puppet 6.18.0-universal-darwin → 6.21.1-universal-darwin

data/lib/puppet/provider/package/aptitude.rb

@@ -26,4 +26,10 @@ Puppet::Type.type(:package).provide :aptitude, :parent => :apt, :source => :dpkg
   def purge
     aptitude '-y', 'purge', @resource[:name]
   end
+
+  private
+
+  def source
+    nil
+  end
 end

data/lib/puppet/provider/package/dpkg.rb

@@ -74,7 +74,7 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
       elsif ['config-files', 'half-installed', 'unpacked', 'half-configured'].include?(hash[:status])
         hash[:ensure] = :absent
       end
-      hash[:mark] = :hold if hash[:desired] == 'hold'
+      hash[:mark] = hash[:desired] == 'hold' ? :hold : :none
     else
       Puppet.debug("Failed to match dpkg-query line #{line.inspect}")
     end

data/lib/puppet/provider/package/pip2.rb

@@ -0,0 +1,17 @@
+# Puppet package provider for Python's `pip2` package management frontend.
+# <http://pip.pypa.io/>
+
+Puppet::Type.type(:package).provide :pip2,
+  :parent => :pip do
+
+  desc "Python packages via `pip2`.
+
+  This provider supports the `install_options` attribute, which allows command-line flags to be passed to pip2.
+  These options should be specified as an array where each element is either a string or a hash."
+
+  has_feature :installable, :uninstallable, :upgradeable, :versionable, :install_options, :targetable
+
+  def self.cmd
+    ["pip2"]
+  end
+end

data/lib/puppet/provider/package/puppetserver_gem.rb

@@ -0,0 +1,180 @@
+unless Puppet::Util::Platform.jruby_fips?
+  require 'rubygems/commands/list_command'
+end
+require 'stringio'
+require 'uri'
+
+# Ruby gems support.
+Puppet::Type.type(:package).provide :puppetserver_gem, :parent => :gem do
+  desc "Puppet Server Ruby Gem support. If a URL is passed via `source`, then
+    that URL is appended to the list of remote gem repositories which by default
+    contains rubygems.org; To ensure that only the specified source is used also
+    pass `--clear-sources` in via `install_options`; if a source is present but
+    is not a valid URL, it will be interpreted as the path to a local gem file.
+    If source is not present at all, the gem will be installed from the default
+    gem repositories."
+
+  has_feature :versionable, :install_options, :uninstall_options
+
+  confine :feature => :hocon
+  # see SERVER-2578
+  confine :fips_enabled => false
+
+  # Define the default provider package command name, as the parent 'gem' provider is targetable.
+  # Required by Puppet::Provider::Package::Targetable::resource_or_provider_command
+
+  def self.provider_command
+    command(:puppetservercmd)
+  end
+
+  # The gem command uses HOME to locate a gemrc file.
+  # CommandDefiner in provider.rb will set failonfail, combine, and environment.
+
+  has_command(:puppetservercmd, '/opt/puppetlabs/bin/puppetserver') do
+    environment(HOME: ENV['HOME'])
+  end
+
+  def self.gemlist(options)
+    command_options = ['gem', 'list']
+
+    if options[:local]
+      command_options << '--local'
+    else
+      command_options << '--remote'
+    end
+
+    if options[:source]
+      command_options << '--source' << options[:source]
+    end
+
+    if options[:justme]
+      gem_regex = '\A' + options[:justme] + '\z'
+      command_options << gem_regex
+    end
+
+    if options[:local]
+      list = execute_rubygems_list_command(gem_regex)
+    else
+      begin
+        list = puppetservercmd(command_options)
+      rescue Puppet::ExecutionFailure => detail
+        raise Puppet::Error, _("Could not list gems: %{detail}") % { detail: detail }, detail.backtrace
+      end
+    end
+
+    # When `/tmp` is mounted `noexec`, `puppetserver gem list` will output:
+    # *** LOCAL GEMS ***
+    # causing gemsplit to output:
+    # Warning: Could not match *** LOCAL GEMS ***
+    gem_list = list
+                 .lines
+                 .select { |x| x =~ /^(\S+)\s+\((.+)\)/ }
+                 .map { |set| gemsplit(set) }
+
+    if options[:justme]
+      return gem_list.shift
+    else
+      return gem_list
+    end
+  end
+
+  def install(useversion = true)
+    command_options = ['gem', 'install']
+    command_options += install_options if resource[:install_options]
+
+    command_options << '-v' << resource[:ensure] if (!resource[:ensure].is_a? Symbol) && useversion
+
+    command_options << '--no-document'
+
+    if resource[:source]
+      begin
+        uri = URI.parse(resource[:source])
+      rescue => detail
+        self.fail Puppet::Error, _("Invalid source '%{uri}': %{detail}") % { uri: uri, detail: detail }, detail
+      end
+
+      case uri.scheme
+      when nil
+        # no URI scheme => interpret the source as a local file
+        command_options << resource[:source]
+      when /file/i
+        command_options << uri.path
+      when 'puppet'
+        # we don't support puppet:// URLs (yet)
+        raise Puppet::Error.new(_('puppet:// URLs are not supported as gem sources'))
+      else
+        # interpret it as a gem repository
+        command_options << '--source' << "#{resource[:source]}" << resource[:name]
+      end
+    else
+      command_options << resource[:name]
+    end
+
+    output = puppetservercmd(command_options)
+    # Apparently, some gem versions don't exit non-0 on failure.
+    self.fail _("Could not install: %{output}") % { output: output.chomp } if output.include?('ERROR')
+  end
+
+  def uninstall
+    command_options = ['gem', 'uninstall']
+    command_options << '--executables' << '--all' << resource[:name]
+    command_options += uninstall_options if resource[:uninstall_options]
+
+    output = puppetservercmd(command_options)
+    # Apparently, some gem versions don't exit non-0 on failure.
+    self.fail _("Could not uninstall: %{output}") % { output: output.chomp } if output.include?('ERROR')
+  end
+
+  private
+
+  # The puppetserver gem cli command is very slow, since it starts a JVM.
+  #
+  # Instead, for the list subcommand (which is executed with every puppet run),
+  # use the rubygems library from puppet ruby: setting GEM_HOME and GEM_PATH
+  # to the default values, or the values in the puppetserver configuration file.
+  #
+  # The rubygems library cannot access java platform gems,
+  # for example: json (1.8.3 java)
+  # but java platform gems should not be managed by this (or any) provider.
+
+  def self.execute_rubygems_list_command(gem_regex)
+    puppetserver_default_gem_home            = '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
+    puppetserver_default_vendored_jruby_gems = '/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems'
+    puppet_default_vendor_gems               = '/opt/puppetlabs/puppet/lib/ruby/vendor_gems'
+    puppetserver_default_gem_path = [puppetserver_default_gem_home, puppetserver_default_vendored_jruby_gems, puppet_default_vendor_gems].join(':')
+
+    pe_puppetserver_conf_file = '/etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf'
+    os_puppetserver_conf_file = '/etc/puppetlabs/puppetserver/puppetserver.conf'
+    puppetserver_conf_file = Facter.value(:pe_server_version) ? pe_puppetserver_conf_file : os_puppetserver_conf_file
+    puppetserver_conf = Hocon.load(puppetserver_conf_file)
+
+    gem_env = {}
+    if puppetserver_conf.empty? || puppetserver_conf.key?('jruby-puppet') == false
+      gem_env['GEM_HOME'] = puppetserver_default_gem_home
+      gem_env['GEM_PATH'] = puppetserver_default_gem_path
+    else
+      gem_env['GEM_HOME'] = puppetserver_conf['jruby-puppet'].key?('gem-home') ? puppetserver_conf['jruby-puppet']['gem-home'] : puppetserver_default_gem_home
+      gem_env['GEM_PATH'] = puppetserver_conf['jruby-puppet'].key?('gem-path') ? puppetserver_conf['jruby-puppet']['gem-path'].join(':') : puppetserver_default_gem_path
+    end
+    gem_env['GEM_SPEC_CACHE'] = "/tmp/#{$$}"
+    Gem.paths = gem_env
+
+    sio_inn = StringIO.new
+    sio_out = StringIO.new
+    sio_err = StringIO.new
+    stream_ui = Gem::StreamUI.new(sio_inn, sio_out, sio_err, false)
+    gem_list_cmd = Gem::Commands::ListCommand.new
+    gem_list_cmd.options[:domain] = :local
+    gem_list_cmd.options[:args] = [gem_regex] if gem_regex
+    gem_list_cmd.ui = stream_ui
+    gem_list_cmd.execute
+
+    # There is no method exclude default gems from the local gem list,
+    # for example: psych (default: 2.2.2)
+    # but default gems should not be managed by this (or any) provider.
+    gem_list = sio_out.string.lines.reject { |gem| gem =~ / \(default\: / }
+    gem_list.join("\n")
+  ensure
+    Gem.clear_paths
+  end
+end

data/lib/puppet/provider/package/yum.rb

@@ -328,6 +328,7 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
       return "#{upd[:epoch]}:#{upd[:version]}-#{upd[:release]}"
     else
       # Yum didn't find updates, pretend the current version is the latest
+      self.debug "Yum didn't find updates, current version (#{properties[:ensure]}) is the latest"
       version = properties[:ensure]
       raise Puppet::DevError, _("Tried to get latest on a missing package") if version == :absent || version == :purged
       return version

data/lib/puppet/provider/service/debian.rb

@@ -17,6 +17,8 @@ Puppet::Type.type(:service).provide :debian, :parent => :init do
   commands :invoke_rc => "/usr/sbin/invoke-rc.d"
   commands :service => "/usr/sbin/service"
 
+  confine :false => Puppet::FileSystem.exist?('/proc/1/comm') && Puppet::FileSystem.read('/proc/1/comm').include?('systemd')
+
   defaultfor :operatingsystem => :cumuluslinux, :operatingsystemmajrelease => ['1','2']
   defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ['5','6','7']
   defaultfor :operatingsystem => :devuan

data/lib/puppet/provider/user/aix.rb

@@ -178,7 +178,7 @@ Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
       # does not have a password.
       break if line =~ /^\S+:$/
 
-      match_obj = /password = (\S+)/.match(line)
+      match_obj = /password\s+=\s+(\S+)/.match(line)
     end
     return :absent unless match_obj
 
@@ -211,7 +211,7 @@ Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
       tempfile = Tempfile.new("puppet_#{user}_pw", :encoding => Encoding::ASCII)
       tempfile << "#{user}:#{value}\n"
       tempfile.close()
-  
+
       # Options '-e', '-c', use encrypted password and clear flags
       # Must receive "user:enc_password" as input
       # command, arguments = {:failonfail => true, :combine => true}

data/lib/puppet/provider/user/useradd.rb

@@ -59,23 +59,37 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
      get(:uid)
   end
 
+  def gid
+     return localgid if @resource.forcelocal?
+     get(:gid)
+  end
+
   def comment
      return localcomment if @resource.forcelocal?
      get(:comment)
   end
 
+  def groups
+     return localgroups if @resource.forcelocal?
+     super
+  end
+
   def finduser(key, value)
-    passwd_file = "/etc/passwd"
+    passwd_file = '/etc/passwd'
     passwd_keys = [:account, :password, :uid, :gid, :gecos, :directory, :shell]
-    index = passwd_keys.index(key)
-    @passwd_content ||= File.read(passwd_file)
-    @passwd_content.each_line do |line|
-      user = line.split(":")
-      if user[index] == value
-        return Hash[passwd_keys.zip(user)]
+
+    unless @users
+      unless Puppet::FileSystem.exist?(passwd_file)
+        raise Puppet::Error.new("Forcelocal set for user resource '#{resource[:name]}', but #{passwd_file} does not exist")
+      end
+
+      @users = []
+      Puppet::FileSystem.each_line(passwd_file) do |line|
+        user = line.chomp.split(':')
+        @users << Hash[passwd_keys.zip(user)]
       end
     end
-    false
+    @users.find { |param| param[key] == value } || false
   end
 
   def local_username
@@ -88,16 +102,56 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     false
   end
 
+  def localgid
+    user = finduser(:account, resource[:name])
+    if user
+      begin
+        return Integer(user[:gid])
+      rescue ArgumentError
+        Puppet.debug("Non-numeric GID found in /etc/passwd for user #{resource[:name]}")
+        return user[:gid]
+      end
+    end
+    false
+  end
+
   def localcomment
     user = finduser(:account, resource[:name])
     user[:gecos]
   end
 
+  def localgroups
+    @groups_of ||= {}
+    group_file = '/etc/group'
+    user = resource[:name]
+
+    return @groups_of[user] if @groups_of[user]
+
+    @groups_of[user] = []
+
+    unless Puppet::FileSystem.exist?(group_file)
+      raise Puppet::Error.new("Forcelocal set for user resource '#{user}', but #{group_file} does not exist")
+    end
+
+    Puppet::FileSystem.each_line(group_file) do |line|
+      data = line.chomp.split(':')
+      if data.last.split(',').include?(user)
+        @groups_of[user] << data.first
+      end
+    end
+
+    @groups_of[user]
+  end
+
   def shell=(value)
     check_valid_shell
     set(:shell, value)
   end
 
+  def groups=(value)
+    set(:groups, value)
+  end
+
   verify :gid, "GID must be an integer" do |value|
     value.is_a? Integer
   end

data/lib/puppet/reference/configuration.rb

@@ -55,11 +55,12 @@ config.header = <<EOT
 * Each of these settings can be specified in `puppet.conf` or on the
   command line.
 * Puppet Enterprise (PE) and open source Puppet share the configuration settings
-  that are documented here. However, PE defaults for some settings differ from
-  the open source Puppet defaults. Some examples of settings that have different
-  PE defaults include `disable18n`, `environment_timeout`, `always_retry_plugins`,
-  and the Puppet Server JRuby `max-active-instances` setting. To verify PE
-  configuration defaults, check the `puppet.conf` file after installation.
+  documented here. However, PE defaults differ from open source defaults for some 
+  settings, such as `node_terminus`, `storeconfigs`, `always_retry_plugins`, 
+  `disable18n`, `environment_timeout` (when Code Manager is enabled), and the 
+  Puppet Server JRuby `max-active-instances` setting. To verify PE configuration 
+  defaults, check the `puppet.conf` or `pe-puppet-server.conf` file after 
+  installation.
 * When using boolean settings on the command line, use `--setting` and
   `--no-setting` instead of `--setting (true|false)`. (Using `--setting false`
   results in "Error: Could not parse application options: needless argument".)

data/lib/puppet/resource/type.rb

@@ -34,7 +34,7 @@ class Puppet::Resource::Type
   DOUBLE_COLON = '::'.freeze
   EMPTY_ARRAY = [].freeze
 
-  attr_accessor :file, :line, :doc, :code, :parent, :resource_type_collection
+  attr_accessor :file, :line, :doc, :code, :parent, :resource_type_collection, :override
   attr_reader :namespace, :arguments, :behaves_like, :module_name
 
   # The attributes 'produces' and 'consumes' are arrays of the blueprints
@@ -63,6 +63,7 @@ class Puppet::Resource::Type
   # Are we a child of the passed class?  Do a recursive search up our
   # parentage tree to figure it out.
   def child_of?(klass)
+    return true if override
     return false unless parent
 
     return(klass == parent_type ? true : parent_type.child_of?(klass))

data/lib/puppet/rest/route.rb

@@ -14,11 +14,11 @@ module Puppet::Rest
     #                 construction
     # @param [Symbol] server_setting the setting to check for special
     #                 server configuration
-    # @param [Symbol] port_setting the setting to check for speical
+    # @param [Symbol] port_setting the setting to check for special
     #                  port configuration
     # @param [Symbol] srv_service the name of the service when using SRV
     #                 records
-    def initialize(api:, server_setting: :server, port_setting: :masterport, srv_service: :puppet)
+    def initialize(api:, server_setting: :server, port_setting: :serverport, srv_service: :puppet)
       @api = api
       @default_server = Puppet::Util::Connection.determine_server(server_setting)
       @default_port = Puppet::Util::Connection.determine_port(port_setting, server_setting)

data/lib/puppet/settings.rb

@@ -32,6 +32,7 @@ class Puppet::Settings
   require 'puppet/settings/server_list_setting'
   require 'puppet/settings/http_extra_headers_setting'
   require 'puppet/settings/certificate_revocation_setting'
+  require 'puppet/settings/alias_setting'
 
   # local reference for convenience
   PuppetOptionParser = Puppet::Util::CommandLine::PuppetOptionParser
@@ -44,7 +45,7 @@ class Puppet::Settings
   REQUIRED_APP_SETTINGS = [:logdir, :confdir, :vardir, :codedir]
 
   # The acceptable sections of the puppet.conf configuration file.
-  ALLOWED_SECTION_NAMES = ['main', 'master', 'agent', 'user'].freeze
+  ALLOWED_SECTION_NAMES = ['main', 'server', 'master', 'agent', 'user'].freeze
 
   NONE = 'none'.freeze
 
@@ -330,7 +331,7 @@ class Puppet::Settings
     end
 
     option_parser.on('--run_mode',
-                     "The effective 'run mode' of the application: master, agent, or user.",
+                     "The effective 'run mode' of the application: server, agent, or user.",
                      :REQUIRED) do |arg|
       Puppet.settings.preferred_run_mode = arg
     end
@@ -564,7 +565,7 @@ class Puppet::Settings
   # @api private
   def preferred_run_mode=(mode)
     mode = mode.to_s.downcase.intern
-    raise ValidationError, "Invalid run mode '#{mode}'" unless [:master, :agent, :user].include?(mode)
+    raise ValidationError, "Invalid run mode '#{mode}'" unless [:server, :master, :agent, :user].include?(mode)
     @preferred_run_mode_name = mode
     # Changing the run mode has far-reaching consequences. Flush any cached
     # settings so they will be re-generated.
@@ -659,7 +660,7 @@ class Puppet::Settings
     if explicit_config_file?
       return self[:config]
     else
-      return File.join(Puppet::Util::RunMode[:master].conf_dir, config_file_name)
+      return File.join(Puppet::Util::RunMode[:server].conf_dir, config_file_name)
     end
   end
   private :main_config_file
@@ -729,7 +730,8 @@ class Puppet::Settings
       :autosign   => AutosignSetting,
       :server_list => ServerListSetting,
       :http_extra_headers => HttpExtraHeadersSetting,
-      :certificate_revocation => CertificateRevocationSetting
+      :certificate_revocation => CertificateRevocationSetting,
+      :alias => AliasSetting
   }
 
   # Create a new setting.  The value is passed in because it's used to determine
@@ -829,7 +831,16 @@ class Puppet::Settings
       SearchPathElement.new(:cli, :values),
     ]
     searchpath << SearchPathElement.new(environment.intern, :environment) if environment
-    searchpath << SearchPathElement.new(run_mode, :section) if run_mode
+
+    if run_mode
+      if [:master, :server].include?(run_mode)
+        searchpath << SearchPathElement.new(:server, :section)
+        searchpath << SearchPathElement.new(:master, :section)
+      else
+        searchpath << SearchPathElement.new(run_mode, :section)
+      end
+    end
+
     searchpath << SearchPathElement.new(:main, :section)
   end
 
@@ -907,6 +918,16 @@ class Puppet::Settings
     end
   end
 
+  # Allow later inspection to determine if the setting was set by user
+  # config, rather than a default setting.
+  def set_in_section?(param, section)
+    param = param.to_sym
+    vals = searchpath_values(SearchPathElement.new(section, :section))
+    if vals
+      vals.lookup(param)
+    end
+  end
+
   # Patches the value for a param in a section.
   # This method is required to support the use case of unifying --dns-alt-names and
   # --dns_alt_names in the certificate face. Ideally this should be cleaned up.
@@ -1053,6 +1074,11 @@ Generated on #{Time.now}.
   # Create the necessary objects to use a section.  This is idempotent;
   # you can 'use' a section as many times as you want.
   def use(*sections)
+    Puppet.warning(":master section deprecated in favor of :server section") if sections.include?(:master)
+
+    # add :server if sections include :master or :master if sections include :server
+    sections |= [:master, :server] if (sections & [:master, :server]).any?
+
     sections = sections.collect { |s| s.to_sym }
     sections = sections.reject { |s| @used.include?(s) }
 
@@ -1236,27 +1262,37 @@ Generated on #{Time.now}.
   end
 
   def add_environment_resources(catalog, sections)
-    path = self[:environmentpath]
-    envdir = path.split(File::PATH_SEPARATOR).first if path
     configured_environment = self[:environment]
-    if configured_environment == "production" && envdir && Puppet::FileSystem.exist?(envdir)
-      configured_environment_path = File.join(envdir, configured_environment)
-      # If configured_environment_path is a symlink, assume the source path is being managed
-      # elsewhere, so don't do any of this configuration
-      if !Puppet::FileSystem.symlink?(configured_environment_path)
+
+    if configured_environment == "production" && !production_environment_exists?
+      environment_path = self[:environmentpath]
+      first_environment_path = environment_path.split(File::PATH_SEPARATOR).first
+
+      if Puppet::FileSystem.exist?(first_environment_path)
+        production_environment_path = File.join(first_environment_path, configured_environment)
         parameters = { :ensure => 'directory' }
-        unless Puppet::FileSystem.exist?(configured_environment_path)
-          parameters[:mode] = '0750'
-          if Puppet.features.root?
-            parameters[:owner] = Puppet[:user] if service_user_available?
-            parameters[:group] = Puppet[:group] if service_group_available?
-          end
+        parameters[:mode] = '0750'
+        if Puppet.features.root?
+          parameters[:owner] = Puppet[:user] if service_user_available?
+          parameters[:group] = Puppet[:group] if service_group_available?
         end
-        catalog.add_resource(Puppet::Resource.new(:file, configured_environment_path, :parameters => parameters))
+        catalog.add_resource(Puppet::Resource.new(:file, production_environment_path, :parameters => parameters))
       end
     end
   end
 
+  def production_environment_exists?
+    environment_path = self[:environmentpath]
+    paths = environment_path.split(File::PATH_SEPARATOR)
+
+    paths.any? do |path|
+      # If expected_path is a symlink, assume the source path is being managed
+      # elsewhere, so accept it also as a valid production environment path
+      expected_path = File.join(path, 'production')
+      Puppet::FileSystem.directory?(expected_path) || Puppet::FileSystem.symlink?(expected_path)
+    end
+  end
+
   def add_user_resources(catalog, sections)
     return unless Puppet.features.root?
     return if Puppet::Util::Platform.windows?
@@ -1357,6 +1393,12 @@ Generated on #{Time.now}.
         end
       end
 
+      setting  = @defaults[name]
+      if setting.respond_to?(:alias_name)
+        val  = lookup(setting.alias_name)
+        return val if val
+      end
+
       @defaults[name].default
     end