puppet 6.19.1 → 6.23.0

data/lib/puppet/face/config.rb

@@ -159,6 +159,16 @@ https://puppet.com/docs/puppet/latest/configuration.html#environment
         report_section_and_environment(options[:section], Puppet.settings[:environment])
       end
 
+      # only validate settings we recognize
+      setting = Puppet.settings.setting(name.to_sym)
+      if setting
+        # set the value, which will call `on_*_and_write` hooks, if any
+        Puppet.settings[setting.name] = value
+
+        # read the value to trigger interpolation and munge validation logic
+        Puppet.settings[setting.name]
+      end
+
       path = Puppet::FileSystem.pathname(Puppet.settings.which_configuration_file)
       Puppet::FileSystem.touch(path)
       Puppet::FileSystem.open(path, nil, 'r+:UTF-8') do |file|

data/lib/puppet/face/epp.rb

@@ -440,7 +440,12 @@ Puppet::Face.define(:epp, '0.0.1') do
 
   def render_inline(epp_source, compiler, options)
     template_args = get_values(compiler, options)
-    Puppet::Pops::Evaluator::EppEvaluator.inline_epp(compiler.topscope, epp_source, template_args)
+    result = Puppet::Pops::Evaluator::EppEvaluator.inline_epp(compiler.topscope, epp_source, template_args)
+    if result.instance_of?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      result.unwrap
+    else
+      result
+    end
   end
 
   def render_file(epp_template_name, compiler, options, show_filename, file_nbr)
@@ -457,7 +462,12 @@ Puppet::Face.define(:epp, '0.0.1') do
       if template_file.nil? && Puppet::FileSystem.exist?(epp_template_name)
         epp_template_name = File.expand_path(epp_template_name)
       end
-      output << Puppet::Pops::Evaluator::EppEvaluator.epp(compiler.topscope, epp_template_name, compiler.environment, template_args)
+      result = Puppet::Pops::Evaluator::EppEvaluator.epp(compiler.topscope, epp_template_name, compiler.environment, template_args)
+      if result.instance_of?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+        output << result.unwrap
+      else
+        output << result
+      end
     rescue Puppet::ParseError => detail
       Puppet.err("--- #{epp_template_name}") if show_filename
       raise detail

data/lib/puppet/face/facts.rb

@@ -1,5 +1,21 @@
 require 'puppet/indirector/face'
 require 'puppet/node/facts'
+require 'puppet/util/fact_dif'
+
+EXCLUDE_LIST = %w[ ^facterversion$
+  ^load_averages\..*$
+  ^processors\.speed$
+  ^swapfree$ ^swapfree_mb$
+  ^memoryfree$ ^memoryfree_mb$
+  ^memory\.swap\.available_bytes$ ^memory\.swap\.used_bytes$
+  ^memory\.swap\.available$ ^memory\.swap\.capacity$ ^memory\.swap\.used$
+  ^memory\.system\.available_bytes$ ^memory\.system\.used_bytes$
+  ^memory\.system\.available$ ^memory\.system\.capacity$ ^memory\.system\.used$
+  ^mountpoints\..*\.available.*$ ^mountpoints\..*\.capacity$ ^mountpoints\..*\.used.*$
+  ^sp_uptime$ ^system_profiler\.uptime$
+  ^uptime$ ^uptime_days$ ^uptime_hours$ ^uptime_seconds$
+  ^system_uptime\.uptime$ ^system_uptime\.days$ ^system_uptime\.hours$ ^system_uptime\.seconds$
+]
 
 Puppet::Indirector::Face.define(:facts, '0.0.1') do
   copyright "Puppet Inc.", 2011
@@ -87,4 +103,146 @@ Puppet::Indirector::Face.define(:facts, '0.0.1') do
       nil
     end
   end
+
+  action(:diff) do
+    summary _("Compare Facter 3 output with Facter 4 output")
+    description <<-'EOT'
+    Compares output from facter 3 with Facter 4 and prints the differences
+    EOT
+    returns "Differences between Facter 3 and Facter 4 output as an array."
+    notes <<-'EOT'
+    EOT
+    examples <<-'EOT'
+    get differences between facter versions:
+    $ puppet facts diff
+    EOT
+
+    option("--structured") do
+      default_to { false }
+      summary _("Render the different facts as structured.")
+    end
+
+    option("--exclude " + _("<regex>")) do
+      summary _("Regex used to exclude specific facts from diff.")
+    end
+
+    when_invoked do |*args|
+      options = args.pop
+
+      Puppet.settings.preferred_run_mode = :agent
+      Puppet::Node::Facts.indirection.terminus_class = :facter
+
+      if Puppet::Util::Package.versioncmp(Facter.value('facterversion'), '4.0.0') < 0
+        cmd_flags = '--render-as json --show-legacy'
+
+        # puppet/ruby are in PATH since it was updated in the wrapper script
+        puppet_show_cmd  = "puppet facts show"
+        if Puppet::Util::Platform.windows?
+          puppet_show_cmd = "ruby -S -- #{puppet_show_cmd}"
+        end
+
+        facter_3_result = Puppet::Util::Execution.execute("#{puppet_show_cmd} --no-facterng #{cmd_flags}", combine: false)
+        facter_ng_result = Puppet::Util::Execution.execute("#{puppet_show_cmd} --facterng #{cmd_flags}", combine: false)
+
+        exclude_list = options[:exclude].nil? ? EXCLUDE_LIST : EXCLUDE_LIST + [ options[:exclude] ]
+        fact_diff = FactDif.new(facter_3_result, facter_ng_result, exclude_list, options[:structured])
+        fact_diff.difs
+      else
+        Puppet.warning _("Already using Facter 4. To use `puppet facts diff` remove facterng from the .conf file or run `puppet config set facterng false`.")
+        exit 0
+      end
+    end
+
+    when_rendering :console do |result|
+      case result
+      when Array, Hash
+        Puppet::Util::Json.dump(result, :pretty => true)
+      else
+        result
+      end
+    end
+  end
+
+  action(:show) do
+    summary _("Retrieve current node's facts.")
+    arguments _("[<facts>]")
+    description <<-'EOT'
+    Reads facts from the local system using `facter` terminus.
+    A query can be provided to retrieve just a specific fact or a set of facts.
+    EOT
+    returns "The output of facter with added puppet specific facts."
+    notes <<-'EOT'
+
+    EOT
+    examples <<-'EOT'
+    retrieve facts:
+
+    $ puppet facts show os
+    EOT
+
+    option("--config-file " + _("<path>")) do
+      default_to { nil }
+      summary _("The location of the config file for Facter.")
+    end
+
+    option("--custom-dir " + _("<path>")) do
+      default_to { nil }
+      summary _("The path to a directory that contains custom facts.")
+    end
+
+    option("--external-dir " + _("<path>")) do
+      default_to { nil }
+      summary _("The path to a directory that contains external facts.")
+    end
+
+    option("--no-block") do
+      summary _("Disable fact blocking mechanism.")
+    end
+
+    option("--no-cache") do
+      summary _("Disable fact caching mechanism.")
+    end
+
+    option("--show-legacy") do
+      summary _("Show legacy facts when querying all facts.")
+    end
+
+    option("--value-only") do
+      summary _("Show only the value when the action is called with a single query")
+    end
+
+    when_invoked do |*args|
+      options = args.pop
+
+      Puppet.settings.preferred_run_mode = :agent
+      Puppet::Node::Facts.indirection.terminus_class = :facter
+
+      if options[:value_only] && !args.count.eql?(1)
+        options[:value_only] = nil
+        Puppet.warning("Incorrect use of --value-only argument; it can only be used when querying for a single fact!")
+      end
+
+      options[:user_query] = args
+      options[:resolve_options] = true
+      result = Puppet::Node::Facts.indirection.find(Puppet.settings[:certname], options)
+
+      if options[:value_only]
+        result.values.values.first
+      else
+        result.values
+      end
+    end
+
+    when_rendering :console do |result|
+      # VALID_TYPES = [Integer, Float, TrueClass, FalseClass, NilClass, Symbol, String, Array, Hash].freeze
+      # from https://github.com/puppetlabs/facter/blob/4.0.49/lib/facter/custom_facts/util/normalization.rb#L8
+
+      case result
+      when Array, Hash
+        Puppet::Util::Json.dump(result, :pretty => true)
+      else # one of VALID_TYPES above
+        result
+      end
+    end
+  end
 end

data/lib/puppet/ffi/posix.rb

@@ -0,0 +1,10 @@
+require 'ffi'
+
+module Puppet
+  module FFI
+    module POSIX
+      require 'puppet/ffi/posix/functions'
+      require 'puppet/ffi/posix/constants'
+    end
+  end
+end

data/lib/puppet/ffi/posix/constants.rb

@@ -0,0 +1,14 @@
+require 'puppet/ffi/posix'
+
+module Puppet::FFI::POSIX
+  module Constants
+    extend FFI::Library
+  
+    # Maximum number of supplementary groups (groups
+    # that a user can be in plus its primary group)
+    # (64 + 1 primary group)
+    # Chosen a reasonable middle number from the list
+    # https://www.j3e.de/ngroups.html
+    MAXIMUM_NUMBER_OF_GROUPS = 65
+  end
+end

data/lib/puppet/ffi/posix/functions.rb

@@ -0,0 +1,24 @@
+require 'puppet/ffi/posix'
+
+module Puppet::FFI::POSIX
+  module Functions
+
+    extend FFI::Library
+
+    ffi_convention :stdcall
+
+    # https://man7.org/linux/man-pages/man3/getgrouplist.3.html
+    # int getgrouplist (
+    #   const char *user,
+    #   gid_t group,
+    #   gid_t *groups,
+    #   int *ngroups
+    # );
+    begin
+      ffi_lib FFI::Library::LIBC
+      attach_function :getgrouplist, [:string, :uint, :pointer, :pointer], :int
+    rescue FFI::NotFoundError
+      # Do nothing
+    end
+  end
+end

data/lib/puppet/file_serving/fileset.rb

@@ -5,7 +5,7 @@ require 'puppet/file_serving/metadata'
 # Operate recursively on a path, returning a set of file paths.
 class Puppet::FileServing::Fileset
   attr_reader :path, :ignore, :links
-  attr_accessor :recurse, :recurselimit, :checksum_type
+  attr_accessor :recurse, :recurselimit, :max_files, :checksum_type
 
   # Produce a hash of files, with merged so that earlier files
   # with the same postfix win.  E.g., /dir1/subfile beats /dir2/subfile.
@@ -40,6 +40,7 @@ class Puppet::FileServing::Fileset
     self.links = :manage
     @recurse = false
     @recurselimit = :infinite
+    @max_files = 0
 
     if options.is_a?(Puppet::Indirector::Request)
       initialize_from_request(options)
@@ -58,6 +59,17 @@ class Puppet::FileServing::Fileset
   # level deep, which Find doesn't do.
   def files
     files = perform_recursion
+    soft_max_files = 1000
+
+    # munged_max_files is needed since puppet http handler is keeping negative numbers as strings
+    # https://github.com/puppetlabs/puppet/blob/main/lib/puppet/network/http/handler.rb#L196-L197
+    munged_max_files = max_files == '-1' ? -1 : max_files
+
+    if munged_max_files > 0 && files.size > munged_max_files
+      raise Puppet::Error.new _("The directory '%{path}' contains %{entries} entries, which exceeds the limit of %{munged_max_files} specified by the max_files parameter for this resource. The limit may be increased, but be aware that large number of file resources can result in excessive resource consumption and degraded performance. Consider using an alternate method to manage large directory trees") % { path: path, entries: files.size, munged_max_files: munged_max_files }
+    elsif munged_max_files == 0 && files.size > soft_max_files
+      Puppet.warning _("The directory '%{path}' contains %{entries} entries, which exceeds the default soft limit %{soft_max_files} and may cause excessive resource consumption and degraded performance. To remove this warning set a value for `max_files` parameter or consider using an alternate method to manage large directory trees") % { path: path, entries: files.size, soft_max_files: soft_max_files }
+    end
 
     # Now strip off the leading path, so each file becomes relative, and remove
     # any slashes that might end up at the beginning of the path.
@@ -96,7 +108,7 @@ class Puppet::FileServing::Fileset
   end
 
   def initialize_from_request(request)
-    [:links, :ignore, :recurse, :recurselimit, :checksum_type].each do |param|
+    [:links, :ignore, :recurse, :recurselimit, :max_files, :checksum_type].each do |param|
       if request.options.include?(param) # use 'include?' so the values can be false
         value = request.options[param]
       elsif request.options.include?(param.to_s)

data/lib/puppet/file_system/memory_file.rb

@@ -7,6 +7,13 @@ class Puppet::FileSystem::MemoryFile
     new(path, :exist? => false, :executable? => false)
   end
 
+  def self.a_missing_directory(path)
+    new(path,
+        :exist? => false,
+        :executable? => false,
+        :directory? => true)
+  end
+
   def self.a_regular_file_containing(path, content)
     new(path, :exist? => true, :executable? => false, :content => content)
   end
@@ -18,7 +25,7 @@ class Puppet::FileSystem::MemoryFile
   def self.a_directory(path, children = [])
     new(path,
         :exist? => true,
-        :excutable? => true,
+        :executable? => true,
         :directory? => true,
         :children => children)
   end

data/lib/puppet/file_system/windows.rb

@@ -128,6 +128,8 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
     end
 
     current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_user_name)
+    current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_sam_compatible_user_name) unless current_sid
+
     dacl = case mode
            when 0644
              dacl = secure_dacl(current_sid)

data/lib/puppet/functions/all.rb

@@ -51,7 +51,7 @@
 # notice $data.all |$key, $value| { $value % 10 == 0  and $key =~ /^abc/ }
 # ```
 #
-# Would notice true.
+# Would notice `true`.
 #
 # For an general examples that demonstrates iteration, see the Puppet
 # [iteration](https://puppet.com/docs/puppet/latest/lang_iteration.html)

data/lib/puppet/functions/camelcase.rb

@@ -3,7 +3,7 @@
 # This function is compatible with the stdlib function with the same name.
 #
 # The function does the following:
-# * For a `String` the conversion replaces all combinations of *_<char>* with an upcased version of the
+# * For a `String` the conversion replaces all combinations of `*_<char>*` with an upcased version of the
 #   character following the _.  This is done using Ruby system locale which handles some, but not all
 #   special international up-casing rules (for example German double-s ß is upcased to "Ss").
 # * For an `Iterable[Variant[String, Numeric]]` (for example an `Array`) each value is capitalized and the conversion is not recursive.

data/lib/puppet/functions/capitalize.rb

@@ -18,14 +18,14 @@
 # 'hello'.capitalize()
 # upcase('hello')
 # ```
-# Would both result in "Hello"
+# Would both result in `"Hello"`
 #
 # @example Capitalizing strings in an Array
 # ```puppet
 # ['abc', 'bcd'].capitalize()
 # capitalize(['abc', 'bcd'])
 # ```
-# Would both result in ['Abc', 'Bcd']
+# Would both result in `['Abc', 'Bcd']`
 #
 Puppet::Functions.create_function(:capitalize) do
 

data/lib/puppet/functions/downcase.rb

@@ -22,14 +22,14 @@
 # 'HELLO'.downcase()
 # downcase('HEllO')
 # ```
-# Would both result in "hello"
+# Would both result in `"hello"`
 #
 # @example Converting an Array to lower case
 # ```puppet
 # ['A', 'B'].downcase()
 # downcase(['A', 'B'])
 # ```
-# Would both result in ['a', 'b']
+# Would both result in `['a', 'b']`
 #
 # @example Converting a Hash to lower case
 # ```puppet

data/lib/puppet/functions/epp.rb

@@ -40,6 +40,7 @@ Puppet::Functions.create_function(:epp, Puppet::Functions::InternalFunction) do
     scope_param
     param 'String', :path
     optional_param 'Hash[Pattern[/^\w+$/], Any]', :parameters
+    return_type 'Variant[String, Sensitive[String]]'
   end
 
   def epp(scope, path, parameters = nil)

data/lib/puppet/functions/get.rb

@@ -23,20 +23,20 @@
 # #get($facts, 'os.family')
 # $facts.get('os.family')
 # ```
-# Would both result in the value of $facts['os']['family']
+# Would both result in the value of `$facts['os']['family']`
 #
 # @example Getting the value from an expression
 # ```puppet
 # get([1,2,[{'name' =>'waldo'}]], '2.0.name')
 # ```
-# Would result in 'waldo'
+# Would result in `'waldo'`
 #
 # @example Using a default value
 # ```puppet
 # get([1,2,[{'name' =>'waldo'}]], '2.1.name', 'not waldo')
 #
 # ```
-# Would result in 'not waldo'
+# Would result in `'not waldo'`
 #
 # @example Quoting a key with period
 # ```puppet
@@ -128,8 +128,8 @@ Puppet::Functions.create_function(:get, Puppet::Functions::InternalFunction) do
 
     # Note: split_key always processes the initial segment as a string even if it could be an integer.
     # This since it is designed for lookup keys. For a numeric first segment
-    # like '0.1' the wanted result is [0,1], not ["0", 1]. The workaround here is to
-    # prefix the navigation with "x." thus giving split_key a first segment that is a string.
+    # like '0.1' the wanted result is `[0,1]`, not `["0", 1]`. The workaround here is to
+    # prefix the navigation with `"x."` thus giving split_key a first segment that is a string.
     # The fake segment is then dropped.
     segments = split_key("x." + navigation) {|err| _("Syntax error in dotted-navigation string")}
     segments.shift