puppet 6.21.1 → 6.25.0

data/lib/puppet/settings.rb

@@ -75,11 +75,11 @@ class Puppet::Settings
   end
 
   def self.hostname_fact()
-    Facter.value :hostname
+    Puppet.runtime[:facter].value :hostname
   end
 
   def self.domain_fact()
-    Facter.value :domain
+    Puppet.runtime[:facter].value :domain
   end
 
   def self.default_config_file_name
@@ -862,7 +862,11 @@ class Puppet::Settings
     if self[:user]
       user = Puppet::Type.type(:user).new :name => self[:user], :audit => :ensure
 
-      @service_user_available = user.exists?
+      if user.suitable?
+        @service_user_available = user.exists?
+      else
+        raise Puppet::Error, (_("Cannot manage owner permissions, because the provider for '%{name}' is not functional") % { name: user })
+      end
     else
       @service_user_available = false
     end
@@ -874,7 +878,11 @@ class Puppet::Settings
     if self[:group]
       group = Puppet::Type.type(:group).new :name => self[:group], :audit => :ensure
 
-      @service_group_available = group.exists?
+      if group.suitable?
+        @service_group_available = group.exists?
+      else
+        raise Puppet::Error, (_("Cannot manage group permissions, because the provider for '%{name}' is not functional") % { name: group })
+      end
     else
       @service_group_available = false
     end
@@ -883,9 +891,16 @@ class Puppet::Settings
   # Allow later inspection to determine if the setting was set on the
   # command line, or through some other code path.  Used for the
   # `dns_alt_names` option during cert generate. --daniel 2011-10-18
-  def set_by_cli?(param)
+  #
+  # @param param [String, Symbol] the setting to look up
+  # @return [Object, nil] the value of the setting or nil if unset
+  def set_by_cli(param)
     param = param.to_sym
-    !@value_sets[:cli].lookup(param).nil?
+    @value_sets[:cli].lookup(param)
+  end
+
+  def set_by_cli?(param)
+    !!set_by_cli(param)
   end
 
   # Get values from a search path entry.
@@ -918,9 +933,13 @@ class Puppet::Settings
     end
   end
 
-  # Allow later inspection to determine if the setting was set by user
-  # config, rather than a default setting.
-  def set_in_section?(param, section)
+  # Allow later inspection to determine if the setting was set in a specific
+  # section
+  #
+  # @param param [String, Symbol] the setting to look up
+  # @param section [Symbol] the section in which to look up the setting
+  # @return [Object, nil] the value of the setting or nil if unset
+  def set_in_section(param, section)
     param = param.to_sym
     vals = searchpath_values(SearchPathElement.new(section, :section))
     if vals
@@ -928,6 +947,10 @@ class Puppet::Settings
     end
   end
 
+  def set_in_section?(param, section)
+    !!set_in_section(param, section)
+  end
+
   # Patches the value for a param in a section.
   # This method is required to support the use case of unifying --dns-alt-names and
   # --dns_alt_names in the certificate face. Ideally this should be cleaned up.

data/lib/puppet/test/test_helper.rb

@@ -142,7 +142,9 @@ module Puppet::Test
         },
         "Context for specs")
 
-      Puppet.runtime.clear
+      # trigger `require 'facter'`
+      Puppet.runtime[:facter]
+
       Puppet::Parser::Functions.reset
       Puppet::Application.clear!
       Puppet::Util::Profiler.clear
@@ -169,6 +171,7 @@ module Puppet::Test
 
       Puppet::Util::Storage.clear
       Puppet::Util::ExecutionStub.reset
+      Puppet.runtime.clear
 
       Puppet.clear_deprecation_warnings
 

data/lib/puppet/transaction/additional_resource_generator.rb

@@ -137,7 +137,7 @@ class Puppet::Transaction::AdditionalResourceGenerator
       else
         @catalog.add_resource_after(parent_resource, res)
       end
-      @catalog.add_edge(@catalog.container_of(parent_resource), res)
+      @catalog.add_edge(@catalog.container_of(parent_resource), res) if @catalog.container_of(parent_resource)
       if @relationship_graph && priority
         # If we have a relationship_graph we should add the resource
         # to it (this is an eval_generate). If we don't, then the

data/lib/puppet/transaction/persistence.rb

@@ -87,7 +87,17 @@ class Puppet::Transaction::Persistence
 
   # Save data from internal class to persistence store on disk.
   def save
-    Puppet::Util::Yaml.dump(@new_data, Puppet[:transactionstorefile])
+    converted_data = Puppet::Pops::Serialization::ToDataConverter.convert(
+      @new_data, {
+        symbol_as_string: false,
+        local_reference: false,
+        type_by_reference: true,
+        force_symbol: true,
+        silence_warnings: true,
+        message_prefix: to_s
+      }
+    )
+    Puppet::Util::Yaml.dump(converted_data, Puppet[:transactionstorefile])
   end
 
   # Use the catalog and run_mode to determine if persistence should be enabled or not

data/lib/puppet/transaction/report.rb

@@ -77,6 +77,10 @@ class Puppet::Transaction::Report
   # @return [String] the environment name
   attr_accessor :environment
 
+  # The name of the environment the agent initially started in
+  # @return [String] the environment name
+  attr_accessor :initial_environment
+
   # Whether there are changes that we decided not to apply because of noop
   # @return [Boolean]
   #
@@ -377,7 +381,17 @@ class Puppet::Transaction::Report
   # @api public
   #
   def raw_summary
-    report = { "version" => { "config" => configuration_version, "puppet" => Puppet.version  } }
+    report = {
+      "version" => {
+        "config" => configuration_version,
+        "puppet" => Puppet.version
+      },
+      "application" => {
+        "run_mode" => Puppet.run_mode.name.to_s,
+        "initial_environment" => initial_environment,
+        "converged_environment" => environment
+      }
+    }
 
     @metrics.each do |name, metric|
       key = metric.name.to_s

data/lib/puppet/type/exec.rb

@@ -11,7 +11,10 @@ module Puppet
 
       * The command itself is already idempotent. (For example, `apt-get update`.)
       * The exec has an `onlyif`, `unless`, or `creates` attribute, which prevents
-        Puppet from running the command unless some condition is met.
+        Puppet from running the command unless some condition is met. The
+        `onlyif` and `unless` commands of an `exec` are used in the process of
+        determining whether the `exec` is already in sync, therefore they must be run
+        during a noop Puppet run.
       * The exec has `refreshonly => true`, which allows Puppet to run the
         command only when some other resource is changed. (See the notes on refreshing
         below.) 
@@ -198,10 +201,20 @@ module Puppet
         any output is logged at the `err` log level.
 
         Multiple `exec` resources can use the same `command` value; Puppet
-        only uses the resource title to ensure `exec`s are unique."
+        only uses the resource title to ensure `exec`s are unique.
+
+        On *nix platforms, the command can be specified as an array of
+        strings and Puppet will invoke it using the more secure method of
+        parameterized system calls. For example, rather than executing the
+        malicious injected code, this command will echo it out:
+
+            command => ['/bin/echo', 'hello world; rm -rf /']
+      "
 
       validate do |command|
-        raise ArgumentError, _("Command must be a String, got value of class %{klass}") % { klass: command.class } unless command.is_a? String
+        unless command.is_a?(String) || command.is_a?(Array)
+          raise ArgumentError, _("Command must be a String or Array<String>, got value of class %{klass}") % { klass: command.class }
+        end
       end
     end
 
@@ -454,10 +467,17 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
+        Since this command is used in the process of determining whether the
+        `exec` is already in sync, it must be run during a noop Puppet run.
+
         This parameter can also take an array of commands. For example:
 
             unless => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
+        or an array of arrays. For example:
+
+            unless => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
+
         This `exec` would only run if every command in the array has a
         non-zero exit code.
       EOT
@@ -510,10 +530,17 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
+        Since this command is used in the process of determining whether the
+        `exec` is already in sync, it must be run during a noop Puppet run.
+
         This parameter can also take an array of commands. For example:
 
             onlyif => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
+        or an array of arrays. For example:
+
+            onlyif => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
+
         This `exec` would only run if every command in the array has an
         exit code of 0 (success).
       EOT
@@ -562,12 +589,14 @@ module Puppet
       reqs << self[:cwd] if self[:cwd]
 
       file_regex = Puppet::Util::Platform.windows? ? %r{^([a-zA-Z]:[\\/]\S+)} : %r{^(/\S+)}
+      cmd = self[:command]
+      cmd = cmd[0] if cmd.is_a? Array
 
-      self[:command].scan(file_regex) { |str|
+      cmd.scan(file_regex) { |str|
         reqs << str
       }
 
-      self[:command].scan(/^"([^"]+)"/) { |str|
+      cmd.scan(/^"([^"]+)"/) { |str|
         reqs << str
       }
 
@@ -583,6 +612,7 @@ module Puppet
           # fully qualified.  It might not be a bad idea to add
           # unqualified files, but, well, that's a bit more annoying
           # to do.
+          line = line[0] if line.is_a? Array
           reqs += line.scan(file_regex)
         end
       }

data/lib/puppet/type/file/mode.rb

@@ -90,9 +90,15 @@ module Puppet
         raise Puppet::Error, "The file mode specification is invalid: #{value.inspect}"
       end
 
+      # normalizes to symbolic form, e.g. u+a, an octal string without leading 0
       normalize_symbolic_mode(value)
     end
 
+    unmunge do |value|
+      # return symbolic form or octal string *with* leading 0's
+      display_mode(value) if value
+    end
+
     def desired_mode_from_current(desired, current)
       current = current.to_i(8) if current.is_a? String
       is_a_directory = @resource.stat && @resource.stat.directory?

data/lib/puppet/type/file/selcontext.rb

@@ -42,7 +42,7 @@ module Puppet
         return nil
       end
 
-      context = self.get_selinux_default_context(@resource[:path])
+      context = self.get_selinux_default_context(@resource[:path], @resource[:ensure])
       unless context
         return nil
       end

data/lib/puppet/type/file.rb

@@ -93,23 +93,23 @@ Puppet::Type.newtype(:file) do
 
       Backing up to a local filebucket isn't particularly useful. If you want
       to make organized use of backups, you will generally want to use the
-      puppet master server's filebucket service. This requires declaring a
+      primary Puppet server's filebucket service. This requires declaring a
       filebucket resource and a resource default for the `backup` attribute
       in site.pp:
 
           # /etc/puppetlabs/puppet/manifests/site.pp
           filebucket { 'main':
             path   => false,                # This is required for remote filebuckets.
-            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
+            server => 'puppet.example.com', # Optional; defaults to the configured primary Puppet server.
           }
 
           File { backup => main, }
 
-      If you are using multiple puppet master servers, you will want to
+      If you are using multiple primary servers, you will want to
       centralize the contents of the filebucket. Either configure your load
-      balancer to direct all filebucket traffic to a single master, or use
+      balancer to direct all filebucket traffic to a single primary server, or use
       something like an out-of-band rsync task to synchronize the content on all
-      masters.
+      primary servers.
 
       > **Note**: Enabling and using the backup option, and by extension the 
         filebucket resource, requires appropriate planning and management to ensure 
@@ -220,6 +220,23 @@ Puppet::Type.newtype(:file) do
     end
   end
 
+  newparam(:max_files) do
+    desc "In case the resource is a directory and the recursion is enabled, puppet will
+      generate a new resource for each file file found, possible leading to
+      an excessive number of resources generated without any control.
+
+      Setting `max_files` will check the number of file resources that
+      will eventually be created and will raise a resource argument error if the
+      limit will be exceeded.
+
+      Use value `0` to log a warning instead of raising an error.
+
+      Use value `-1` to disable errors and warnings due to max files."
+
+    defaultto 0
+    newvalues(/^[0-9]+$/, /^-1$/)
+  end
+
   newparam(:replace, :boolean => true, :parent => Puppet::Parameter::Boolean) do
     desc "Whether to replace a file or symlink that already exists on the local system but
       whose content doesn't match what the `source` or `content` attribute
@@ -344,7 +361,7 @@ Puppet::Type.newtype(:file) do
       This command must have a fully qualified path, and should contain a
       percent (`%`) token where it would expect an input file. It must exit `0`
       if the syntax is correct, and non-zero otherwise. The command will be
-      run on the target system while applying the catalog, not on the puppet master.
+      run on the target system while applying the catalog, not on the primary Puppet server.
 
       Example:
 
@@ -576,7 +593,7 @@ Puppet::Type.newtype(:file) do
     options = @original_parameters.merge(:path => full_path).reject { |param, value| value.nil? }
 
     # These should never be passed to our children.
-    [:parent, :ensure, :recurse, :recurselimit, :target, :alias, :source].each do |param|
+    [:parent, :ensure, :recurse, :recurselimit, :max_files, :target, :alias, :source].each do |param|
       options.delete(param) if options.include?(param)
     end
 
@@ -753,6 +770,7 @@ Puppet::Type.newtype(:file) do
       :links => self[:links],
       :recurse => (self[:recurse] == :remote ? true : self[:recurse]),
       :recurselimit => self[:recurselimit],
+      :max_files => self[:max_files],
       :source_permissions => self[:source_permissions],
       :ignore => self[:ignore],
       :checksum_type => (self[:source] || self[:content]) ? self[:checksum] : :none,

data/lib/puppet/type/filebucket.rb

@@ -4,8 +4,8 @@ module Puppet
   Type.newtype(:filebucket) do
     @doc = <<-EOT
       A repository for storing and retrieving file content by MD5 checksum. Can
-      be local to each agent node, or centralized on a puppet master server. All
-      puppet masters provide a filebucket service that agent nodes can access
+      be local to each agent node, or centralized on a primary Puppet server. All
+      puppet servers provide a filebucket service that agent nodes can access
       via HTTP, but you must declare a filebucket resource before any agents
       will do so.
 
@@ -25,7 +25,7 @@ module Puppet
           # /etc/puppetlabs/puppet/manifests/site.pp
           filebucket { 'main':
             path   => false,                # This is required for remote filebuckets.
-            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
+            server => 'puppet.example.com', # Optional; defaults to the configured primary server.
           }
 
           File { backup => main, }

data/lib/puppet/type/group.rb

@@ -1,5 +1,4 @@
 require 'etc'
-require 'facter'
 require 'puppet/property/keyvalue'
 require 'puppet/parameter/boolean'
 

data/lib/puppet/type/resources.rb

@@ -175,7 +175,7 @@ Puppet::Type.newtype(:resources) do
     end
 
     # Otherwise, use a sensible default based on the OS family
-    @system_users_max_uid ||= case Facter.value(:osfamily)
+    @system_users_max_uid ||= case Puppet.runtime[:facter].value(:osfamily)
       when 'OpenBSD', 'FreeBSD'
         999
       else

data/lib/puppet/type/service.rb

@@ -38,6 +38,12 @@ module Puppet
     feature :enableable, "The provider can enable and disable the service.",
       :methods => [:disable, :enable, :enabled?]
 
+    feature :delayed_startable, "The provider can set service to delayed start",
+      :methods => [:delayed_start]
+
+    feature :manual_startable, "The provider can set service to manual start",
+      :methods => [:manual_start]
+
     feature :controllable, "The provider uses a control variable."
 
     feature :flaggable, "The provider can pass flags to the service."
@@ -67,7 +73,7 @@ module Puppet
         provider.disable
       end
 
-      newvalue(:manual, :event => :service_manual_start) do
+      newvalue(:manual, :event => :service_manual_start, :required_features => :manual_startable) do
         provider.manual_start
       end
 
@@ -81,8 +87,7 @@ module Puppet
         provider.enabled?
       end
 
-      # This only works on Windows systems.
-      newvalue(:delayed, :event => :service_delayed_start) do
+      newvalue(:delayed, :event => :service_delayed_start, :required_features => :delayed_startable) do
         provider.delayed_start
       end
 
@@ -90,12 +95,6 @@ module Puppet
         return provider.enabled_insync?(current) if provider.respond_to?(:enabled_insync?)
         super(current)
       end
-
-      validate do |value|
-        if (value == :manual || value == :delayed) && !Puppet::Util::Platform.windows?
-          raise Puppet::Error.new(_("Setting enable to %{value} is only supported on Microsoft Windows.") % { value: value.to_s} )
-        end
-      end
     end
 
     # Handle whether the service should actually be running right now.
@@ -139,23 +138,9 @@ module Puppet
     newproperty(:logonaccount, :required_features => :manages_logon_credentials) do
       desc "Specify an account for service logon"
 
-      munge do |value|
-        return value unless Puppet::Util::Platform.windows?
-        return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(value)
-
-        value.sub!(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
-        user_information = Puppet::Util::Windows::SID.name_to_principal(value)
-        raise Puppet::Error.new("\"#{value}\" is not a valid account") unless user_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(user_information.account_type)
-
-        user_rights = Puppet::Util::Windows::User::get_rights(user_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(value)
-        raise Puppet::Error.new("\"#{user_information.domain_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
-        raise Puppet::Error.new("\"#{user_information.domain_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
-
-        if user_information.domain == Puppet::Util::Windows::ADSI.computer_name
-          ".\\#{user_information.account}"
-        else
-          user_information.domain_account
-        end
+      def insync?(current)
+        return provider.logonaccount_insync?(current) if provider.respond_to?(:logonaccount_insync?)
+        super(current)
       end
     end
 
@@ -163,18 +148,7 @@ module Puppet
       desc "Specify a password for service logon. Default value is an empty string (when logonaccount is specified)."
 
       validate do |value|
-        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.") unless @resource[:logonaccount]
-        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) and value.include?(":")
-        return unless Puppet::Util::Platform.windows?
-
-        is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@resource[:logonaccount]) || @resource[:logonaccount] == 'LocalSystem'
-
-        account_info = @resource[:logonaccount].split("\\")
-        able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], value, account_info[0]) unless is_a_predefined_local_account
-
-        raise Puppet::Error.new("The given password is invalid for user '#{@resource[:logonaccount]}'.") unless is_a_predefined_local_account || able_to_logon
-
-        provider.logonpassword=(value)
+        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) && value.include?(":")
       end
 
       sensitive true
@@ -298,9 +272,14 @@ module Puppet
 
     newparam(:timeout, :required_features => :configurable_timeout) do
       desc "Specify an optional minimum timeout (in seconds) for puppet to wait when syncing service properties"
-      defaultto { provider.class.respond_to?(:default_timeout) ? provider.default_timeout : 10 }
-      validate do |value|
-        if (not value.is_a? Integer) || value < 1
+      defaultto { provider.respond_to?(:default_timeout) ? provider.default_timeout : 10 }
+
+      munge do |value|
+        begin
+          value = value.to_i
+          raise if value < 1
+          value
+        rescue
           raise Puppet::Error.new(_("\"%{value}\" is not a positive integer: the timeout parameter must be specified as a positive integer") % { value: value })
         end
       end
@@ -320,5 +299,11 @@ module Puppet
     def self.needs_ensure_retrieved
       false
     end
+
+    validate do
+      if @parameters[:logonpassword] && @parameters[:logonaccount].nil?
+        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.")
+      end
+    end
   end
 end

data/lib/puppet/type/tidy.rb

@@ -50,6 +50,22 @@ Puppet::Type.newtype(:tidy) do
     end
   end
 
+  newparam(:max_files) do
+    desc "In case the resource is a directory and the recursion is enabled, puppet will
+      generate a new resource for each file file found, possible leading to
+      an excessive number of resources generated without any control.
+
+      Setting `max_files` will check the number of file resources that
+      will eventually be created and will raise a resource argument error if the
+      limit will be exceeded.
+
+      Use value `0` to disable the check. In this case, a warning is logged if
+      the number of files exceeds 1000."
+
+    defaultto 0
+    newvalues(/^[0-9]+$/)
+  end
+
   newparam(:matches) do
     desc <<-'EOT'
       One or more (shell type) file glob patterns, which restrict
@@ -128,7 +144,7 @@ Puppet::Type.newtype(:tidy) do
 
     def tidy?(path, stat)
       # If the file's older than we allow, we should get rid of it.
-      (Time.now.to_i - stat.send(resource[:type]).to_i) > value
+      (Time.now.to_i - stat.send(resource[:type]).to_i) >= value
     end
 
     munge do |age|
@@ -256,9 +272,12 @@ Puppet::Type.newtype(:tidy) do
 
     case self[:recurse]
     when Integer, /^\d+$/
-      parameter = { :recurse => true, :recurselimit => self[:recurse] }
+      parameter = { :max_files => self[:max_files],
+                    :recurse => true,
+                    :recurselimit => self[:recurse] }
     when true, :true, :inf
-      parameter = { :recurse => true }
+      parameter = { :max_files => self[:max_files],
+                    :recurse => true }
     end
 
     if parameter

data/lib/puppet/type/user.rb

@@ -1,5 +1,4 @@
 require 'etc'
-require 'facter'
 require 'puppet/parameter/boolean'
 require 'puppet/property/list'
 require 'puppet/property/ordered_list'
@@ -67,6 +66,7 @@ module Puppet
     newproperty(:ensure, :parent => Puppet::Property::Ensure) do
       newvalue(:present, :event => :user_created) do
         provider.create
+        @resource.generate
       end
 
       newvalue(:absent, :event => :user_removed) do
@@ -695,6 +695,7 @@ module Puppet
 
     def generate
       if !self[:purge_ssh_keys].empty?
+        return [] if self[:ensure] == :present && !provider.exists? 
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
         else
@@ -743,25 +744,6 @@ module Puppet
         end
         raise ArgumentError, _("purge_ssh_keys must be true, false, or an array of file names, not %{value}") % { value: value.inspect }
       end
-
-      munge do |value|
-        # Resolve string, boolean and symbol forms of true and false to a
-        # single representation.
-        test_sym = value.to_s.intern
-        value = test_sym if [:true, :false].include? test_sym
-
-        return [] if value == :false
-        home = resource[:home] || Dir.home(resource[:name])
-
-        return [ "#{home}/.ssh/authorized_keys" ] if value == :true
-        # value is an array - munge each value
-        [ value ].flatten.map do |entry|
-          # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
-          entry = entry.gsub(/^~\//, "#{home}/")
-          entry.gsub!(/^%h\//, "#{home}/")
-          entry
-        end
-      end
     end
 
     newproperty(:loginclass, :required_features => :manages_loginclass) do
@@ -783,7 +765,7 @@ module Puppet
     # @see generate
     # @api private
     def find_unmanaged_keys
-      self[:purge_ssh_keys].
+      munged_unmanaged_keys.
         select { |f| File.readable?(f) }.
         map { |f| unknown_keys_in_file(f) }.
         flatten.each do |res|
@@ -795,6 +777,41 @@ module Puppet
         end
     end
 
+    def munged_unmanaged_keys
+      value = self[:purge_ssh_keys]
+
+      # Resolve string, boolean and symbol forms of true and false to a
+      # single representation.
+      test_sym = value.to_s.intern
+      value = test_sym if [:true, :false].include? test_sym
+
+      return [] if value == :false
+
+      home = self[:home]
+      begin
+        home ||= provider.home
+      rescue
+        Puppet.debug("User '#{self[:name]}' does not exist")
+      end
+
+      if home.to_s.empty? || !Dir.exist?(home.to_s)
+        if value == :true || [ value ].flatten.any? { |v| v.start_with?('~/', '%h/') }
+          Puppet.debug("User '#{self[:name]}' has no home directory set to purge ssh keys from.")
+          return []
+        end
+      end
+
+      return [ "#{home}/.ssh/authorized_keys" ] if value == :true
+
+      # value is an array - munge each value
+      [ value ].flatten.map do |entry|
+        # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
+        entry = entry.gsub(/^~\//, "#{home}/")
+        entry.gsub!(/^%h\//, "#{home}/")
+        entry
+      end
+    end
+
     # Parse an ssh authorized keys file superficially, extract the comments
     # on the keys. These are considered names of possible ssh_authorized_keys
     # resources. Keys that are managed by the present catalog are ignored.