puppet 6.17.0-x64-mingw32 → 6.18.0-x64-mingw32

data/lib/puppet/ssl/validator/default_validator.rb

@@ -104,7 +104,7 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
         crl = store_context.current_crl
         if crl
           if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
-            Puppet.debug("Ignoring CRL not yet valid, current time #{Time.now.utc}, CRL last updated #{crl.last_update.utc}")
+            Puppet.debug { "Ignoring CRL not yet valid, current time #{Time.now.utc}, CRL last updated #{crl.last_update.utc}" }
             preverify_ok = true
           else
             @verify_errors << "#{error_string} for #{crl.issuer.to_utf8}"

data/lib/puppet/test/test_helper.rb

@@ -120,8 +120,11 @@ module Puppet::Test
       indirections = Puppet::Indirector::Indirection.send(:class_variable_get, :@@indirections)
       indirections.each do |indirector|
         $saved_indirection_state[indirector.name] = {
-            :@terminus_class => indirector.instance_variable_get(:@terminus_class).value,
-            :@cache_class    => indirector.instance_variable_get(:@cache_class).value
+          :@terminus_class => indirector.instance_variable_get(:@terminus_class).value,
+          :@cache_class    => indirector.instance_variable_get(:@cache_class).value,
+          # dup the termini hash so termini created and registered during
+          # the test aren't stored in our saved_indirection_state
+          :@termini        => indirector.instance_variable_get(:@termini).dup
         }
       end
 
@@ -176,7 +179,11 @@ module Puppet::Test
       indirections = Puppet::Indirector::Indirection.send(:class_variable_get, :@@indirections)
       indirections.each do |indirector|
         $saved_indirection_state.fetch(indirector.name, {}).each do |variable, value|
-          indirector.instance_variable_get(variable).value = value
+          if variable == :@termini
+            indirector.instance_variable_set(variable, value)
+          else
+            indirector.instance_variable_get(variable).value = value
+          end
         end
       end
       $saved_indirection_state = nil

data/lib/puppet/transaction.rb

@@ -202,7 +202,7 @@ class Puppet::Transaction
     # mark the end of transaction evaluate.
     report.transaction_completed = true
 
-    Puppet.debug "Finishing transaction #{object_id}"
+    Puppet.debug { "Finishing transaction #{object_id}" }
   end
 
   # Wraps application run state check to flag need to interrupt processing
@@ -373,7 +373,7 @@ class Puppet::Transaction
     type_name = provider_class.resource_type.name
     return if @prefetched_providers[type_name][provider_class.name] ||
       @prefetch_failed_providers[type_name][provider_class.name]
-    Puppet.debug "Prefetching #{provider_class.name} resources for #{type_name}"
+    Puppet.debug { "Prefetching #{provider_class.name} resources for #{type_name}" }
     begin
       provider_class.prefetch(resources)
     rescue LoadError, Puppet::MissingCommand => detail

data/lib/puppet/transaction/persistence.rb

@@ -62,7 +62,7 @@ class Puppet::Transaction::Persistence
     result = nil
     Puppet::Util.benchmark(:debug, _("Loaded transaction store file in %{seconds} seconds")) do
       begin
-        result = Puppet::Util::Yaml.safe_load_file(filename, [Symbol])
+        result = Puppet::Util::Yaml.safe_load_file(filename, [Symbol, Time])
       rescue Puppet::Util::Yaml::YamlLoadError => detail
         Puppet.log_exception(detail, _("Transaction store file %{filename} is corrupt (%{detail}); replacing") % { filename: filename, detail: detail })
 

data/lib/puppet/transaction/report.rb

@@ -122,7 +122,7 @@ class Puppet::Transaction::Report
 
   # @!attribute [r] corrective_change
   #   @return [Boolean] true if the report contains any events and resources that had
-  #      corrective changes.
+  #      corrective changes, including noop corrective changes.
   attr_reader :corrective_change
 
   # @return [Boolean] true if one or more resources attempted to generate

data/lib/puppet/trusted_external.rb

@@ -3,7 +3,7 @@ module Puppet::TrustedExternal
   def retrieve(certname)
     command = Puppet[:trusted_external_command]
     return nil unless command
-    Puppet.debug _("Retrieving trusted external data from %{command}") % {command: command}
+    Puppet.debug { _("Retrieving trusted external data from %{command}") % {command: command} }
     setting_type = Puppet.settings.setting(:trusted_external_command).type
     if setting_type == :file
       return fetch_data(command, certname)
@@ -17,7 +17,7 @@ module Puppet::TrustedExternal
       abs_path = Puppet::FileSystem.expand_path(file)
       executable_file = Puppet::FileSystem.file?(abs_path) && Puppet::FileSystem.executable?(abs_path)
       unless executable_file
-        Puppet.debug _("Skipping non-executable file %{file}")  % { file: abs_path }
+        Puppet.debug { _("Skipping non-executable file %{file}")  % { file: abs_path } }
         next
       end
       basename = file.basename(file.extname).to_s

data/lib/puppet/type.rb

@@ -1212,8 +1212,9 @@ class Type
         title = instance.respond_to?(:title) ? instance.title : instance.name
         other = provider_instances[title]
         if other
-          Puppet.debug "%s %s found in both %s and %s; skipping the %s version" %
-            [self.name.to_s.capitalize, title, other.class.name, instance.class.name, instance.class.name]
+          Puppet.debug {
+            "%s %s found in both %s and %s; skipping the %s version" % [self.name.to_s.capitalize, title, other.class.name, instance.class.name, instance.class.name]
+          }
           next
         end
         provider_instances[title] = instance
@@ -1895,7 +1896,7 @@ end
     name = name.intern
 
     if unprovide(name)
-      Puppet.debug "Reloading #{name} #{self.name} provider"
+      Puppet.debug { "Reloading #{name} #{self.name} provider" }
     end
 
     pname = options[:parent]

data/lib/puppet/type/file.rb

@@ -116,9 +116,9 @@ Puppet::Type.newtype(:file) do
         that sufficient disk space is available for the file backups. Generally, you 
         can implement this using one of the following two options:
         - Use a `find` command and `crontab` entry to retain only the last X days 
-        of file backups. For example,
+        of file backups. For example:
         
-        ```shell script
+        ```
         find /opt/puppetlabs/server/data/puppetserver/bucket -type f -mtime +45 -atime +45 -print0 | xargs -0 rm
         ```
         

data/lib/puppet/type/file/source.rb

@@ -23,7 +23,7 @@ module Puppet
       * Fully qualified paths to locally available files (including files on NFS
       shares or Windows mapped drives).
       * `file:` URIs, which behave the same as local file paths.
-      * `http:` URIs, which point to files served by common web servers.
+      * `http(s):` URIs, which point to files served by common web servers.
 
       The normal form of a `puppet:` URI is:
 
@@ -44,11 +44,26 @@ module Puppet
       because HTTP servers do not transfer any metadata that translates to
       ownership or permission details.
 
-      The `http` source uses the server `Content-MD5` header as a checksum to
-      determine if the remote file has changed. If the server response does not
-      include that header, Puppet defaults to using the `Last-Modified` header.
-      Puppet will update the local file if the header is newer than the modified
-      time (mtime) of the local file.
+      Puppet determines if file content is synchronized by computing a checksum
+      for the local file and comparing it against the `checksum_value`
+      parameter. If the `checksum_value` parameter is not specified for
+      `puppet` and `file` sources, Puppet computes a checksum based on its
+      `Puppet[:digest_algorithm]`. For `http(s)` sources, Puppet uses the
+      first HTTP header it recognizes out of the following list:
+      `X-Checksum-Sha256`, `X-Checksum-Sha1`, `X-Checksum-Md5` or `Content-MD5`.
+      If the server response does not include one of these headers, Puppet
+      defaults to using the `Last-Modified` header. Puppet updates the local
+      file if the header is newer than the modified time (mtime) of the local
+      file.
+
+      _HTTP_ URIs can include a user information component so that Puppet can
+      retrieve file metadata and content from HTTP servers that require HTTP Basic
+      authentication. For example `https://<user>:<pass>@<server>:<port>/path/to/file.`
+
+      When connecting to _HTTPS_ servers, Puppet trusts CA certificates in the
+      puppet-agent certificate bundle and the Puppet CA. You can configure Puppet
+      to trust additional CA certificates using the `Puppet[:ssl_trust_store]`
+      setting.
 
       Multiple `source` values can be specified as an array, and Puppet will
       use the first source that exists. This can be used to serve different
@@ -307,7 +322,12 @@ module Puppet
 
     def chunk_file_from_source(&block)
       if uri.scheme =~ /^https?/
-        get_from_http_source(uri, &block)
+        # Historically puppet has not encoded the http(s) source URL before parsing
+        # it, for example, if the path contains spaces, then it must be URL encoded
+        # as %20 in the manifest. Puppet behaves the same when retrieving file
+        # metadata via http(s), see Puppet::Indirector::FileMetadata::Http#find.
+        url = URI.parse(metadata.source)
+        get_from_http_source(url, &block)
       elsif metadata.content_uri
         content_url = URI.parse(Puppet::Util.uri_encode(metadata.content_uri))
         get_from_content_uri_source(content_url, &block)

data/lib/puppet/type/notify.rb

@@ -4,12 +4,12 @@
 
 module Puppet
   Type.newtype(:notify) do
-    @doc = "Sends an arbitrary message to the agent run-time log. It's important to note that the notify resource type is not idempotent. As a result, notifications are shown as a change on every Puppet run."
+    @doc = "Sends an arbitrary message, specified as a string, to the agent run-time log. It's important to note that the notify resource type is not idempotent. As a result, notifications are shown as a change on every Puppet run."
 
     apply_to_all
 
     newproperty(:message, :idempotent => false) do
-      desc "The message to be sent to the log."
+      desc "The message to be sent to the log. Note that the value specified must be a string."
       def sync
         message = @sensitive ? 'Sensitive [value redacted]' : self.should
         case @resource["withpath"]

data/lib/puppet/type/service.rb

@@ -147,6 +147,10 @@ module Puppet
         user_information = Puppet::Util::Windows::SID.name_to_principal(value)
         raise Puppet::Error.new("\"#{value}\" is not a valid account") unless user_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(user_information.account_type)
 
+        user_rights = Puppet::Util::Windows::User::get_rights(user_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(value)
+        raise Puppet::Error.new("\"#{user_information.domain_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
+        raise Puppet::Error.new("\"#{user_information.domain_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
+
         if user_information.domain == Puppet::Util::Windows::ADSI.computer_name
           ".\\#{user_information.account}"
         else

data/lib/puppet/type/user.rb

@@ -40,7 +40,10 @@ module Puppet
        implement PBKDF2 passwords with salt properties."
 
     feature :manages_solaris_rbac,
-      "The provider can manage roles and normal users"
+      "The provider can manage normal users"
+
+    feature :manages_roles,
+      "The provider can manage roles"
 
     feature :manages_expiry,
       "The provider can manage the expiry date for a user."
@@ -97,6 +100,18 @@ module Puppet
           return :absent
         end
       end
+
+      def sync
+        event = super
+
+        property = @resource.property(:roles)
+        if property
+          val = property.retrieve
+          property.sync unless property.safe_insync?(val)
+        end
+
+        event
+      end
     end
 
     newproperty(:home) do
@@ -493,7 +508,7 @@ module Puppet
       provider.exists?
     end
 
-    newproperty(:roles, :parent => Puppet::Property::List, :required_features => :manages_solaris_rbac) do
+    newproperty(:roles, :parent => Puppet::Property::List, :required_features => :manages_roles) do
       desc "The roles the user has.  Multiple roles should be
         specified as an array."
 
@@ -520,7 +535,7 @@ module Puppet
       end
 
       reqs
-    end
+    end unless Puppet::Util::Platform.windows?
 
     newparam(:role_membership) do
       desc "Whether specified roles should be considered the **complete list**

data/lib/puppet/util.rb

@@ -26,20 +26,21 @@ module Util
 
   extend Puppet::Util::SymbolicFileMode
 
-  DEFAULT_ENV = if Puppet::Util::Platform.windows?
-                  :windows
-                else
-                  :posix
-                end.freeze
+  def default_env
+    Puppet.features.microsoft_windows? ?
+      :windows :
+      :posix
+  end
+  module_function :default_env
 
   # @param name [String] The name of the environment variable to retrieve
   # @param mode [Symbol] Which operating system mode to use e.g. :posix or :windows.  Use nil to autodetect
   # @return [String] Value of the specified environment variable.  nil if it does not exist
   # @api private
-  def get_env(name, mode = DEFAULT_ENV)
+  def get_env(name, mode = default_env)
     if mode == :windows
-      Puppet::Util::Windows::Process.get_environment_strings.find do |key, value|
-        if name.casecmp(key) == 0
+      Puppet::Util::Windows::Process.get_environment_strings.each do |key, value |
+        if name.casecmp(key) == 0 then
           return value
         end
       end
@@ -53,7 +54,7 @@ module Util
   # @param mode [Symbol] Which operating system mode to use e.g. :posix or :windows.  Use nil to autodetect
   # @return [Hash] A hashtable of all environment variables
   # @api private
-  def get_environment(mode = DEFAULT_ENV)
+  def get_environment(mode = default_env)
     case mode
       when :posix
         ENV.to_hash
@@ -68,7 +69,7 @@ module Util
   # Removes all environment variables
   # @param mode [Symbol] Which operating system mode to use e.g. :posix or :windows.  Use nil to autodetect
   # @api private
-  def clear_environment(mode = DEFAULT_ENV)
+  def clear_environment(mode = default_env)
     case mode
       when :posix
         ENV.clear
@@ -86,7 +87,7 @@ module Util
   # @param value [String] The value to set the variable to.  nil deletes the environment variable
   # @param mode [Symbol] Which operating system mode to use e.g. :posix or :windows.  Use nil to autodetect
   # @api private
-  def set_env(name, value = nil, mode = DEFAULT_ENV)
+  def set_env(name, value = nil, mode = default_env)
     case mode
       when :posix
         ENV[name] = value
@@ -101,7 +102,7 @@ module Util
   # @param name [Hash] Environment variables to merge into the existing environment.  nil values will remove the variable
   # @param mode [Symbol] Which operating system mode to use e.g. :posix or :windows.  Use nil to autodetect
   # @api private
-  def merge_environment(env_hash, mode = DEFAULT_ENV)
+  def merge_environment(env_hash, mode = default_env)
     case mode
       when :posix
         env_hash.each { |name, val| ENV[name.to_s] = val }
@@ -758,6 +759,19 @@ module Util
     Random.new(seed).rand(max)
   end
   module_function :deterministic_rand_int
+
+  # Executes a block of code, wrapped around Facter.load_external(false) and
+  # Facter.load_external(true) which will cause Facter to not evaluate external facts.
+  def skip_external_facts
+    return yield unless Facter.respond_to? :load_external
+    begin
+      Facter.load_external(false)
+      yield
+    ensure
+      Facter.load_external(true)
+    end
+  end
+  module_function :skip_external_facts
 end
 end
 

data/lib/puppet/util/autoload.rb

@@ -10,6 +10,14 @@ require 'puppet/concurrent/synchronized'
 # @api private
 class Puppet::Util::ModuleDirectoriesAdapter < Puppet::Pops::Adaptable::Adapter
   attr_accessor :directories
+
+  def self.create_adapter(env)
+    adapter = super(env)
+    adapter.directories = env.modulepath.flat_map do |dir|
+      Dir.glob(File.join(dir, '*', 'lib'))
+    end
+    adapter
+  end
 end
 
 # Autoload paths, either based on names or all at once.
@@ -119,13 +127,7 @@ class Puppet::Util::Autoload
     def module_directories(env)
       raise ArgumentError, "Autoloader requires an environment" unless env
 
-      Puppet::Util::ModuleDirectoriesAdapter.adapt(env) do |a|
-        a.directories ||= env.modulepath.collect do |dir|
-          Dir.entries(dir).reject { |f| f =~ /^\./ }.collect { |f| File.join(dir, f, "lib") }
-        end.flatten.find_all do |d|
-          FileTest.directory?(d)
-        end
-      end.directories
+      Puppet::Util::ModuleDirectoriesAdapter.adapt(env).directories
     end
 
     # @api private

data/lib/puppet/util/character_encoding.rb

@@ -19,8 +19,9 @@ module Puppet::Util::CharacterEncoding
       begin
         if original_encoding == Encoding::UTF_8
           if !string_copy.valid_encoding?
-            Puppet.debug(_("%{value} is already labeled as UTF-8 but this encoding is invalid. It cannot be transcoded by Puppet.") %
-              { value: string.dump })
+            Puppet.debug {
+              _("%{value} is already labeled as UTF-8 but this encoding is invalid. It cannot be transcoded by Puppet.") % { value: string.dump }
+            }
           end
           # String is already valid UTF-8 - noop
           return string_copy
@@ -40,8 +41,9 @@ module Puppet::Util::CharacterEncoding
         # Catch both our own self-determined failure to transcode as well as any
         # error on ruby's part, ie Encoding::UndefinedConversionError on a
         # failure to encode!.
-        Puppet.debug(_("%{error}: %{value} cannot be transcoded by Puppet.") %
-          { error: detail.inspect, value: string.dump })
+        Puppet.debug {
+          _("%{error}: %{value} cannot be transcoded by Puppet.") % { error: detail.inspect, value: string.dump }
+        }
         return string_copy
       end
     end
@@ -67,7 +69,9 @@ module Puppet::Util::CharacterEncoding
       if string_copy.force_encoding(Encoding::UTF_8).valid_encoding?
         return string_copy
       else
-        Puppet.debug(_("%{value} is not valid UTF-8 and result of overriding encoding would be invalid.") % { value: string.dump })
+        Puppet.debug {
+          _("%{value} is not valid UTF-8 and result of overriding encoding would be invalid.") % { value: string.dump }
+        }
         # Set copy back to its original encoding before returning
         return string_copy.force_encoding(original_encoding)
       end

data/lib/puppet/util/execution.rb

@@ -68,7 +68,7 @@ module Puppet::Util::Execution
     if respond_to? :debug
       debug "Executing '#{command_str}'"
     else
-      Puppet.debug "Executing '#{command_str}'"
+      Puppet.debug { "Executing '#{command_str}'" }
     end
 
     # force the run of the command with
@@ -186,7 +186,7 @@ module Puppet::Util::Execution
     if respond_to? :debug
       debug "Executing#{user_log_s}: '#{command_str}'"
     else
-      Puppet.debug "Executing#{user_log_s}: '#{command_str}'"
+      Puppet.debug { "Executing#{user_log_s}: '#{command_str}'" }
     end
 
     null_file = Puppet::Util::Platform.windows? ? 'NUL' : '/dev/null'

data/lib/puppet/util/windows.rb

@@ -26,6 +26,7 @@ module Puppet::Util::Windows
     require 'win32ole' ; WIN32OLE.codepage = WIN32OLE::CP_UTF8
     # gems
     require 'win32/process'
+    require 'puppet/util/windows/monkey_patches/dir'
     require 'win32/dir'
     require 'win32/service'
 

data/lib/puppet/util/windows/api_types.rb

@@ -60,7 +60,7 @@ module Puppet::Util::Windows::APITypes
 
       str.encode(dst_encoding, str.encoding, encode_options)
     rescue EncodingError => e
-      Puppet.debug "Unable to convert value #{str.nil? ? 'nil' : str.dump} to encoding #{dst_encoding} due to #{e.inspect}"
+      Puppet.debug { "Unable to convert value #{str.nil? ? 'nil' : str.dump} to encoding #{dst_encoding} due to #{e.inspect}" }
       raise
     end
 
@@ -196,6 +196,20 @@ module Puppet::Util::Windows::APITypes
   FFI.typedef :uchar, :byte
   FFI.typedef :uint16, :wchar
 
+  # Definitions for data types used in LSA structures and functions
+  # https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/
+  # https://docs.microsoft.com/sr-latn-rs/windows/win32/secmgmt/management-data-types
+  FFI.typedef :pointer, :pwstr
+  FFI.typedef :pointer, :pulong
+  FFI.typedef :pointer, :lsa_handle
+  FFI.typedef :pointer, :plsa_handle
+  FFI.typedef :pointer, :psid
+  FFI.typedef :pointer, :pvoid
+  FFI.typedef :pointer, :plsa_unicode_string
+  FFI.typedef :pointer, :plsa_object_attributes
+  FFI.typedef :uint32,  :ntstatus
+  FFI.typedef :dword,   :access_mask
+
   module ::FFI::WIN32
     extend ::FFI::Library