RubyGems - puppet - Versions diffs - 6.19.1-x64-mingw32 → 6.23.0-x64-mingw32 - Mend

puppet 6.19.1-x64-mingw32 → 6.23.0-x64-mingw32

Potentially problematic release.

This version of puppet might be problematic. Click here for more details.

Files changed (293) hide show

checksums.yaml +4 -4
data/CODEOWNERS +2 -16
data/Gemfile +3 -1
data/Gemfile.lock +51 -40
data/ext/osx/puppet.plist +2 -0
data/ext/project_data.yaml +2 -2
data/lib/puppet/application.rb +10 -6
data/lib/puppet/application/agent.rb +12 -4
data/lib/puppet/application/apply.rb +4 -2
data/lib/puppet/application/device.rb +2 -0
data/lib/puppet/application/filebucket.rb +2 -2
data/lib/puppet/application/resource.rb +2 -1
data/lib/puppet/application/script.rb +2 -0
data/lib/puppet/application/ssl.rb +11 -0
data/lib/puppet/application_support.rb +7 -0
data/lib/puppet/configurer.rb +28 -18
data/lib/puppet/configurer/downloader.rb +2 -1
data/lib/puppet/defaults.rb +51 -23
data/lib/puppet/environments.rb +54 -55
data/lib/puppet/face/config.rb +10 -0
data/lib/puppet/face/epp.rb +12 -2
data/lib/puppet/face/facts.rb +158 -0
data/lib/puppet/ffi/posix.rb +10 -0
data/lib/puppet/ffi/posix/constants.rb +14 -0
data/lib/puppet/ffi/posix/functions.rb +24 -0
data/lib/puppet/file_serving/fileset.rb +14 -2
data/lib/puppet/file_system/memory_file.rb +8 -1
data/lib/puppet/file_system/windows.rb +2 -0
data/lib/puppet/functions/all.rb +1 -1
data/lib/puppet/functions/camelcase.rb +1 -1
data/lib/puppet/functions/capitalize.rb +2 -2
data/lib/puppet/functions/downcase.rb +2 -2
data/lib/puppet/functions/epp.rb +1 -0
data/lib/puppet/functions/get.rb +5 -5
data/lib/puppet/functions/group_by.rb +13 -5
data/lib/puppet/functions/inline_epp.rb +1 -0
data/lib/puppet/functions/lest.rb +1 -1
data/lib/puppet/functions/new.rb +100 -100
data/lib/puppet/functions/partition.rb +12 -4
data/lib/puppet/functions/require.rb +5 -5
data/lib/puppet/functions/sort.rb +3 -3
data/lib/puppet/functions/tree_each.rb +7 -9
data/lib/puppet/functions/type.rb +4 -4
data/lib/puppet/functions/upcase.rb +2 -2
data/lib/puppet/http/resolver/server_list.rb +15 -4
data/lib/puppet/http/service/compiler.rb +69 -0
data/lib/puppet/http/service/file_server.rb +2 -1
data/lib/puppet/indirector/catalog/compiler.rb +1 -0
data/lib/puppet/indirector/fact_search.rb +60 -0
data/lib/puppet/indirector/facts/facter.rb +24 -3
data/lib/puppet/indirector/facts/json.rb +27 -0
data/lib/puppet/indirector/facts/yaml.rb +3 -58
data/lib/puppet/indirector/file_metadata/rest.rb +1 -0
data/lib/puppet/indirector/json.rb +5 -1
data/lib/puppet/indirector/node/json.rb +8 -0
data/lib/puppet/indirector/report/json.rb +34 -0
data/lib/puppet/module_tool/applications/installer.rb +48 -2
data/lib/puppet/module_tool/errors/shared.rb +17 -2
data/lib/puppet/network/formats.rb +69 -1
data/lib/puppet/network/http/factory.rb +4 -0
data/lib/puppet/pal/pal_impl.rb +70 -17
data/lib/puppet/parser/ast/leaf.rb +3 -2
data/lib/puppet/parser/functions/fqdn_rand.rb +14 -6
data/lib/puppet/parser/templatewrapper.rb +1 -1
data/lib/puppet/pops/evaluator/deferred_resolver.rb +5 -3
data/lib/puppet/pops/evaluator/evaluator_impl.rb +22 -3
data/lib/puppet/pops/model/ast_transformer.rb +1 -1
data/lib/puppet/pops/types/p_sem_ver_type.rb +8 -2
data/lib/puppet/pops/types/p_sensitive_type.rb +10 -0
data/lib/puppet/property/list.rb +1 -1
data/lib/puppet/provider/group/groupadd.rb +13 -8
data/lib/puppet/provider/package/apt.rb +34 -2
data/lib/puppet/provider/package/aptitude.rb +6 -0
data/lib/puppet/provider/package/dnfmodule.rb +1 -1
data/lib/puppet/provider/package/nim.rb +11 -6
data/lib/puppet/provider/service/debian.rb +2 -0
data/lib/puppet/provider/service/systemd.rb +14 -4
data/lib/puppet/provider/service/windows.rb +38 -0
data/lib/puppet/provider/user/aix.rb +2 -2
data/lib/puppet/provider/user/directoryservice.rb +25 -12
data/lib/puppet/provider/user/useradd.rb +62 -8
data/lib/puppet/reference/configuration.rb +7 -6
data/lib/puppet/settings.rb +33 -28
data/lib/puppet/settings/alias_setting.rb +37 -0
data/lib/puppet/settings/base_setting.rb +26 -2
data/lib/puppet/settings/environment_conf.rb +1 -0
data/lib/puppet/transaction/additional_resource_generator.rb +1 -1
data/lib/puppet/type/file.rb +19 -1
data/lib/puppet/type/file/selcontext.rb +1 -1
data/lib/puppet/type/package.rb +3 -3
data/lib/puppet/type/service.rb +18 -38
data/lib/puppet/type/tidy.rb +21 -2
data/lib/puppet/type/user.rb +38 -20
data/lib/puppet/util/autoload.rb +1 -8
data/lib/puppet/util/fact_dif.rb +81 -0
data/lib/puppet/util/monkey_patches.rb +7 -0
data/lib/puppet/util/posix.rb +54 -5
data/lib/puppet/util/rubygems.rb +5 -1
data/lib/puppet/util/selinux.rb +30 -4
data/lib/puppet/util/windows/adsi.rb +46 -0
data/lib/puppet/util/windows/api_types.rb +1 -1
data/lib/puppet/util/windows/principal.rb +9 -2
data/lib/puppet/util/windows/service.rb +1 -1
data/lib/puppet/util/windows/sid.rb +4 -2
data/lib/puppet/version.rb +1 -1
data/locales/puppet.pot +372 -288
data/man/man5/puppet.conf.5 +282 -254
data/man/man8/puppet-agent.8 +2 -2
data/man/man8/puppet-apply.8 +2 -2
data/man/man8/puppet-catalog.8 +1 -1
data/man/man8/puppet-config.8 +1 -1
data/man/man8/puppet-describe.8 +1 -1
data/man/man8/puppet-device.8 +2 -2
data/man/man8/puppet-doc.8 +1 -1
data/man/man8/puppet-epp.8 +1 -1
data/man/man8/puppet-facts.8 +90 -1
data/man/man8/puppet-filebucket.8 +3 -3
data/man/man8/puppet-generate.8 +1 -1
data/man/man8/puppet-help.8 +1 -1
data/man/man8/puppet-key.8 +1 -1
data/man/man8/puppet-lookup.8 +1 -1
data/man/man8/puppet-man.8 +1 -1
data/man/man8/puppet-module.8 +1 -1
data/man/man8/puppet-node.8 +4 -1
data/man/man8/puppet-parser.8 +1 -1
data/man/man8/puppet-plugin.8 +1 -1
data/man/man8/puppet-report.8 +4 -1
data/man/man8/puppet-resource.8 +1 -1
data/man/man8/puppet-script.8 +2 -2
data/man/man8/puppet-ssl.8 +5 -1
data/man/man8/puppet-status.8 +1 -1
data/man/man8/puppet.8 +2 -2
data/spec/fixtures/integration/application/agent/cached_deferred_catalog.json +91 -0
data/spec/fixtures/ssl/127.0.0.1-key.pem +107 -57
data/spec/fixtures/ssl/127.0.0.1.pem +52 -31
data/spec/fixtures/ssl/bad-basic-constraints.pem +57 -35
data/spec/fixtures/ssl/bad-int-basic-constraints.pem +57 -35
data/spec/fixtures/ssl/ca.pem +57 -35
data/spec/fixtures/ssl/crl.pem +28 -18
data/spec/fixtures/ssl/ec-key.pem +11 -11
data/spec/fixtures/ssl/ec.pem +33 -24
data/spec/fixtures/ssl/encrypted-ec-key.pem +12 -12
data/spec/fixtures/ssl/encrypted-key.pem +108 -58
data/spec/fixtures/ssl/intermediate-agent-crl.pem +28 -19
data/spec/fixtures/ssl/intermediate-agent.pem +57 -36
data/spec/fixtures/ssl/intermediate-crl.pem +31 -21
data/spec/fixtures/ssl/intermediate.pem +57 -36
data/spec/fixtures/ssl/pluto-key.pem +107 -57
data/spec/fixtures/ssl/pluto.pem +52 -30
data/spec/fixtures/ssl/request-key.pem +107 -57
data/spec/fixtures/ssl/request.pem +47 -26
data/spec/fixtures/ssl/revoked-key.pem +107 -57
data/spec/fixtures/ssl/revoked.pem +52 -30
data/spec/fixtures/ssl/signed-key.pem +107 -57
data/spec/fixtures/ssl/signed.pem +52 -30
data/spec/fixtures/ssl/tampered-cert.pem +52 -30
data/spec/fixtures/ssl/tampered-csr.pem +47 -26
data/spec/fixtures/ssl/unknown-127.0.0.1-key.pem +107 -57
data/spec/fixtures/ssl/unknown-127.0.0.1.pem +50 -29
data/spec/fixtures/ssl/unknown-ca-key.pem +107 -57
data/spec/fixtures/ssl/unknown-ca.pem +55 -33
data/spec/fixtures/unit/provider/service/systemd/list_unit_files_services_vendor_preset +9 -0
data/spec/fixtures/unit/provider/user/aix/aix_passwd_file.out +4 -0
data/spec/integration/application/agent_spec.rb +160 -3
data/spec/integration/application/apply_spec.rb +19 -0
data/spec/integration/application/plugin_spec.rb +1 -1
data/spec/integration/application/resource_spec.rb +30 -0
data/spec/integration/defaults_spec.rb +0 -7
data/spec/integration/environments/setting_hooks_spec.rb +1 -1
data/spec/integration/http/client_spec.rb +12 -0
data/spec/integration/indirector/direct_file_server_spec.rb +1 -3
data/spec/integration/resource/type_collection_spec.rb +2 -6
data/spec/integration/transaction_spec.rb +4 -9
data/spec/integration/util/windows/adsi_spec.rb +21 -1
data/spec/integration/util/windows/principal_spec.rb +21 -0
data/spec/integration/util/windows/registry_spec.rb +6 -10
data/spec/lib/puppet/test_ca.rb +2 -2
data/spec/lib/puppet_spec/settings.rb +6 -1
data/spec/spec_helper.rb +12 -5
data/spec/unit/agent_spec.rb +8 -6
data/spec/unit/application/agent_spec.rb +7 -3
data/spec/unit/application/config_spec.rb +224 -4
data/spec/unit/application/facts_spec.rb +482 -3
data/spec/unit/application/filebucket_spec.rb +0 -2
data/spec/unit/application/ssl_spec.rb +23 -0
data/spec/unit/application_spec.rb +51 -9
data/spec/unit/configurer/downloader_spec.rb +6 -0
data/spec/unit/configurer_spec.rb +23 -0
data/spec/unit/confine/feature_spec.rb +1 -1
data/spec/unit/confine_spec.rb +8 -2
data/spec/unit/defaults_spec.rb +36 -1
data/spec/unit/environments_spec.rb +221 -68
data/spec/unit/face/config_spec.rb +27 -32
data/spec/unit/face/facts_spec.rb +4 -0
data/spec/unit/face/node_spec.rb +0 -11
data/spec/unit/file_serving/configuration/parser_spec.rb +0 -1
data/spec/unit/file_serving/fileset_spec.rb +60 -0
data/spec/unit/file_serving/metadata_spec.rb +3 -3
data/spec/unit/file_serving/terminus_helper_spec.rb +11 -4
data/spec/unit/file_system_spec.rb +9 -0
data/spec/unit/forge/module_release_spec.rb +2 -7
data/spec/unit/functions/inline_epp_spec.rb +26 -1
data/spec/unit/gettext/config_spec.rb +12 -0
data/spec/unit/http/service/compiler_spec.rb +172 -0
data/spec/unit/http/service_spec.rb +1 -1
data/spec/unit/indirector/catalog/compiler_spec.rb +14 -10
data/spec/unit/indirector/face_spec.rb +0 -1
data/spec/unit/indirector/facts/facter_spec.rb +95 -1
data/spec/unit/indirector/facts/json_spec.rb +255 -0
data/spec/unit/indirector/file_bucket_file/selector_spec.rb +26 -8
data/spec/unit/indirector/indirection_spec.rb +8 -12
data/spec/unit/indirector/key/file_spec.rb +0 -1
data/spec/unit/indirector/node/json_spec.rb +33 -0
data/spec/{integration/indirector/report/yaml.rb → unit/indirector/report/json_spec.rb} +13 -24
data/spec/unit/indirector/report/yaml_spec.rb +72 -8
data/spec/unit/indirector_spec.rb +2 -2
data/spec/unit/module_tool/applications/installer_spec.rb +66 -0
data/spec/unit/network/authconfig_spec.rb +0 -3
data/spec/unit/network/formats_spec.rb +41 -0
data/spec/unit/network/http/api/indirected_routes_spec.rb +0 -9
data/spec/unit/network/http/factory_spec.rb +19 -0
data/spec/unit/network/http/handler_spec.rb +0 -5
data/spec/unit/parser/compiler_spec.rb +3 -19
data/spec/unit/parser/functions/fqdn_rand_spec.rb +15 -1
data/spec/unit/parser/resource_spec.rb +14 -8
data/spec/unit/parser/templatewrapper_spec.rb +4 -3
data/spec/unit/pops/evaluator/deferred_resolver_spec.rb +20 -0
data/spec/unit/pops/types/p_sem_ver_type_spec.rb +18 -0
data/spec/unit/pops/types/p_sensitive_type_spec.rb +18 -0
data/spec/unit/property_spec.rb +1 -0
data/spec/unit/provider/group/groupadd_spec.rb +5 -2
data/spec/unit/provider/nameservice_spec.rb +66 -65
data/spec/unit/provider/package/apt_spec.rb +28 -23
data/spec/unit/provider/package/aptitude_spec.rb +1 -1
data/spec/unit/provider/package/base_spec.rb +6 -5
data/spec/unit/provider/package/dnfmodule_spec.rb +10 -1
data/spec/unit/provider/package/nim_spec.rb +42 -0
data/spec/unit/provider/package/pacman_spec.rb +18 -12
data/spec/unit/provider/package/pip_spec.rb +6 -11
data/spec/unit/provider/package/pkgdmg_spec.rb +0 -4
data/spec/unit/provider/service/init_spec.rb +1 -0
data/spec/unit/provider/service/openwrt_spec.rb +3 -1
data/spec/unit/provider/service/systemd_spec.rb +53 -8
data/spec/unit/provider/service/windows_spec.rb +202 -0
data/spec/unit/provider/user/aix_spec.rb +5 -0
data/spec/unit/provider/user/directoryservice_spec.rb +67 -35
data/spec/unit/provider/user/hpux_spec.rb +1 -1
data/spec/unit/provider/user/pw_spec.rb +2 -0
data/spec/unit/provider/user/useradd_spec.rb +71 -3
data/spec/unit/provider_spec.rb +8 -10
data/spec/unit/puppet_pal_catalog_spec.rb +45 -0
data/spec/unit/resource/capability_finder_spec.rb +6 -1
data/spec/unit/resource/catalog_spec.rb +1 -1
data/spec/unit/resource/type_spec.rb +1 -1
data/spec/unit/resource_spec.rb +11 -10
data/spec/unit/settings_spec.rb +419 -242
data/spec/unit/ssl/base_spec.rb +0 -1
data/spec/unit/ssl/host_spec.rb +0 -5
data/spec/unit/ssl/ssl_provider_spec.rb +14 -8
data/spec/unit/ssl/state_machine_spec.rb +19 -5
data/spec/unit/transaction/additional_resource_generator_spec.rb +3 -9
data/spec/unit/transaction/event_manager_spec.rb +14 -11
data/spec/unit/transaction_spec.rb +18 -11
data/spec/unit/type/file/content_spec.rb +0 -1
data/spec/unit/type/file/selinux_spec.rb +3 -5
data/spec/unit/type/file_spec.rb +0 -6
data/spec/unit/type/group_spec.rb +13 -6
data/spec/unit/type/resources_spec.rb +7 -7
data/spec/unit/type/service_spec.rb +60 -189
data/spec/unit/type/tidy_spec.rb +17 -8
data/spec/unit/type/user_spec.rb +45 -0
data/spec/unit/type_spec.rb +2 -2
data/spec/unit/util/at_fork_spec.rb +2 -2
data/spec/unit/util/autoload_spec.rb +5 -1
data/spec/unit/util/backups_spec.rb +1 -2
data/spec/unit/util/execution_spec.rb +15 -11
data/spec/unit/util/inifile_spec.rb +6 -14
data/spec/unit/util/log_spec.rb +8 -7
data/spec/unit/util/logging_spec.rb +3 -3
data/spec/unit/util/posix_spec.rb +363 -15
data/spec/unit/util/rubygems_spec.rb +2 -2
data/spec/unit/util/selinux_spec.rb +163 -68
data/spec/unit/util/storage_spec.rb +3 -1
data/spec/unit/util/suidmanager_spec.rb +44 -41
data/spec/unit/util/windows/sid_spec.rb +6 -0
data/spec/unit/util_spec.rb +13 -6
data/tasks/generate_cert_fixtures.rake +2 -2
metadata +33 -16
data/spec/integration/application/config_spec.rb +0 -74
data/spec/lib/matchers/include.rb +0 -27
data/spec/lib/matchers/include_spec.rb +0 -32
data/spec/unit/face/catalog_spec.rb +0 -6
data/spec/unit/face/module_spec.rb +0 -3

data/spec/unit/provider/service/windows_spec.rb CHANGED Viewed

@@ -271,4 +271,206 @@ describe 'Puppet::Type::Service::Provider::Windows',
       }.to raise_error(Puppet::Error, /Cannot enable #{name}/)
     end
   end
+  describe "when managing logon credentials" do
+    before do
+      allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return(computer_name)
+      allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(principal)
+      allow(Puppet::Util::Windows::Service).to receive(:set_startup_configuration).and_return(nil)
+    end
+    let(:computer_name) { 'myPC' }
+    describe "#logonaccount=" do
+      before do
+        allow(Puppet::Util::Windows::User).to receive(:password_is?).and_return(true)
+        resource[:logonaccount] = user_input
+        provider.logonaccount_insync?(user_input)
+      end
+      let(:user_input) { principal.account }
+      let(:principal) do
+        Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, computer_name, :SidTypeUser)
+      end
+      context "when given user is 'myUser'" do
+        it "should fail when the `Log On As A Service` right is missing from given user" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("")
+          expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" is missing the 'Log On As A Service' right./)
+        end
+        it "should fail when the `Log On As A Service` right is set to denied for given user" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeDenyServiceLogonRight")
+          expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" has the 'Log On As A Service' right set to denied./)
+        end
+        it "should not fail when given user has the `Log On As A Service` right" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
+          expect { provider.logonaccount=(user_input) }.not_to raise_error
+        end
+        ['myUser', 'myPC\\myUser', ".\\myUser", "MYPC\\mYuseR"].each do |user_input_variant|
+          let(:user_input) { user_input_variant }
+          it "should succesfully munge #{user_input_variant} to '.\\myUser'" do
+            allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq(".\\myUser")
+          end
+        end
+      end
+      context "when given user is a system account" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).and_return(true)
+        end
+        let(:user_input) { principal.account }
+        let(:principal) do
+          Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
+        end
+        it "should not fail when given user is a default system account even if the `Log On As A Service` right is missing" do
+          expect(Puppet::Util::Windows::User).not_to receive(:get_rights)
+          expect { provider.logonaccount=(user_input) }.not_to raise_error
+        end
+        ['LocalSystem', '.\LocalSystem', 'myPC\LocalSystem', 'lOcALsysTem'].each do |user_input_variant|
+          let(:user_input) { user_input_variant }
+          it "should succesfully munge #{user_input_variant} to 'LocalSystem'" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('LocalSystem')
+          end
+        end
+      end
+      context "when domain is different from computer name" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return("SeServiceLogonRight")
+        end
+        context "when given user is from AD" do
+          let(:user_input) { 'myRemoteUser' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("myRemoteUser", nil, nil, "AD", :SidTypeUser)
+          end
+          it "should not raise any error" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+          end
+          it "should succesfully be munged" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('AD\myRemoteUser')
+          end
+        end
+        context "when given user is LocalService" do
+          let(:user_input) { 'LocalService' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeWellKnownGroup)
+          end
+          it "should succesfully munge well known user" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('NT AUTHORITY\LOCAL SERVICE')
+          end
+        end
+        context "when given user is in SID form" do
+          let(:user_input) { 'S-1-5-20' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("NETWORK SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
+          end
+          it "should succesfully munge" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('NT AUTHORITY\NETWORK SERVICE')
+          end
+        end
+        context "when given user is actually a group" do
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("Administrators", nil, nil, "BUILTIN", :SidTypeAlias)
+          end
+          let(:user_input) { 'Administrators' }
+          it "should fail when sid type is not user or well known user" do
+            expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /"BUILTIN\\#{user_input}" is not a valid account/)
+          end
+        end
+      end
+    end
+    describe "#logonpassword=" do
+      before do
+        allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
+        resource[:logonaccount] = account
+        resource[:logonpassword] = user_input
+        provider.logonaccount_insync?(account)
+      end
+      let(:account) { 'LocalSystem' }
+      describe "when given logonaccount is a predefined_local_account" do
+        let(:user_input) { 'pass' }
+        let(:principal) { nil }
+        it "should pass validation when given account is 'LocalSystem'" do
+          allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('LocalSystem').and_return(true)
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('LocalSystem').and_return(true)
+          expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
+          expect { provider.logonpassword=(user_input) }.not_to raise_error
+        end
+        ['LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'].each do |predefined_local_account|
+          describe "when given account is #{predefined_local_account}" do
+            let(:account) { 'predefined_local_account' }
+            let(:principal) do
+              Puppet::Util::Windows::SID::Principal.new(account, nil, nil, "NT AUTHORITY", :SidTypeUser)
+            end
+            it "should pass validation" do
+              allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.account).and_return(false)
+              allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.domain_account).and_return(false)
+              expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with(principal.domain_account).and_return(true).twice
+              expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
+              expect { provider.logonpassword=(user_input) }.not_to raise_error
+            end
+          end
+        end
+      end
+      describe "when given logonaccount is not a predefined local account" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(".\\#{principal.account}").and_return(false)
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with(".\\#{principal.account}").and_return(false)
+        end
+        let(:account) { 'myUser' }
+        let(:principal) do
+          Puppet::Util::Windows::SID::Principal.new(account, nil, nil, computer_name, :SidTypeUser)
+        end
+        describe "when password is proven correct" do
+          let(:user_input) { 'myPass' }
+          it "should pass validation" do
+            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myPass', '.').and_return(true)
+            expect { provider.logonpassword=(user_input) }.not_to raise_error
+          end
+        end
+        describe "when password is not proven correct" do
+          let(:user_input) { 'myWrongPass' }
+          it "should not pass validation" do
+            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myWrongPass', '.').and_return(false)
+            expect { provider.logonpassword=(user_input) }.to raise_error(Puppet::Error, /The given password is invalid for user '.\\myUser'/)
+          end
+        end
+      end
+    end
+  end
 end

data/spec/unit/provider/user/aix_spec.rb CHANGED Viewed

@@ -143,6 +143,11 @@ describe 'Puppet::Type::User::Provider::Aix' do
     it "returns the user's password" do
       expect(call_parse_password).to eql('some_password')
     end
+    it "returns the user's password with tabs" do
+      resource[:name] = 'tab_password_user'
+      expect(call_parse_password).to eql('some_password')
+    end
   end
   # TODO: If we move from using Mocha to rspec's mocks,

data/spec/unit/provider/user/directoryservice_spec.rb CHANGED Viewed

@@ -925,28 +925,75 @@ end
       }
     end
-    it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
-      expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
-      expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
-      expect(provider.class).to receive(:get_os_version).and_return('10.7')
-      expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
-      provider.write_password_to_users_plist(sha512_password_hash)
+    before do
+      allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
     end
-    it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
-      expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
-      expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
-      expect(provider.class).to receive(:get_os_version).and_return('10.8')
-      expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
-      provider.write_password_to_users_plist(pbkdf2_password_hash)
+    describe 'when on macOS 11 (Big Sur) or greater' do
+      before do
+        allow(provider.class).to receive(:get_os_version).and_return('11.0.0')
+      end
+      it 'should add salted_sha512_pbkdf2 AuthenticationAuthority key if missing' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(true)
+        expect(Puppet).to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
+      it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority key if not missing' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
+        expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
     end
-    it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
-      expect(provider).to receive(:get_users_plist).and_return('users_plist')
-      expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
-      expect(provider.class).to receive(:get_os_version).and_return('10.8')
-      expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
-      provider.write_password_to_users_plist(pbkdf2_password_hash)
+    describe 'when on macOS version lower than 11' do
+      before do
+        allow(provider.class).to receive(:get_os_version)
+        allow(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
+      end
+      it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
+        expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
+      it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
+        expect(provider.class).to receive(:get_os_version).and_return('10.7')
+        expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
+        provider.write_password_to_users_plist(sha512_password_hash)
+      end
+      it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
+        expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
+        expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
+        expect(provider.class).to receive(:get_os_version).and_return('10.8')
+        expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
+      it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
+        expect(provider).to receive(:get_users_plist).and_return('users_plist')
+        expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
+        expect(provider.class).to receive(:get_os_version).and_return('10.8')
+        expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
+        provider.write_password_to_users_plist(pbkdf2_password_hash)
+      end
     end
   end
@@ -974,16 +1021,7 @@ end
   describe '#set_shadow_hash_data' do
     let(:users_plist) { {'ShadowHashData' => ['string_data'] } }
-    it 'should flush the plist data to disk on OS X < 10.15' do
-      allow(provider.class).to receive(:get_os_version).and_return('10.12')
-      expect(provider).to receive(:write_users_plist_to_disk)
-      provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
-    end
-    it 'should flush the plist data a temporary file on OS X >= 10.15' do
-      allow(provider.class).to receive(:get_os_version).and_return('10.15')
+    it 'should flush the plist data to a temporary file' do
       expect(provider).to receive(:write_and_import_shadow_hash_data)
       provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
     end
@@ -1033,13 +1071,6 @@ end
     end
   end
-  describe '#write_users_plist_to_disk' do
-    it 'should save the passed plist to disk and convert it to a binary plist' do
-      expect(Puppet::Util::Plist).to receive(:write_plist_file).with(user_plist_xml, "#{users_plist_dir}/nonexistent_user.plist", :binary)
-      provider.write_users_plist_to_disk(user_plist_xml)
-    end
-  end
   describe '#write_and_import_shadow_hash_data' do
     it 'should save the passed plist to a temporary file and import it' do
       tmpfile = double('tempfile', :path => "/tmp/dsimport_#{username}", :flush => nil)
@@ -1203,6 +1234,7 @@ end
     before :each do
       allow(provider.class).to receive(:get_all_users).and_return(all_users_hash)
       allow(provider.class).to receive(:get_list_of_groups).and_return(group_plist_hash_guid)
+      allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
       provider.class.prefetch({})
     end

data/spec/unit/provider/user/hpux_spec.rb CHANGED Viewed

@@ -33,7 +33,7 @@ describe Puppet::Type.type(:user).provider(:hpuxuseradd),
     before :each do
       allow(Etc).to receive(:getpwent).and_return(pwent)
       allow(Etc).to receive(:getpwnam).and_return(pwent)
-      allow(resource).to receive(:command).with(:modify).and_return('/usr/sam/lbin/usermod.sam')
+      allow(provider).to receive(:command).with(:modify).and_return('/usr/sam/lbin/usermod.sam')
     end
     it "should have feature manages_passwords" do

data/spec/unit/provider/user/pw_spec.rb CHANGED Viewed

@@ -53,12 +53,14 @@ describe Puppet::Type.type(:user).provider(:pw) do
     it "should use -G with the correct argument when the groups property is set" do
       resource[:groups] = "group1"
+      allow(Puppet::Util::POSIX).to receive(:groups_of).with('testuser').and_return([])
       expect(provider).to receive(:execute).with(include("-G").and(include("group1")), kind_of(Hash))
       provider.create
     end
     it "should use -G with all the given groups when the groups property is set to an array" do
       resource[:groups] = ["group1", "group2"]
+      allow(Puppet::Util::POSIX).to receive(:groups_of).with('testuser').and_return([])
       expect(provider).to receive(:execute).with(include("-G").and(include("group1,group2")), kind_of(Hash))
       provider.create
     end

data/spec/unit/provider/user/useradd_spec.rb CHANGED Viewed

@@ -4,6 +4,7 @@ RSpec::Matchers.define_negated_matcher :excluding, :include
 describe Puppet::Type.type(:user).provider(:useradd) do
   before :each do
+    allow(Puppet::Util::POSIX).to receive(:groups_of).and_return([])
     allow(described_class).to receive(:command).with(:password).and_return('/usr/bin/chage')
     allow(described_class).to receive(:command).with(:localpassword).and_return('/usr/sbin/lchage')
     allow(described_class).to receive(:command).with(:add).and_return('/usr/sbin/useradd')
@@ -151,6 +152,7 @@ describe Puppet::Type.type(:user).provider(:useradd) do
       it "should not use -G for luseradd and should call usermod with -G after luseradd when groups property is set" do
         resource[:groups] = ['group1', 'group2']
+        allow(provider).to receive(:localgroups)
         expect(provider).to receive(:execute).with(include('/usr/sbin/luseradd').and(excluding('-G')), hash_including(custom_environment: hash_including('LIBUSER_CONF')))
         expect(provider).to receive(:execute).with(include('/usr/sbin/usermod').and(include('-G')), hash_including(custom_environment: hash_including('LIBUSER_CONF')))
         provider.create
@@ -336,7 +338,8 @@ describe Puppet::Type.type(:user).provider(:useradd) do
     it "should return the local comment string when forcelocal is true" do
       resource[:forcelocal] = true
-      allow(File).to receive(:read).with('/etc/passwd').and_return(content)
+      allow(Puppet::FileSystem).to receive(:exist?).with('/etc/passwd').and_return(true)
+      allow(Puppet::FileSystem).to receive(:each_line).with('/etc/passwd').and_yield(content)
       expect(provider.comment).to eq('local comment')
     end
@@ -348,8 +351,73 @@ describe Puppet::Type.type(:user).provider(:useradd) do
     end
   end
+  describe "#gid" do
+    before { described_class.has_feature :manages_local_users_and_groups }
+    let(:content) { "myuser:x:x:999:x:x:x" }
+    it "should return the local GID when forcelocal is true" do
+      resource[:forcelocal] = true
+      allow(Puppet::FileSystem).to receive(:exist?).with('/etc/passwd').and_return(true)
+      allow(Puppet::FileSystem).to receive(:each_line).with('/etc/passwd').and_yield(content)
+      expect(provider.gid).to eq(999)
+    end
+    it "should fall back to nameservice GID when forcelocal is false" do
+      resource[:forcelocal] = false
+      allow(provider).to receive(:get).with(:gid).and_return(1234)
+      expect(provider).not_to receive(:localgid)
+      expect(provider.gid).to eq(1234)
+    end
+  end
+  describe "#groups" do
+    before { described_class.has_feature :manages_local_users_and_groups }
+    let(:content) do
+      StringIO.new(<<~EOF)
+      group1:x:0:myuser
+      group2:x:999:
+      group3:x:998:myuser
+      EOF
+    end
+    let(:content_with_empty_line) do
+      StringIO.new(<<~EOF)
+      group1:x:0:myuser
+      group2:x:999:
+      group3:x:998:myuser
+      EOF
+    end
+    it "should return the local groups string when forcelocal is true" do
+      resource[:forcelocal] = true
+      allow(Puppet::FileSystem).to receive(:exist?).with('/etc/group').and_return(true)
+      allow(File).to receive(:open).with(Pathname.new('/etc/group')).and_yield(content)
+      expect(provider.groups).to eq(['group1', 'group3'])
+    end
+    it "does not raise when parsing empty lines in /etc/group" do
+      resource[:forcelocal] = true
+      allow(Puppet::FileSystem).to receive(:exist?).with('/etc/group').and_return(true)
+      allow(File).to receive(:open).with(Pathname.new('/etc/group')).and_yield(content_with_empty_line)
+      expect { provider.groups }.not_to raise_error
+    end
+    it "should fall back to nameservice groups when forcelocal is false" do
+      resource[:forcelocal] = false
+      allow(Puppet::Util::POSIX).to receive(:groups_of).with('myuser').and_return(['remote groups'])
+      expect(provider).not_to receive(:localgroups)
+      expect(provider.groups).to eq('remote groups')
+    end
+  end
   describe "#finduser" do
-    before { allow(File).to receive(:read).with('/etc/passwd').and_return(content) }
+    before do
+      allow(Puppet::FileSystem).to receive(:exist?).with('/etc/passwd').and_return(true)
+      allow(Puppet::FileSystem).to receive(:each_line).with('/etc/passwd').and_yield(content)
+    end
     let(:content) { "sample_account:sample_password:sample_uid:sample_gid:sample_gecos:sample_directory:sample_shell" }
     let(:output) do
@@ -375,7 +443,7 @@ describe Puppet::Type.type(:user).provider(:useradd) do
     end
     it "reads the user file only once per resource" do
-      expect(File).to receive(:read).with('/etc/passwd').once
+      expect(Puppet::FileSystem).to receive(:each_line).with('/etc/passwd').once
       5.times { provider.finduser(:account, 'sample_account') }
     end
   end