` attribute, which allows command-line flags to be passed to zypper.
-    These options should be specified as an array where each element is either a 
+    These options should be specified as an array where each element is either a
     string or a hash."
 
   has_feature :versionable, :install_options, :virtual_packages
@@ -50,6 +50,41 @@ Puppet::Type.type(:package).provide :zypper, :parent => :rpm, :source => :rpm do
     execute(cmd, { :failonfail => false, :combine => true})
   end
 
+  def best_version(should)
+    if should.is_a?(String)
+      begin
+        should_range = Puppet::Util::Package::Version::Range.parse(should, Puppet::Util::Package::Version::Rpm)
+      rescue Puppet::Util::Package::Version::Range::ValidationFailure, Puppet::Util::Package::Version::Rpm::ValidationFailure
+        Puppet.debug("Cannot parse #{should} as a RPM version range")
+        return should
+      end
+
+      if should_range.is_a?(Puppet::Util::Package::Version::Range::Eq)
+        return should
+      end
+
+      sorted_versions = SortedSet.new
+
+      output = zypper('search', '--match-exact', '--type', 'package', '--uninstalled-only', '-s', @resource[:name])
+      output.lines.each do |line|
+        pkg_ver = line.split(/\s*\|\s*/)
+        next unless pkg_ver[1] == @resource[:name]
+        begin
+          rpm_version = Puppet::Util::Package::Version::Rpm.parse(pkg_ver[3])
+
+          sorted_versions << rpm_version if should_range.include?(rpm_version)
+        rescue Puppet::Util::Package::Version::Rpm::ValidationFailure
+          Puppet.debug("Cannot parse #{pkg_ver[3]} as a RPM version")
+        end
+      end
+
+      return sorted_versions.entries.last if sorted_versions.any?
+
+      Puppet.debug("No available version for package #{@resource[:name]} is included in range #{should_range}")
+      should
+    end
+  end
+
   # Install a package using 'zypper'.
   def install
     should = @resource.should(:ensure)
@@ -62,6 +97,7 @@ Puppet::Type.type(:package).provide :zypper, :parent => :rpm, :source => :rpm do
       should = nil
     else
       # Add the package version
+      should = best_version(should)
       wanted = "#{wanted}-#{should}"
     end
 
@@ -89,6 +125,7 @@ Puppet::Type.type(:package).provide :zypper, :parent => :rpm, :source => :rpm do
     options = []
     options << quiet
     options << '--no-gpg-check' unless inst_opts.delete('--no-gpg-check').nil?
+    options << '--no-gpg-checks' unless inst_opts.delete('--no-gpg-checks').nil?
     options << :install
 
     #zypper 0.6.13 (OpenSuSE 10.2) does not support auto agree with licenses
@@ -142,4 +179,25 @@ Puppet::Type.type(:package).provide :zypper, :parent => :rpm, :source => :rpm do
     end
 
   end
+
+  def insync?(is)
+    return false if [:purged, :absent].include?(is)
+
+    should = @resource[:ensure]
+    if should.is_a?(String)
+      begin
+        should_version = Puppet::Util::Package::Version::Range.parse(should, Puppet::Util::Package::Version::Rpm)
+      rescue Puppet::Util::Package::Version::Range::ValidationFailure, Puppet::Util::Package::Version::Rpm::ValidationFailure
+        Puppet.debug("Cannot parse #{should} as a RPM version range")
+        return super
+      end
+
+      begin
+        is_version = Puppet::Util::Package::Version::Rpm.parse(is)
+        should_version.include?(is_version)
+      rescue Puppet::Util::Package::Version::Rpm::ValidationFailure
+        Puppet.debug("Cannot parse #{is} as a RPM version")
+      end
+    end
+  end
 end

data/lib/puppet/provider/service/systemd.rb

@@ -30,7 +30,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   def self.instances
     i = []
     output = systemctl('list-unit-files', '--type', 'service', '--full', '--all',  '--no-pager')
-    output.scan(/^(\S+)\s+(disabled|enabled|masked|indirect|bad)\s*$/i).each do |m|
+    output.scan(/^(\S+)\s+(disabled|enabled|masked|indirect|bad|static)\s*$/i).each do |m|
       Puppet.debug("#{m[0]} marked as bad by `systemctl`. It is recommended to be further checked.") if m[1] == "bad"
       i << new(:name => m[0])
     end
@@ -39,6 +39,22 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
     return []
   end
 
+  # Static services cannot be enabled or disabled manually. Indirect services 
+  # should not be enabled or disabled due to limitations in systemd (see 
+  # https://github.com/systemd/systemd/issues/6681).
+  def enabled_insync?(current)
+    case cached_enabled?[:output]
+    when 'static'
+      Puppet.debug("Unable to enable or disable static service #{@resource[:name]}")
+      return true
+    when 'indirect'
+      Puppet.debug("Service #{@resource[:name]} is in 'indirect' state and cannot be enabled/disabled")
+      return true
+    else
+      current == @resource[:enable]
+    end
+  end
+
   # This helper ensures that the enable state cache is always reset
   # after a systemctl enable operation. A particular service state is not guaranteed
   # after such an operation, so the cache must be emptied to prevent inconsistencies
@@ -70,12 +86,13 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   def cached_enabled?
     return @cached_enabled if @cached_enabled
     cmd = [command(:systemctl), 'is-enabled', '--', @resource[:name]]
-    @cached_enabled = execute(cmd, :failonfail => false).strip
+    result = execute(cmd, :failonfail => false)
+    @cached_enabled = { output: result.chomp, exitcode: result.exitstatus }
   end
 
   def enabled?
-    output = cached_enabled?
-    code = $CHILD_STATUS.exitstatus
+    output = cached_enabled?[:output]
+    code = cached_enabled?[:exitcode]
 
     # The masked state is equivalent to the disabled state in terms of
     # comparison so we only care to check if it is masked if we want to keep

data/lib/puppet/provider/user/useradd.rb

@@ -21,7 +21,11 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
   options :expiry, :method => :sp_expire,
     :munge => proc { |value|
       if value == :absent
-        ''
+        if Facter.value(:operatingsystem)=='SLES' && Facter.value(:operatingsystemmajrelease) == "11"
+          -1
+        else
+          ''
+        end
       else
         case Facter.value(:operatingsystem)
         when 'Solaris'

data/lib/puppet/reports/http.rb

@@ -26,11 +26,13 @@ Puppet::Reports.register_report(:http) do
     }
 
     if url.user && url.password
-      options[:user] = url.user
-      options[:password] = url.password
+      options[:basic_auth] = {
+        user: url.user,
+        password: url.password
+      }
     end
 
-    client = Puppet.runtime['http']
+    client = Puppet.runtime[:http]
     client.post(url, self.to_yaml, headers: headers, options: options) do |response|
       unless response.success?
         Puppet.err _("Unable to submit report to %{url} [%{code}] %{message}") % { url: Puppet[:reporturl].to_s, code: response.code, message: response.reason }

data/lib/puppet/runtime.rb

@@ -1,16 +1,32 @@
 require 'puppet/http'
 require 'singleton'
 
+# Provides access to runtime implementations.
+#
+# @api private
 class Puppet::Runtime
   include Singleton
 
   def initialize
     @runtime_services = {
-      'http' => proc { Puppet::HTTP::Client.new }
+      http: proc do
+        klass = Puppet::Network::HttpPool.http_client_class
+        if klass == Puppet::Network::HTTP::Connection ||
+           klass == Puppet::Network::HTTP::ConnectionAdapter
+          Puppet::HTTP::Client.new
+        else
+          Puppet::HTTP::ExternalClient.new(klass)
+        end
+      end
     }
   end
   private :initialize
 
+  # Get a runtime implementation.
+  #
+  # @param name [Symbol] the name of the implementation
+  # @return [Object] the runtime implementation
+  # @api private
   def [](name)
     service = @runtime_services[name]
     raise ArgumentError, "Unknown service #{name}" unless service
@@ -22,11 +38,18 @@ class Puppet::Runtime
     end
   end
 
+  # Register a runtime implementation.
+  #
+  # @param name [Symbol] the name of the implementation
+  # @param impl [Object] the runtime implementation
+  # @api private
   def []=(name, impl)
     @runtime_services[name] = impl
   end
 
-  # for testing
+  # Clears all implementations. This is used for testing.
+  #
+  # @api private
   def clear
     initialize
   end

data/lib/puppet/ssl/state_machine.rb

@@ -279,8 +279,8 @@ class Puppet::SSL::StateMachine
         Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
 
         # close persistent connections and session state before sleeping
-        Puppet.runtime['http'].close
-        @machine.session = Puppet.runtime['http'].create_session
+        Puppet.runtime[:http].close
+        @machine.session = Puppet.runtime[:http].create_session
 
         @machine.unlock
         Kernel.sleep(time)
@@ -301,15 +301,31 @@ class Puppet::SSL::StateMachine
         # our ssl directory may have been cleaned while we were
         # sleeping, start over from the top
         NeedCACerts.new(@machine)
+      elsif @machine.waitforlock < 1
+        LockFailure.new(@machine, _("Another puppet instance is already running and the waitforlock setting is set to 0; exiting"))
+      elsif Time.now.to_i >= @machine.waitlock_deadline
+        LockFailure.new(@machine, _("Another puppet instance is already running and the maxwaitforlock timeout has been exceeded; exiting"))
       else
-        LockFailure.new(@machine, nil)
+        Puppet.info _("Another puppet instance is already running; waiting for it to finish")
+        Puppet.info _("Will try again in %{time} seconds.") % {time: @machine.waitforlock}
+        Kernel.sleep @machine.waitforlock
+
+        # try again
+        self
       end
     end
   end
 
   # We failed to acquire the lock, so exit
   #
-  class LockFailure < SSLState; end
+  class LockFailure < SSLState
+    attr_reader :message
+
+    def initialize(machine, message)
+      super(machine, nil)
+      @message = message
+    end
+  end
 
   # We cannot make progress due to an error.
   #
@@ -333,7 +349,7 @@ class Puppet::SSL::StateMachine
   #
   class Done < SSLState; end
 
-  attr_reader :waitforcert, :wait_deadline, :cert_provider, :ssl_provider, :ca_fingerprint, :digest
+  attr_reader :waitforcert, :wait_deadline, :waitforlock, :waitlock_deadline, :cert_provider, :ssl_provider, :ca_fingerprint, :digest
   attr_accessor :session
 
   # Construct a state machine to manage the SSL initialization process. By
@@ -346,7 +362,12 @@ class Puppet::SSL::StateMachine
   # then then state machine will exit instead of wait.
   #
   # @param waitforcert [Integer] how many seconds to wait between attempts
-  # @param maxwiatforcert [Integer] maximum amount of second
+  # @param maxwaitforcert [Integer] maximum amount of seconds to wait for the
+  #   server to sign the certificate request
+  # @param waitforlock [Integer] how many seconds to wait between attempts for
+  #   acquiring the ssl lock
+  # @param maxwaitforlock [Integer] maximum amount of seconds to wait for an
+  #   already running process to release the ssl lock
   # @param onetime [Boolean] whether to run onetime
   # @param lockfile [Puppet::Util::Pidlock] lockfile to protect against
   #   concurrent modification by multiple processes
@@ -359,6 +380,8 @@ class Puppet::SSL::StateMachine
   #   downloaded CA bundle
   def initialize(waitforcert: Puppet[:waitforcert],
                  maxwaitforcert: Puppet[:maxwaitforcert],
+                 waitforlock: Puppet[:waitforlock],
+                 maxwaitforlock: Puppet[:maxwaitforlock],
                  onetime: Puppet[:onetime],
                  cert_provider: Puppet::X509::CertProvider.new,
                  ssl_provider: Puppet::SSL::SSLProvider.new,
@@ -367,13 +390,15 @@ class Puppet::SSL::StateMachine
                  ca_fingerprint: Puppet[:ca_fingerprint])
     @waitforcert = waitforcert
     @wait_deadline = Time.now.to_i + maxwaitforcert
+    @waitforlock = waitforlock
+    @waitlock_deadline = Time.now.to_i + maxwaitforlock
     @onetime = onetime
     @cert_provider = cert_provider
     @ssl_provider = ssl_provider
     @lockfile = lockfile
     @digest = digest
     @ca_fingerprint = ca_fingerprint
-    @session = Puppet.runtime['http'].create_session
+    @session = Puppet.runtime[:http].create_session
   end
 
   # Run the state machine for CA certs and CRLs.
@@ -427,7 +452,7 @@ class Puppet::SSL::StateMachine
       when stop
         break
       when LockFailure
-        raise Puppet::Error, _('Another puppet instance is already running; exiting')
+        raise Puppet::Error, state.message
       when Error
         if @onetime
           Puppet.log_exception(state.error)

data/lib/puppet/ssl/verifier_adapter.rb

@@ -6,10 +6,18 @@
 #   loaded above.
 #
 class Puppet::SSL::VerifierAdapter
-  attr_reader :validator
+  attr_reader :validator, :ssl_context
 
   def initialize(validator)
     @validator = validator
+
+    if validator.is_a?(Puppet::SSL::Validator::NoValidator)
+      ssl = Puppet::SSL::SSLProvider.new
+      @ssl_context = ssl.create_insecure_context
+    else
+      # nil means use the default SSLContext
+      @ssl_context = nil
+    end
   end
 
   # Return true if `self` is reusable with `verifier` meaning they

data/lib/puppet/test/test_helper.rb

@@ -137,7 +137,7 @@ module Puppet::Test
           trusted_information:
             Puppet::Context::TrustedInformation.new('local', 'testing', {}, { "trusted_testhelper" => true }),
           ssl_context: Puppet::SSL::SSLContext.new(cacerts: []).freeze,
-          http_session: proc { Puppet.runtime["http"].create_session }
+          http_session: proc { Puppet.runtime[:http].create_session }
         },
         "Context for specs")
 

data/lib/puppet/type/file/source.rb

@@ -297,7 +297,7 @@ module Puppet
     end
 
     def get_from_http_source(url, &block)
-      client = Puppet.runtime['http']
+      client = Puppet.runtime[:http]
       client.get(url, options: {include_system_store: true}) do |response|
         raise Puppet::HTTP::ResponseError.new(response) unless response.success?
 

data/lib/puppet/type/package.rb

@@ -62,6 +62,9 @@ module Puppet
       passed to the installer command."
     feature :uninstall_options, "The provider accepts options to be
       passed to the uninstaller command."
+    feature :disableable, "The provider can disable packages. This feature is used by specifying `disabled` as the
+      desired value for the package.",
+      :methods => [:disable]
     feature :supports_flavors, "The provider accepts flavors, which are specific variants of packages."
     feature :package_settings, "The provider accepts package_settings to be
       ensured for the given package. The meaning and format of these settings is
@@ -107,6 +110,10 @@ module Puppet
         provider.deprecated_hold
       end
 
+      newvalue(:disabled, :required_features => :disableable) do
+        provider.disable
+      end
+
       # Alias the 'present' value.
       aliasvalue(:installed, :present)
 
@@ -154,7 +161,7 @@ module Puppet
         @should.each { |should|
           case should
           when :present
-            return true unless [:absent, :purged, :held].include?(is)
+            return true unless [:absent, :purged, :held, :disabled].include?(is)
           when :latest
             # Short-circuit packages that are not present
             return false if is == :absent || is == :purged
@@ -411,6 +418,11 @@ module Puppet
     newproperty(:flavor, :required_features => :supports_flavors) do
       desc "OpenBSD and DNF modules support 'flavors', which are
         further specifications for which type of package you want."
+      validate do |value|
+        if [:disabled, "disabled"].include?(@resource[:ensure]) && value
+          raise ArgumentError, _('Cannot have both `ensure => disabled` and `flavor`')
+        end
+      end
     end
 
     newparam(:source) do
@@ -509,6 +521,9 @@ module Puppet
         if [true, :true, "true"].include?(value) && @resource[:flavor]
           raise ArgumentError, _('Cannot have both `enable_only => true` and `flavor`')
         end
+        if [:disabled, "disabled"].include?(@resource[:ensure])
+          raise ArgumentError, _('Cannot have both `ensure => disabled` and `enable_only => true`')
+        end
       end
     end