puppet 6.19.1-x64-mingw32 → 6.23.0-x64-mingw32

data/lib/puppet/type/tidy.rb

@@ -50,6 +50,22 @@ Puppet::Type.newtype(:tidy) do
     end
   end
 
+  newparam(:max_files) do
+    desc "In case the resource is a directory and the recursion is enabled, puppet will
+      generate a new resource for each file file found, possible leading to
+      an excessive number of resources generated without any control.
+
+      Setting `max_files` will check the number of file resources that
+      will eventually be created and will raise a resource argument error if the
+      limit will be exceeded.
+
+      Use value `0` to disable the check. In this case, a warning is logged if
+      the number of files exceeds 1000."
+
+    defaultto 0
+    newvalues(/^[0-9]+$/)
+  end
+
   newparam(:matches) do
     desc <<-'EOT'
       One or more (shell type) file glob patterns, which restrict
@@ -256,9 +272,12 @@ Puppet::Type.newtype(:tidy) do
 
     case self[:recurse]
     when Integer, /^\d+$/
-      parameter = { :recurse => true, :recurselimit => self[:recurse] }
+      parameter = { :max_files => self[:max_files],
+                    :recurse => true,
+                    :recurselimit => self[:recurse] }
     when true, :true, :inf
-      parameter = { :recurse => true }
+      parameter = { :max_files => self[:max_files],
+                    :recurse => true }
     end
 
     if parameter

data/lib/puppet/type/user.rb

@@ -67,6 +67,7 @@ module Puppet
     newproperty(:ensure, :parent => Puppet::Property::Ensure) do
       newvalue(:present, :event => :user_created) do
         provider.create
+        @resource.generate
       end
 
       newvalue(:absent, :event => :user_removed) do
@@ -695,6 +696,7 @@ module Puppet
 
     def generate
       if !self[:purge_ssh_keys].empty?
+        return [] if self[:ensure] == :present && !provider.exists? 
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
         else
@@ -743,25 +745,6 @@ module Puppet
         end
         raise ArgumentError, _("purge_ssh_keys must be true, false, or an array of file names, not %{value}") % { value: value.inspect }
       end
-
-      munge do |value|
-        # Resolve string, boolean and symbol forms of true and false to a
-        # single representation.
-        test_sym = value.to_s.intern
-        value = test_sym if [:true, :false].include? test_sym
-
-        return [] if value == :false
-        home = resource[:home] || Dir.home(resource[:name])
-
-        return [ "#{home}/.ssh/authorized_keys" ] if value == :true
-        # value is an array - munge each value
-        [ value ].flatten.map do |entry|
-          # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
-          entry = entry.gsub(/^~\//, "#{home}/")
-          entry.gsub!(/^%h\//, "#{home}/")
-          entry
-        end
-      end
     end
 
     newproperty(:loginclass, :required_features => :manages_loginclass) do
@@ -783,7 +766,7 @@ module Puppet
     # @see generate
     # @api private
     def find_unmanaged_keys
-      self[:purge_ssh_keys].
+      munged_unmanaged_keys.
         select { |f| File.readable?(f) }.
         map { |f| unknown_keys_in_file(f) }.
         flatten.each do |res|
@@ -795,6 +778,41 @@ module Puppet
         end
     end
 
+    def munged_unmanaged_keys
+      value = self[:purge_ssh_keys]
+
+      # Resolve string, boolean and symbol forms of true and false to a
+      # single representation.
+      test_sym = value.to_s.intern
+      value = test_sym if [:true, :false].include? test_sym
+
+      return [] if value == :false
+
+      home = self[:home]
+      begin
+        home ||= provider.home
+      rescue
+        Puppet.debug("User '#{self[:name]}' does not exist")
+      end
+
+      if home.to_s.empty? || !Dir.exist?(home.to_s)
+        if value == :true || [ value ].flatten.any? { |v| v.start_with?('~/', '%h/') }
+          Puppet.debug("User '#{self[:name]}' has no home directory set to purge ssh keys from.")
+          return []
+        end
+      end
+
+      return [ "#{home}/.ssh/authorized_keys" ] if value == :true
+
+      # value is an array - munge each value
+      [ value ].flatten.map do |entry|
+        # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
+        entry = entry.gsub(/^~\//, "#{home}/")
+        entry.gsub!(/^%h\//, "#{home}/")
+        entry
+      end
+    end
+
     # Parse an ssh authorized keys file superficially, extract the comments
     # on the keys. These are considered names of possible ssh_authorized_keys
     # resources. Keys that are managed by the present catalog are ignored.

data/lib/puppet/util/autoload.rb

@@ -166,14 +166,7 @@ class Puppet::Util::Autoload
     # Normalize a path. This converts ALT_SEPARATOR to SEPARATOR on Windows
     # and eliminates unnecessary parts of a path.
     def cleanpath(path)
-      # There are two cases here because cleanpath does not handle absolute
-      # paths correctly on windows (c:\ and c:/ are treated as distinct) but
-      # we don't want to convert relative paths to absolute
-      if Puppet::Util.absolute_path?(path)
-        File.expand_path(path)
-      else
-        Pathname.new(path).cleanpath.to_s
-      end
+      Pathname.new(path).cleanpath.to_s
     end
   end
 

data/lib/puppet/util/fact_dif.rb

@@ -0,0 +1,81 @@
+require 'json'
+
+class FactDif
+  def initialize(old_output, new_output, exclude_list, save_structured)
+    @c_facter = JSON.parse(old_output)
+    @next_facter = JSON.parse(new_output)
+    @exclude_list = exclude_list
+    @save_structured = save_structured
+    @flat_diff = []
+    @diff = {}
+  end
+
+  def difs
+    search_hash(((@c_facter.to_a - @next_facter.to_a) | (@next_facter.to_a - @c_facter.to_a)).to_h)
+
+    @flat_diff.sort_by { |a| a[0] }.each do |pair|
+      fact_path = pair[0]
+      value = pair[1]
+      compare(fact_path, value, @c_facter)
+      compare(fact_path, value, @next_facter)
+    end
+
+    @diff
+  end
+
+  private
+
+  def search_hash(sh, path = [])
+    if sh.is_a?(Hash)
+      sh.each do |k, v|
+        search_hash(v, path.push(k))
+        path.pop
+      end
+    elsif sh.is_a?(Array)
+      sh.each_with_index do |v, index|
+        search_hash(v, path.push(index))
+        path.pop
+      end
+    else
+      @flat_diff.push([path.dup, sh])
+    end
+  end
+
+  def compare(fact_path, given_value, compared_hash)
+    compared_value = compared_hash.dig(*fact_path)
+    if different?(compared_value, given_value) && !excluded?(fact_path.join('.'))
+      fact_path = fact_path.map{|f| f.to_s.include?('.') ? "\"#{f}\"" : f}.join('.') unless @save_structured
+      if compared_hash == @c_facter
+        bury(*fact_path, { :new_value => given_value, :old_value => compared_value }, @diff)
+      else
+        bury(*fact_path, { :new_value => compared_value, :old_value => given_value }, @diff)
+      end
+    end
+  end
+
+  def bury(*paths, value, hash)
+    if paths.count > 1
+      path = paths.shift
+      hash[path] = Hash.new unless hash.key?(path)
+      bury(*paths, value, hash[path])
+    else
+      hash[*paths] = value
+    end
+  end
+
+  def different?(new, old)
+    if old.is_a?(String) && new.is_a?(String) && (old.include?(',') || new.include?(','))
+      old_values = old.split(',')
+      new_values = new.split(',')
+
+      diff = (old_values - new_values) | (new_values - old_values)
+      return diff.size.positive?
+    end
+
+    old != new
+  end
+
+  def excluded?(fact_name)
+    @exclude_list.any? {|excluded_fact| fact_name =~ /#{excluded_fact}/}
+  end
+end

data/lib/puppet/util/monkey_patches.rb

@@ -32,6 +32,13 @@ end
 # (#19151) Reject all SSLv2 ciphers and handshakes
 require 'puppet/ssl/openssl_loader'
 unless Puppet::Util::Platform.jruby_fips?
+  unless defined?(OpenSSL::SSL::TLS1_VERSION)
+    module OpenSSL::SSL
+      # see https://github.com/ruby/ruby/commit/609103dbb5fb182eec12f052226c43e39b907682#diff-09f822c26289f5347111795ca22ed7ed1cfadd6ebd28f987991d1d414eef565aR2755-R2759
+      OpenSSL::SSL::TLS1_VERSION = 0x301
+    end
+  end
+
   class OpenSSL::SSL::SSLContext
     if DEFAULT_PARAMS[:options]
       DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3

data/lib/puppet/util/posix.rb

@@ -12,11 +12,18 @@ module Puppet::Util::POSIX
   class << self
     # Returns an array of all the groups that the user's a member of.
     def groups_of(user)
-      groups = []
-      Puppet::Etc.group do |group|
-        groups << group.name if group.mem.include?(user)
+      begin
+        require 'puppet/ffi/posix'
+        groups = get_groups_list(user)
+      rescue StandardError, LoadError => e
+        Puppet.debug("Falling back to Puppet::Etc.group: #{e.message}")
+
+        groups = []
+        Puppet::Etc.group do |group|
+          groups << group.name if group.mem.include?(user)
+        end
       end
-  
+
       uniq_groups = groups.uniq
       if uniq_groups != groups
         Puppet.debug(_('Removing any duplicate group entries'))
@@ -24,6 +31,39 @@ module Puppet::Util::POSIX
 
       uniq_groups
     end
+
+    private
+    def get_groups_list(user)
+      raise LoadError, "The 'getgrouplist' method is not available" unless Puppet::FFI::POSIX::Functions.respond_to?(:getgrouplist)
+
+      user_gid = Puppet::Etc.getpwnam(user).gid
+      ngroups = Puppet::FFI::POSIX::Constants::MAXIMUM_NUMBER_OF_GROUPS
+
+      while true do # rubocop:disable Lint/LiteralInCondition
+        FFI::MemoryPointer.new(:int) do |ngroups_ptr|
+          FFI::MemoryPointer.new(:uint, ngroups) do |groups_ptr|
+            old_ngroups = ngroups
+            ngroups_ptr.write_int(ngroups)
+
+            if Puppet::FFI::POSIX::Functions::getgrouplist(user, user_gid, groups_ptr, ngroups_ptr) != -1
+              groups_gids = groups_ptr.get_array_of_uint(0, ngroups_ptr.read_int)
+
+              result = []
+              groups_gids.each do |group_gid|
+                group_info = Puppet::Etc.getgrgid(group_gid)
+                result |= [group_info.name] if group_info.mem.include?(user)
+              end
+              return result
+            end
+
+            ngroups = ngroups_ptr.read_int
+            if ngroups <= old_ngroups
+              ngroups *= 2
+            end
+          end
+        end
+      end
+    end
   end
 
   # Retrieve a field from a POSIX Etc object.  The id can be either an integer
@@ -144,8 +184,17 @@ module Puppet::Util::POSIX
       name = get_posix_field(location, :name, id)
       check_value = name
     end
+
     if check_value != field
-      return search_posix_field(location, id_field, field)
+      check_value_id = get_posix_field(location, id_field, check_value) if check_value
+
+      if id == check_value_id
+        Puppet.debug("Multiple entries found for resource: '#{location}' with #{id_field}: #{id}")
+        return id
+      else
+        Puppet.debug("The value retrieved: '#{check_value}' is different than the required state: '#{field}', searching in all entries")
+        return search_posix_field(location, id_field, field)
+      end
     else
       return id
     end

data/lib/puppet/util/rubygems.rb

@@ -41,7 +41,11 @@ module Puppet::Util::RubyGems
     def directories
       # `require 'mygem'` will consider and potentially load
       # prerelease gems, so we need to match that behavior.
-      Gem::Specification.latest_specs(true).collect do |spec|
+      #
+      # Just load the stub which points to the gem path, and
+      # delay loading the full specification until if/when the
+      # gem is required.
+      Gem::Specification.stubs.collect do |spec|
         File.join(spec.full_gem_path, 'lib')
       end
     end

data/lib/puppet/util/selinux.rb

@@ -13,6 +13,10 @@ require 'pathname'
 
 module Puppet::Util::SELinux
 
+  S_IFREG = 0100000
+  S_IFDIR = 0040000
+  S_IFLNK = 0120000
+
   def self.selinux_support?
     return false unless defined?(Selinux)
     if Selinux.is_selinux_enabled == 1
@@ -38,7 +42,7 @@ module Puppet::Util::SELinux
 
   # Retrieve and return the default context of the file.  If we don't have
   # SELinux support or if the SELinux call fails to file a default then return nil.
-  def get_selinux_default_context(file)
+  def get_selinux_default_context(file, resource_ensure=nil)
     return nil unless selinux_support?
     # If the filesystem has no support for SELinux labels, return a default of nil
     # instead of what matchpathcon would return
@@ -48,8 +52,14 @@ module Puppet::Util::SELinux
     begin
       filestat = file_lstat(file)
       mode = filestat.mode
-    rescue Errno::EACCES, Errno::ENOENT
+    rescue Errno::EACCES
       mode = 0
+    rescue Errno::ENOENT
+      if resource_ensure
+        mode = get_create_mode(resource_ensure)
+      else
+        mode = 0
+      end
     end
 
     retval = Selinux.matchpathcon(file, mode)
@@ -136,8 +146,8 @@ module Puppet::Util::SELinux
   # Puppet uses.  This will set the file's SELinux context to the policy's
   # default context (if any) if it differs from the context currently on
   # the file.
-  def set_selinux_default_context(file)
-    new_context = get_selinux_default_context(file)
+  def set_selinux_default_context(file, resource_ensure=nil)
+    new_context = get_selinux_default_context(file, resource_ensure)
     return nil unless new_context
     cur_context = get_selinux_current_context(file)
     if new_context != cur_context
@@ -198,6 +208,22 @@ module Puppet::Util::SELinux
     filesystems.include?(fstype)
   end
 
+  # Get mode file type bits set based on ensure on
+  # the file resource. This helps SELinux determine
+  # what context a new resource being created should have.
+  def get_create_mode(resource_ensure)
+    mode = 0
+    case resource_ensure
+    when :present, :file
+      mode |= S_IFREG
+    when :directory
+      mode |= S_IFDIR
+    when :link
+      mode |= S_IFLNK
+    end
+    mode
+  end
+
   # Internal helper function to read and parse /proc/mounts
   def read_mounts
     mounts = ""

data/lib/puppet/util/windows/adsi.rb

@@ -504,6 +504,43 @@ module Puppet::Util::Windows::ADSI
       user_name
     end
 
+    # https://docs.microsoft.com/en-us/windows/win32/api/secext/ne-secext-extended_name_format
+    NameUnknown           = 0
+    NameFullyQualifiedDN  = 1
+    NameSamCompatible     = 2
+    NameDisplay           = 3
+    NameUniqueId          = 6
+    NameCanonical         = 7
+    NameUserPrincipal     = 8
+    NameCanonicalEx       = 9
+    NameServicePrincipal  = 10
+    NameDnsDomain         = 12
+    NameGivenName         = 13
+    NameSurname           = 14
+
+    def self.current_user_name_with_format(format)
+      user_name = ''
+      max_length = 1024
+
+      FFI::MemoryPointer.new(:lpwstr, max_length * 2 + 1) do |buffer|
+        FFI::MemoryPointer.new(:dword, 1) do |buffer_size|
+          buffer_size.write_dword(max_length + 1)
+
+          if GetUserNameExW(format.to_i, buffer, buffer_size) == FFI::WIN32_FALSE
+            raise Puppet::Util::Windows::Error.new(_("Failed to get user name"), FFI.errno)
+          end
+
+          user_name = buffer.read_wide_string(buffer_size.read_dword).chomp
+        end
+      end
+
+      user_name
+    end
+
+    def self.current_sam_compatible_user_name
+      current_user_name_with_format(NameSamCompatible)
+    end
+
     def self.current_user_sid
       Puppet::Util::Windows::SID.name_to_principal(current_user_name)
     end
@@ -518,6 +555,15 @@ module Puppet::Util::Windows::ADSI
     ffi_lib :advapi32
     attach_function_private :GetUserNameW,
       [:lpwstr, :lpdword], :win32_bool
+
+    # https://docs.microsoft.com/en-us/windows/win32/api/secext/nf-secext-getusernameexa
+    # BOOLEAN SEC_ENTRY GetUserNameExA(
+    #   EXTENDED_NAME_FORMAT NameFormat,
+    #   LPSTR                lpNameBuffer,
+    #   PULONG               nSize
+    # );type
+    ffi_lib :secur32
+    attach_function_private :GetUserNameExW, [:uint16, :lpwstr, :pointer], :win32_bool
   end
 
   class UserProfile