puppet 6.16.0-x86-mingw32 → 6.17.0-x86-mingw32

data/lib/puppet/provider/user/useradd.rb

@@ -138,10 +138,17 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
 
   def check_manage_home
     cmd = []
-    if @resource.managehome? && (!@resource.forcelocal?)
-      cmd << "-m"
-    elsif (!@resource.managehome?) && Facter.value(:osfamily) == 'RedHat'
-      cmd << "-M"
+    if @resource.managehome?
+      # libuser does not implement the -m flag
+      cmd << "-m" unless @resource.forcelocal?
+    else
+      osfamily = Facter.value(:osfamily)
+      osversion = Facter.value(:operatingsystemmajrelease).to_i
+      # SLES 11 uses pwdutils instead of shadow, which does not have -M
+      # Solaris and OpenBSD use different useradd flavors
+      unless osfamily =~ /Solaris|OpenBSD/ || osfamily == 'Suse' && osversion <= 11
+        cmd << "-M"
+      end
     end
     cmd
   end

data/lib/puppet/reports/http.rb

@@ -25,6 +25,8 @@ Puppet::Reports.register_report(:http) do
       :include_system_store => Puppet[:report_include_system_store],
     }
 
+    # Puppet's http client implementation accepts userinfo in the URL
+    # but puppetserver's does not. So pass credentials explicitly.
     if url.user && url.password
       options[:basic_auth] = {
         user: url.user,

data/lib/puppet/resource.rb

@@ -628,7 +628,8 @@ class Puppet::Resource
   def self.extract_type_and_title(argtype, argtitle)
     if (argtype.nil? || argtype == :component || argtype == :whit) &&
           argtitle =~ /^([^\[\]]+)\[(.+)\]$/m                  then [ $1,                 $2            ]
-    elsif argtitle.nil? && argtype =~ /^([^\[\]]+)\[(.+)\]$/m  then [ $1,                 $2            ]
+    elsif argtitle.nil? && argtype.is_a?(String) &&
+          argtype =~ /^([^\[\]]+)\[(.+)\]$/m                   then [ $1,                 $2            ]
     elsif argtitle                                             then [ argtype,            argtitle      ]
     elsif argtype.is_a?(Puppet::Type)                          then [ argtype.class.name, argtype.title ]
     else  raise ArgumentError, _("No title provided and %{type} is not a valid resource reference") % { type: argtype.inspect }

data/lib/puppet/resource/type.rb

@@ -11,6 +11,7 @@ class Puppet::Resource::Type
   include Puppet::Util::Warnings
   include Puppet::Util::Errors
 
+  # @deprecated application orchestration will be removed in puppet 7 (capability_mapping, application, site)
   RESOURCE_KINDS = [:hostclass, :node, :definition, :capability_mapping, :application, :site]
 
   # Map the names used in our documentation to the names used internally
@@ -69,6 +70,8 @@ class Puppet::Resource::Type
 
   # Evaluate the resources produced by the given resource. These resources are
   # evaluated in a separate but identical scope from the rest of the resource.
+  #
+  # @deprecated application orchestration will be removed in puppet 7
   def evaluate_produces(resource, scope)
     # Only defined types and classes can produce capabilities
     return unless definition? || hostclass?
@@ -161,19 +164,23 @@ class Puppet::Resource::Type
     @module_name = options[:module_name]
   end
 
+  # @deprecated application orchestration will be removed in puppet 7
   def produces
     @produces || EMPTY_ARRAY
   end
 
+  # @deprecated application orchestration will be removed in puppet 7
   def consumes
     @consumes || EMPTY_ARRAY
   end
 
+  # @deprecated application orchestration will be removed in puppet 7
   def add_produces(blueprint)
     @produces ||= []
     @produces << blueprint
   end
 
+  # @deprecated application orchestration will be removed in puppet 7
   def add_consumes(blueprint)
     @consumes ||= []
     @consumes << blueprint
@@ -235,6 +242,7 @@ class Puppet::Resource::Type
     when :node
       :node
     when :site
+      # @deprecated application orchestration will be removed in puppet 7
       :site
     end
 

data/lib/puppet/ssl/ssl_context.rb

@@ -22,9 +22,9 @@ module Puppet::SSL
     # This is an idiom to initialize a Struct from keyword
     # arguments. Ruby 2.5 introduced `keyword_init: true` for
     # that purpose, but we need to support older versions.
-    def initialize(**kwargs)
+    def initialize(kwargs = {})
       super({})
-      DEFAULTS.merge(kwargs).each { |k,v| self[k] = v }
+      DEFAULTS.merge(**kwargs).each { |k,v| self[k] = v }
     end
   end
 end

data/lib/puppet/ssl/ssl_provider.rb

@@ -46,13 +46,32 @@ class Puppet::SSL::SSLProvider
   # perform revocation checking.
   #
   # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
+  # @param path [String, nil] A file containing additional trusted CA certs.
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise (see #create_context)
   # @api private
-  def create_system_context(cacerts:)
+  def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
     store = create_x509_store(cacerts, [], false)
     store.set_default_paths
 
+    if path
+      stat = Puppet::FileSystem.stat(path)
+      if stat
+        if stat.ftype == 'file'
+          # don't add empty files as ruby/openssl will raise
+          if stat.size > 0
+            begin
+              store.add_file(path)
+            rescue => e
+              Puppet.err(_("Failed to add '%{path}' as a trusted CA file: %{detail}" % { path: path, detail: e.message }, e))
+            end
+          end
+        else
+          Puppet.warning(_("The 'ssl_trust_store' setting does not refer to a file and will be ignored: '%{path}'" % { path: path }))
+        end
+      end
+    end
+
     Puppet::SSL::SSLContext.new(store: store, cacerts: cacerts, crls: [], revocation: false).freeze
   end
 

data/lib/puppet/test/test_helper.rb

@@ -68,7 +68,14 @@ module Puppet::Test
     #  any individual tests.
     # @return nil
     def self.before_all_tests()
-      # Make sure that all of the setup is also done for any before(:all) blocks
+      # The process environment is a shared, persistent resource.
+      # Can't use Puppet.features.microsoft_windows? as it may be mocked out in a test.  This can cause test recurring test failures
+      if (!!File::ALT_SEPARATOR)
+        mode = :windows
+      else
+        mode = :posix
+      end
+      $old_env = Puppet::Util.get_environment(mode)
     end
 
     # Call this method once, at the end of a test run, when no more tests
@@ -118,15 +125,6 @@ module Puppet::Test
         }
       end
 
-      # The process environment is a shared, persistent resource.
-      # Can't use Puppet.features.microsoft_windows? as it may be mocked out in a test.  This can cause test recurring test failures
-      if (!!File::ALT_SEPARATOR)
-        mode = :windows
-      else
-        mode = :posix
-      end
-      $old_env = Puppet::Util.get_environment(mode)
-
       # So is the load_path
       $old_load_path = $LOAD_PATH.dup
 

data/lib/puppet/trusted_external.rb

@@ -3,11 +3,39 @@ module Puppet::TrustedExternal
   def retrieve(certname)
     command = Puppet[:trusted_external_command]
     return nil unless command
+    Puppet.debug _("Retrieving trusted external data from %{command}") % {command: command}
+    setting_type = Puppet.settings.setting(:trusted_external_command).type
+    if setting_type == :file
+      return fetch_data(command, certname)
+    end
+    # command is a directory. Thus, data is a hash of <basename> => <data> for
+    # each executable file in command. For example, if the files 'servicenow.rb',
+    # 'unicorn.sh' are in command, then data is the following hash:
+    #   { 'servicenow' => <servicenow.rb output>, 'unicorn' => <unicorn.sh output> }
+    data = {}
+    Puppet::FileSystem.children(command).each do |file|
+      abs_path = Puppet::FileSystem.expand_path(file)
+      executable_file = Puppet::FileSystem.file?(abs_path) && Puppet::FileSystem.executable?(abs_path)
+      unless executable_file
+        Puppet.debug _("Skipping non-executable file %{file}")  % { file: abs_path }
+        next
+      end
+      basename = file.basename(file.extname).to_s
+      unless data[basename].nil?
+        raise Puppet::Error, _("There is more than one '%{basename}' script in %{dir}") % { basename: basename, dir: command }
+      end
+      data[basename] = fetch_data(abs_path, certname)
+    end
+    data
+  end
+  module_function :retrieve
+
+  def fetch_data(command, certname)
     result = Puppet::Util::Execution.execute([command, certname], {
       :combine => false,
       :failonfail => true,
     })
     JSON.parse(result)
   end
-  module_function :retrieve
+  module_function :fetch_data
 end

data/lib/puppet/type.rb

@@ -116,8 +116,10 @@ class Type
 
   # Allow declaring that a type is actually a capability
   class << self
+    # @deprecated application orchestration will be removed in puppet 7
     attr_accessor :is_capability
 
+    # @deprecated application orchestration will be removed in puppet 7
     def is_capability?
       c = is_capability
       c.nil? ? false : c
@@ -129,6 +131,8 @@ class Type
   # represent application instances, this implementation always returns
   # +false+. Having this method though makes code checking whether a
   # resource is an application instance simpler
+  #
+  # @deprecated application orchestration will be removed in puppet 7
   def self.application?
       false
   end
@@ -749,7 +753,7 @@ class Type
   # @param options [Hash] options merged with a fixed set of options defined by this method, passed on to {Puppet::Transaction::Event}.
   # @return [Puppet::Transaction::Event] the created event
   def event(options = {})
-    Puppet::Transaction::Event.new({:resource => self, :file => file, :line => line, :tags => tags}.merge(options))
+    Puppet::Transaction::Event.new(**{:resource => self, :file => file, :line => line, :tags => tags}.merge(options))
   end
 
   # @return [Object, nil] Returns the 'should' (wanted state) value for a specified property, or nil if the
@@ -1205,15 +1209,16 @@ class Type
       provider.instances.collect do |instance|
         # We always want to use the "first" provider instance we find, unless the resource
         # is already managed and has a different provider set
-        other = provider_instances[instance.name]
+        title = instance.respond_to?(:title) ? instance.title : instance.name
+        other = provider_instances[title]
         if other
           Puppet.debug "%s %s found in both %s and %s; skipping the %s version" %
-            [self.name.to_s.capitalize, instance.name, other.class.name, instance.class.name, instance.class.name]
+            [self.name.to_s.capitalize, title, other.class.name, instance.class.name, instance.class.name]
           next
         end
-        provider_instances[instance.name] = instance
+        provider_instances[title] = instance
 
-        result = new(:name => instance.name, :provider => instance)
+        result = new(:name => instance.name, :provider => instance, :title => title)
         properties.each { |name| result.newattr(name) }
         result
       end
@@ -1714,6 +1719,7 @@ class Type
     }
   end
 
+  # @deprecated application orchestration will be removed in puppet 7
   newmetaparam(:export, :parent => RelationshipMetaparam, :attributes => {:direction => :out, :events => :NONE}) do
           desc <<EOS
 Export a capability resource.
@@ -1739,6 +1745,7 @@ web { server:
 EOS
   end
 
+  # @deprecated application orchestration will be removed in puppet 7
   newmetaparam(:consume, :parent => RelationshipMetaparam, :attributes => {:direction => :in, :events => :NONE}) do
           desc <<EOS
 Consume a capability resource.

data/lib/puppet/type/file.rb

@@ -401,8 +401,12 @@ Puppet::Type.newtype(:file) do
     end
   end
 
-  CREATORS = [:content, :source, :target]
-  SOURCE_ONLY_CHECKSUMS = [:none, :ctime, :mtime]
+  # mutually exclusive ways to create files
+  CREATORS = [:content, :source, :target].freeze
+
+  # This is both "checksum types that can't be used with the content property"
+  # and "checksum types that are not digest based"
+  SOURCE_ONLY_CHECKSUMS = [:none, :ctime, :mtime].freeze
 
   validate do
     creator_count = 0
@@ -428,7 +432,7 @@ Puppet::Type.newtype(:file) do
       @parameters[:content].value = @parameters[:checksum].sum(@parameters[:content].actual_content)
     end
 
-    if self[:checksum] && self[:checksum_value] && !send("#{self[:checksum]}?", self[:checksum_value])
+    if self[:checksum] && self[:checksum_value] && !valid_checksum?(self[:checksum], self[:checksum_value])
       self.fail _("Checksum value '%{value}' is not a valid checksum type %{checksum}") % { value: self[:checksum_value], checksum: self[:checksum] }
     end
 
@@ -930,7 +934,7 @@ Puppet::Type.newtype(:file) do
           # that out.
         end
 
-        fail_if_checksum_is_wrong(file.path, content_checksum) if validate_checksum?
+        fail_if_checksum_is_wrong(property, file.path, content_checksum)
       end
     else
       umask = mode ? 000 : 022
@@ -1040,17 +1044,38 @@ Puppet::Type.newtype(:file) do
     end
   end
 
-  # Should we validate the checksum of the file we're writing?
-  def validate_checksum?
-    self[:checksum] !~ /time/
-  end
-
   # Make sure the file we wrote out is what we think it is.
-  def fail_if_checksum_is_wrong(path, content_checksum)
-    newsum = parameter(:checksum).sum_file(path)
-    return if [:absent, nil, content_checksum].include?(newsum)
+  # @param [Puppet::Parameter] property the param or property that wrote the file, or nil
+  # @param [String] path to the file
+  # @param [String] the checksum for the local file
+  #
+  # @api private
+  #
+  def fail_if_checksum_is_wrong(property, path, content_checksum)
+    desired_checksum = desired_checksum(property, path)
 
-    self.fail _("File written to disk did not match checksum; discarding changes (%{content_checksum} vs %{newsum})") % { content_checksum: content_checksum, newsum: newsum }
+    if desired_checksum && content_checksum != desired_checksum
+      self.fail _("File written to disk did not match desired checksum; discarding changes (%{content_checksum} vs %{desired_checksum})") % { content_checksum: content_checksum, desired_checksum: desired_checksum }
+    end
+  end
+
+  # Return the desired checksum or nil
+  def desired_checksum(property, path)
+    return if SOURCE_ONLY_CHECKSUMS.include?(self[:checksum])
+
+    if self[:checksum] && self[:checksum_value]
+      "{#{self[:checksum]}}#{self[:checksum_value]}"
+    elsif property && property.name == :source
+      meta = property.metadata
+      return unless meta
+
+      # due to HttpMetadata the checksum type may fallback to mtime, so recheck
+      return if SOURCE_ONLY_CHECKSUMS.include?(meta.checksum_type)
+      meta.checksum
+    elsif property && property.name == :content
+      str = property.actual_content
+      str ? parameter(:checksum).sum(str) : nil
+    end
   end
 
   def write_temporary_file?

data/lib/puppet/type/file/checksum.rb

@@ -9,7 +9,7 @@ Puppet::Type.type(:file).newparam(:checksum) do
 
     The default checksum type is md5."
 
-  newvalues "md5", "md5lite", "sha224", "sha256", "sha256lite", "sha384", "sha512", "mtime", "ctime", "none"
+  newvalues(*Puppet::Util::Checksums.known_checksum_types)
 
   defaultto do
     Puppet[:digest_algorithm].to_sym
@@ -23,18 +23,18 @@ Puppet::Type.type(:file).newparam(:checksum) do
 
   def sum(content)
     content = content.is_a?(Puppet::Pops::Types::PBinaryType::Binary) ? content.binary_buffer : content
-    type = digest_algorithm()
+    type = digest_algorithm
     "{#{type}}" + send(type, content)
   end
 
   def sum_file(path)
-    type = digest_algorithm()
+    type = digest_algorithm
     method = type.to_s + "_file"
     "{#{type}}" + send(method, path).to_s
   end
 
   def sum_stream(&block)
-    type = digest_algorithm()
+    type = digest_algorithm
     method = type.to_s + "_stream"
     checksum = send(method, &block)
     "{#{type}}#{checksum}"

data/lib/puppet/type/file/source.rb

@@ -98,8 +98,8 @@ module Puppet
           # Ruby 1.9.3 and earlier have a URI bug in URI
           # to_s returns an ASCII string despite UTF-8 fragments
           # since its escaped its safe to universally call encode
-          # URI.unescape always returns strings in the original encoding
-          URI.unescape(uri_string.encode(Encoding::UTF_8))
+          # Puppet::Util.uri_unescape always returns strings in the original encoding
+          Puppet::Util.uri_unescape(uri_string.encode(Encoding::UTF_8))
         else
           source
         end
@@ -278,7 +278,7 @@ module Puppet
       api = session.route_to(:fileserver, url: url)
 
       api.get_static_file_content(
-        path: URI.unescape(url.path),
+        path: Puppet::Util.uri_unescape(url.path),
         environment: resource.catalog.environment_instance.to_s,
         code_id: resource.catalog.code_id,
         &block
@@ -290,7 +290,7 @@ module Puppet
       api = session.route_to(:fileserver, url: url)
 
       api.get_file_content(
-        path: URI.unescape(url.path),
+        path: Puppet::Util.uri_unescape(url.path),
         environment: resource.catalog.environment_instance.to_s,
         &block
       )

data/lib/puppet/type/service.rb

@@ -47,6 +47,8 @@ module Puppet
 
     feature :configurable_timeout, "The provider can specify a minumum timeout for syncing service properties"
 
+    feature :manages_logon_credentials, "The provider can specify the logon credentials used for a service"
+
     newproperty(:enable, :required_features => :enableable) do
       desc "Whether a service should be enabled to start at boot.
         This property behaves differently depending on the platform;
@@ -116,6 +118,12 @@ module Puppet
       end
 
       def sync
+        property = @resource.property(:logonaccount)
+        if property
+          val = property.retrieve
+          property.sync unless property.safe_insync?(val)
+        end
+
         event = super()
 
         property = @resource.property(:enable)
@@ -128,6 +136,47 @@ module Puppet
       end
     end
 
+    newproperty(:logonaccount, :required_features => :manages_logon_credentials) do
+      desc "Specify an account for service logon"
+
+      munge do |value|
+        return value unless Puppet::Util::Platform.windows?
+        return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(value)
+
+        value.sub!(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
+        user_information = Puppet::Util::Windows::SID.name_to_principal(value)
+        raise Puppet::Error.new("\"#{value}\" is not a valid account") unless user_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(user_information.account_type)
+
+        if user_information.domain == Puppet::Util::Windows::ADSI.computer_name
+          ".\\#{user_information.account}"
+        else
+          user_information.domain_account
+        end
+      end
+    end
+
+    newparam(:logonpassword, :required_features => :manages_logon_credentials) do
+      desc "Specify a password for service logon. Default value is an empty string (when logonaccount is specified)."
+
+      validate do |value|
+        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.") unless @resource[:logonaccount]
+        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) and value.include?(":")
+        return unless Puppet::Util::Platform.windows?
+
+        is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@resource[:logonaccount]) || @resource[:logonaccount] == 'LocalSystem'
+
+        account_info = @resource[:logonaccount].split("\\")
+        able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], value, account_info[0]) unless is_a_predefined_local_account
+
+        raise Puppet::Error.new("The given password is invalid for user '#{@resource[:logonaccount]}'.") unless is_a_predefined_local_account || able_to_logon
+
+        provider.logonpassword=(value)
+      end
+
+      sensitive true
+      defaultto { @resource[:logonaccount] ? "" : nil }
+    end
+
     newproperty(:flags, :required_features => :flaggable) do
       desc "Specify a string of flags to pass to the startup script."
     end