puppet 6.21.0-x64-mingw32 → 6.24.0-x64-mingw32

data/lib/puppet/network/formats.rb

@@ -183,6 +183,73 @@ Puppet::Network::FormatHandler.create(:console,
   end
 end
 
+Puppet::Network::FormatHandler.create(:flat,
+                                      :mime   => 'text/x-flat-text',
+                                      :weight => 0) do
+
+  def flatten_hash(hash)
+    hash.each_with_object({}) do |(k, v), h|
+      if v.is_a? Hash
+        flatten_hash(v).map do |h_k, h_v|
+          h["#{k}.#{h_k}"] = h_v
+        end
+      elsif v.is_a? Array
+        v.each_with_index do |el, i|
+          if el.is_a? Hash
+            flatten_hash(el).map do |el_k, el_v|
+              h["#{k}.#{i}.#{el_k}"] = el_v
+            end
+          else
+            h["#{k}.#{i}"] = el
+          end
+        end
+      else
+        h[k] = v
+      end
+    end
+  end
+
+  def flatten_array(array)
+    a={}
+    array.each_with_index do |el, i|
+      if el.is_a? Hash
+        flatten_hash(el).map do |el_k, el_v|
+          a["#{i}.#{el_k}"] = el_v
+        end
+      else
+        a["#{i}"] = el
+      end
+    end
+    a
+  end
+
+  def construct_output(data)
+    output = ''
+    data.each do |key, value|
+      output << "#{key}=#{value}"
+      output << "\n"
+    end
+    output
+  end
+
+  def render(datum)
+    return datum if datum.is_a?(String) || datum.is_a?(Numeric)
+    # Simple hash
+    if datum.is_a?(Hash)
+      data = flatten_hash(datum)
+      return construct_output(data)
+    elsif datum.is_a?(Array)
+      data = flatten_array(datum)
+      return construct_output(data)
+    end
+    Puppet::Util::Json.dump(datum, :pretty => true, :quirks_mode => true)
+  end
+  def render_multiple(data)
+    data.collect(&:render).join("\n")
+  end
+end
+
+
 Puppet::Network::FormatHandler.create(:rich_data_json, mime: 'application/vnd.puppet.rich+json', charset: Encoding::UTF_8, weight: 30) do
   def intern(klass, text)
     Puppet.override({:rich_data => true}) do

data/lib/puppet/network/http/factory.rb

@@ -27,6 +27,10 @@ class Puppet::Network::HTTP::Factory
 
     http = Puppet::Util::HttpProxy.proxy(URI(site.addr))
     http.use_ssl = site.use_ssl?
+    if site.use_ssl?
+      http.min_version = OpenSSL::SSL::TLS1_VERSION if http.respond_to?(:min_version)
+      http.ciphers = Puppet[:ciphers]
+    end
     http.read_timeout = Puppet[:http_read_timeout]
     http.open_timeout = Puppet[:http_connect_timeout]
     http.keep_alive_timeout = KEEP_ALIVE_TIMEOUT if http.respond_to?(:keep_alive_timeout=)

data/lib/puppet/parser/functions/fqdn_rand.rb

@@ -2,13 +2,16 @@ require 'digest/md5'
 require 'digest/sha2'
 
 Puppet::Parser::Functions::newfunction(:fqdn_rand, :arity => -2, :type => :rvalue, :doc =>
-  "Usage: `fqdn_rand(MAX, [SEED])`. MAX is required and must be a positive
-  integer; SEED is optional and may be any number or string.
+  "Usage: `fqdn_rand(MAX, [SEED], [DOWNCASE])`. MAX is required and must be a positive
+  integer; SEED is optional and may be any number or string; DOWNCASE is optional
+  and should be a boolean true or false.
 
   Generates a random Integer number greater than or equal to 0 and less than MAX,
   combining the `$fqdn` fact and the value of SEED for repeatable randomness.
   (That is, each node will get a different random number from this function, but
-  a given node's result will be the same every time unless its hostname changes.)
+  a given node's result will be the same every time unless its hostname changes.) If
+  DOWNCASE is true, then the `fqdn` fact will be downcased when computing the value
+  so that the result is not sensitive to the case of the `fqdn` fact.
 
   This function is usually used for spacing out runs of resource-intensive cron
   tasks that run on many nodes, which could cause a thundering herd or degrade
@@ -17,7 +20,12 @@ Puppet::Parser::Functions::newfunction(:fqdn_rand, :arity => -2, :type => :rvalu
   node. (For example, `fqdn_rand(30)`, `fqdn_rand(30, 'expensive job 1')`, and
   `fqdn_rand(30, 'expensive job 2')` will produce totally different numbers.)") do |args|
     max = args.shift.to_i
- 
+    initial_seed = args.shift
+    downcase = !!args.shift
+
+    fqdn = self['::fqdn']
+    fqdn = fqdn.downcase if downcase
+
     # Puppet 5.4's fqdn_rand function produces a different value than earlier versions
     # for the same set of inputs.
     # This causes problems because the values are often written into service configuration files.
@@ -27,9 +35,9 @@ Puppet::Parser::Functions::newfunction(:fqdn_rand, :arity => -2, :type => :rvalu
     # when running on a non-FIPS enabled platform and only using SHA256 on FIPS enabled
     # platforms.
     if Puppet::Util::Platform.fips_enabled?
-      seed = Digest::SHA256.hexdigest([self['::fqdn'],max,args].join(':')).hex
+      seed = Digest::SHA256.hexdigest([fqdn,max,initial_seed].join(':')).hex
     else
-      seed = Digest::MD5.hexdigest([self['::fqdn'],max,args].join(':')).hex
+      seed = Digest::MD5.hexdigest([fqdn,max,initial_seed].join(':')).hex
     end
 
     Puppet::Util.deterministic_rand_int(seed,max)

data/lib/puppet/pops/types/p_sem_ver_type.rb

@@ -95,16 +95,22 @@ class PSemVerType < PScalarType
       end
 
       def from_args(major, minor, patch, prerelease = nil, build = nil)
-        SemanticPuppet::Version.new(major, minor, patch, prerelease, build)
+        SemanticPuppet::Version.new(major, minor, patch, to_array(prerelease), to_array(build))
       end
 
       def from_hash(hash)
-        SemanticPuppet::Version.new(hash['major'], hash['minor'], hash['patch'], hash['prerelease'], hash['build'])
+        SemanticPuppet::Version.new(hash['major'], hash['minor'], hash['patch'], to_array(hash['prerelease']), to_array(hash['build']))
       end
 
       def on_error(str)
         _("The string '%{str}' cannot be converted to a SemVer") % { str: str }
       end
+
+      private
+
+      def to_array(component)
+        component ? [component] : nil
+      end
     end
   end
 

data/lib/puppet/pops/types/p_sensitive_type.rb

@@ -24,6 +24,16 @@ class PSensitiveType < PTypeWithContainedType
     def inspect
       "#<#{self}>"
     end
+
+    def hash
+      @value.hash
+    end
+
+    def ==(other)
+      other.is_a?(Sensitive) &&
+        other.hash == hash
+    end
+    alias eql? ==
   end
 
   def self.register_ptype(loader, ir)

data/lib/puppet/pops/types/type_mismatch_describer.rb

@@ -640,7 +640,7 @@ module Types
           result = ["#{label} expects (#{signature_string(sig)})"]
           result.concat(error_arrays[0].map { |e| "  rejected:#{e.chop_path(0).format}" })
         else
-          result = ["#{label} expects one of:"]
+          result = ["The function #{label} was called with arguments it does not accept. It expects one of:"]
           signatures.each_with_index do |sg, index|
             result << "  (#{signature_string(sg)})"
             result.concat(error_arrays[index].map { |e| "    rejected:#{e.chop_path(0).format}" })

data/lib/puppet/provider/exec/posix.rb

@@ -6,10 +6,22 @@ Puppet::Type.type(:exec).provide :posix, :parent => Puppet::Provider::Exec do
   defaultfor :feature => :posix
 
   desc <<-EOT
-    Executes external binaries directly, without passing through a shell or
-    performing any interpolation. This is a safer and more predictable way
-    to execute most commands, but prevents the use of globbing and shell
-    built-ins (including control logic like "for" and "if" statements).
+    Executes external binaries by invoking Ruby's `Kernel.exec`.
+    When the command is a string, it will be executed directly,
+    without a shell, if it follows these rules:
+     - no meta characters
+     - no shell reserved word and no special built-in
+
+    When the command is an Array of Strings, passed as `[cmdname, arg1, ...]`
+    it will be executed directly(the first element is taken as a command name
+    and the rest are passed as parameters to command with no shell expansion)
+    This is a safer and more predictable way to execute most commands,
+    but prevents the use of globbing and shell built-ins (including control
+    logic like "for" and "if" statements).
+
+    If the use of globbing and shell built-ins is desired, please check
+    the `shell` provider
+
   EOT
 
   # Verify that we have the executable

data/lib/puppet/provider/package/dnfmodule.rb

@@ -93,7 +93,7 @@ Puppet::Type.type(:package).provide :dnfmodule, :parent => :dnf do
         # module has no default profile and no profile was requested, so just enable the stream
         # DNF versions prior to 4.2.8 do not need this workaround
         # see https://bugzilla.redhat.com/show_bug.cgi?id=1669527
-        if @resource[:flavor] == nil && e.message =~ /^missing groups or modules: #{Regexp.quote(@resource[:name])}$/
+        if @resource[:flavor] == nil && e.message =~ /^(?:missing|broken) groups or modules: #{Regexp.quote(@resource[:name])}$/
           enable(args)
         else
           raise

data/lib/puppet/provider/package/nim.rb

@@ -154,20 +154,25 @@ Puppet::Type.type(:package).provide :nim, :parent => :aix, :source => :aix do
   # I spent a lot of time trying to figure out a solution that didn't
   # require parsing the `nimclient -o showres` output and was unable to
   # do so.
-  self::HEADER_LINE_REGEX      = /^([^\s]+)\s+[^@]+@@(I|R):(\1)\s+[^\s]+$/
-  self::PACKAGE_LINE_REGEX     = /^.*@@(I|R):(.*)$/
-  self::RPM_PACKAGE_REGEX      = /^(.*)-(.*-\d+) \2$/
+  self::HEADER_LINE_REGEX      = /^([^\s]+)\s+[^@]+@@(I|R|S):(\1)\s+[^\s]+$/
+  self::PACKAGE_LINE_REGEX     = /^.*@@(I|R|S):(.*)$/
+  self::RPM_PACKAGE_REGEX      = /^(.*)-(.*-\d+\w*) \2$/
   self::INSTALLP_PACKAGE_REGEX = /^(.*) (.*)$/
 
   # Here is some sample output that shows what the above regexes will be up
   # against:
-  # FOR AN INSTALLP PACKAGE:
+  # FOR AN INSTALLP(bff) PACKAGE:
   #
   #    mypackage.foo                                                           ALL  @@I:mypackage.foo _all_filesets
-  #    @ 1.2.3.1  MyPackage Runtime Environment                       @@I:mypackage.foo 1.2.3.1
   #    + 1.2.3.4  MyPackage Runtime Environment                       @@I:mypackage.foo 1.2.3.4
   #    + 1.2.3.8  MyPackage Runtime Environment                       @@I:mypackage.foo 1.2.3.8
   #
+  # FOR AN INSTALLP(bff) PACKAGE with security update:
+  #
+  #    bos.net                                                                 ALL  @@S:bos.net _all_filesets
+  #    + 7.2.0.1  TCP/IP ntp Applications                             @@S:bos.net.tcp.ntp 7.2.0.1
+  #    + 7.2.0.2  TCP/IP ntp Applications                             @@S:bos.net.tcp.ntp 7.2.0.2
+  #
   # FOR AN RPM PACKAGE:
   #
   # mypackage.foo                                                                ALL  @@R:mypackage.foo _all_filesets
@@ -243,7 +248,7 @@ Puppet::Type.type(:package).provide :nim, :parent => :aix, :source => :aix do
     package_string = match.captures[1]
 
     case package_type_flag
-      when "I"
+      when "I","S"
         parse_installp_package_string(package_string)
       when "R"
         parse_rpm_package_string(package_string)

data/lib/puppet/provider/package/pip.rb

@@ -127,7 +127,7 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
     if self.class.compare_pip_versions(command_version, '1.5.4') == -1
       available_versions_with_old_pip.last
     else
-      available_versions_with_new_pip.last
+      available_versions_with_new_pip(command_version).last
     end
   end
 
@@ -150,15 +150,17 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
     if self.class.compare_pip_versions(command_version, '1.5.4') == -1
       available_versions_with_old_pip
     else
-      available_versions_with_new_pip
+      available_versions_with_new_pip(command_version)
     end
   end
 
-  def available_versions_with_new_pip
+  def available_versions_with_new_pip(command_version)
     command = resource_or_provider_command
     self.class.validate_command(command)
 
     command_and_options = [self.class.quote(command), 'install', "#{@resource[:name]}==versionplease"]
+    extra_arg = list_extra_flags(command_version)
+    command_and_options << extra_arg if extra_arg
     command_and_options << install_options if @resource[:install_options]
     execpipe command_and_options do |process|
       process.collect do |line|
@@ -329,4 +331,14 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
       path
     end
   end
+
+  private
+
+  def list_extra_flags(command_version)
+    klass = self.class
+    if klass.compare_pip_versions(command_version, '20.2.4') == 1 &&
+      klass.compare_pip_versions(command_version, '21.1') == -1
+      '--use-deprecated=legacy-resolver'
+    end
+  end
 end

data/lib/puppet/provider/parsedfile.rb

@@ -280,6 +280,9 @@ class Puppet::Provider::ParsedFile < Puppet::Provider
   def self.prefetch_target(target)
     begin
       target_records = retrieve(target)
+      unless target_records
+        raise Puppet::DevError, _("Prefetching %{target} for provider %{name} returned nil") % { target: target, name: self.name }
+      end
     rescue Puppet::Util::FileType::FileReadError => detail
       if @raise_prefetch_errors
         # We will raise an error later in flush_target. This way,

data/lib/puppet/provider/service/systemd.rb

@@ -30,7 +30,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   def self.instances
     i = []
     output = systemctl('list-unit-files', '--type', 'service', '--full', '--all',  '--no-pager')
-    output.scan(/^(\S+)\s+(disabled|enabled|masked|indirect|bad|static)\s*$/i).each do |m|
+    output.scan(/^(\S+)\s+(disabled|enabled|masked|indirect|bad|static)\s*([^-]\S+)?\s*$/i).each do |m|
       Puppet.debug("#{m[0]} marked as bad by `systemctl`. It is recommended to be further checked.") if m[1] == "bad"
       i << new(:name => m[0])
     end
@@ -45,8 +45,13 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   def enabled_insync?(current)
     case cached_enabled?[:output]
     when 'static'
-      Puppet.debug("Unable to enable or disable static service #{@resource[:name]}")
-      return true
+      # masking static services is OK, but enabling/disabling them is not
+      if @resource[:enable] == :mask
+        current == @resource[:enable]
+      else
+        Puppet.debug("Unable to enable or disable static service #{@resource[:name]}")
+        return true
+      end
     when 'indirect'
       Puppet.debug("Service #{@resource[:name]} is in 'indirect' state and cannot be enabled/disabled")
       return true
@@ -159,10 +164,15 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   end
 
   def mask
-    self.disable
+    disable if exist?
     systemctl_change_enable(:mask)
   end
 
+  def exist?
+    result = execute([command(:systemctl), 'cat', '--', @resource[:name]], :failonfail => false)
+    result.exitstatus == 0
+  end
+
   def unmask
     systemctl_change_enable(:unmask)
   end

data/lib/puppet/provider/service/windows.rb

@@ -128,17 +128,55 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
     services
   end
 
+  def logonaccount_insync?(current)
+    @normalized_logon_account ||= normalize_logonaccount
+    @resource[:logonaccount] = @normalized_logon_account
+
+    insync = @resource[:logonaccount] == current
+    self.logonpassword = @resource[:logonpassword] if insync
+    insync
+  end
+
   def logonaccount
     return unless Puppet::Util::Windows::Service.exists?(@resource[:name])
     Puppet::Util::Windows::Service.logon_account(@resource[:name])
   end
 
   def logonaccount=(value)
+    validate_logon_credentials
     Puppet::Util::Windows::Service.set_startup_configuration(@resource[:name], options: {logon_account: value, logon_password: @resource[:logonpassword]})
     restart if @resource[:ensure] == :running && [:running, :paused].include?(status)
   end
 
   def logonpassword=(value)
+    validate_logon_credentials
     Puppet::Util::Windows::Service.set_startup_configuration(@resource[:name], options: {logon_password: value})
   end
+
+  private
+
+  def normalize_logonaccount
+    logon_account = @resource[:logonaccount].sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
+    return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(logon_account)
+
+    @logonaccount_information ||= Puppet::Util::Windows::SID.name_to_principal(logon_account)
+    return logon_account unless @logonaccount_information
+    return ".\\#{@logonaccount_information.account}" if @logonaccount_information.domain == Puppet::Util::Windows::ADSI.computer_name
+    @logonaccount_information.domain_account
+  end
+
+  def validate_logon_credentials
+    unless Puppet::Util::Windows::User::localsystem?(@normalized_logon_account)
+      raise Puppet::Error.new("\"#{@normalized_logon_account}\" is not a valid account") unless @logonaccount_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(@logonaccount_information.account_type)
+
+      user_rights = Puppet::Util::Windows::User::get_rights(@logonaccount_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(@normalized_logon_account)
+      raise Puppet::Error.new("\"#{@normalized_logon_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
+      raise Puppet::Error.new("\"#{@normalized_logon_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
+    end
+
+    is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@normalized_logon_account) || @normalized_logon_account == 'LocalSystem'
+    account_info = @normalized_logon_account.split("\\")
+    able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], @resource[:logonpassword], account_info[0]) unless is_a_predefined_local_account
+    raise Puppet::Error.new("The given password is invalid for user '#{@normalized_logon_account}'.") unless is_a_predefined_local_account || able_to_logon
+  end
 end

data/lib/puppet/provider/user/directoryservice.rb

@@ -435,7 +435,7 @@ Puppet::Type.type(:user).provide :directoryservice do
   ['home', 'uid', 'gid', 'comment', 'shell'].each do |setter_method|
     define_method("#{setter_method}=") do |value|
       if @property_hash[setter_method.intern]
-        if self.class.get_os_version.split('.').last.to_i >= 14 && %w(home uid).include?(setter_method)
+        if %w(home uid).include?(setter_method)
           raise Puppet::Error, "OS X version #{self.class.get_os_version} does not allow changing #{setter_method} using puppet"
         end
         begin
@@ -536,6 +536,14 @@ Puppet::Type.type(:user).provide :directoryservice do
       if (shadow_hash_data.class == Hash) && (shadow_hash_data.has_key?('SALTED-SHA512'))
         shadow_hash_data.delete('SALTED-SHA512')
       end
+
+      # Starting with macOS 11 Big Sur, the AuthenticationAuthority field
+      # could be missing entirely and without it the managed user cannot log in
+      if needs_sha512_pbkdf2_authentication_authority_to_be_added?(users_plist)
+        Puppet.debug("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user '#{@resource.name}'")
+        merge_attribute_with_dscl('Users', @resource.name, 'AuthenticationAuthority', ERB::Util.html_escape(SHA512_PBKDF2_AUTHENTICATION_AUTHORITY))
+      end
+
       set_salted_pbkdf2(users_plist, shadow_hash_data, 'entropy', value)
     end
   end
@@ -562,6 +570,17 @@ Puppet::Type.type(:user).provide :directoryservice do
     end
   end
 
+  # This method will check if authentication_authority key of a user's plist
+  # needs SALTED_SHA512_PBKDF2 to be added. This is a valid case for macOS 11 (Big Sur)
+  # where users created with `dscl` started to have this field missing
+  def needs_sha512_pbkdf2_authentication_authority_to_be_added?(users_plist)
+    authority = users_plist['authentication_authority']
+    return false if Puppet::Util::Package.versioncmp(self.class.get_os_version, '11.0.0') < 0 && authority && authority.include?(SHA512_PBKDF2_AUTHENTICATION_AUTHORITY)
+
+    Puppet.debug("User '#{@resource.name}' is missing the 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash")
+    true
+  end
+
   # This method will embed the binary plist data comprising the user's
   # password hash (and Salt/Iterations value if the OS is 10.8 or greater)
   # into the ShadowHashData key of the user's plist.
@@ -572,11 +591,7 @@ Puppet::Type.type(:user).provide :directoryservice do
     else
       users_plist['ShadowHashData'] = [binary_plist]
     end
-    if Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.15') < 0
-      write_users_plist_to_disk(users_plist)
-    else
-      write_and_import_shadow_hash_data(users_plist['ShadowHashData'].first)
-    end
+    write_and_import_shadow_hash_data(users_plist['ShadowHashData'].first)
   end
 
   # This method writes the ShadowHashData plist in a temporary file,
@@ -652,12 +667,6 @@ Puppet::Type.type(:user).provide :directoryservice do
     set_shadow_hash_data(users_plist, binary_plist)
   end
 
-  # This method will accept a plist in XML format, save it to disk, convert
-  # the plist to a binary format, and flush the dscl cache.
-  def write_users_plist_to_disk(users_plist)
-    Puppet::Util::Plist.write_plist_file(users_plist, "#{users_plist_dir}/#{@resource.name}.plist", :binary)
-  end
-
   # This is a simple wrapper method for writing values to a file.
   def write_to_file(filename, value)
     Puppet.deprecation_warning("Puppet::Type.type(:user).provider(:directoryservice).write_to_file is deprecated and will be removed in Puppet 5.")
@@ -667,4 +676,8 @@ Puppet::Type.type(:user).provide :directoryservice do
       raise Puppet::Error, "Could not write to file #{filename}: #{detail}", detail.backtrace
     end
   end
+
+  private
+
+  SHA512_PBKDF2_AUTHENTICATION_AUTHORITY = ';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>'
 end