puppet 6.21.1 → 6.25.0

data/lib/puppet/type.rb

@@ -1295,7 +1295,7 @@ class Type
       like it does when running normally. However, if a resource attribute is not in
       the desired state (as declared in the catalog), Puppet will take no
       action, and will instead report the changes it _would_ have made. These
-      simulated changes will appear in the report sent to the puppet master, or
+      simulated changes will appear in the report sent to the primary Puppet server, or
       be shown on the console if running puppet agent or puppet apply in the
       foreground. The simulated changes will not send refresh events to any
       subscribing or notified resources, although Puppet will log that a refresh

data/lib/puppet/util/command_line.rb

@@ -135,7 +135,7 @@ module Puppet
 
               # Puppet requires Facter, which initializes its lookup paths. Reset Facter to
               # pickup the new $LOAD_PATH.
-              Facter.reset
+              Puppet.runtime[:facter].reset
             end
           end
 

data/lib/puppet/util/fact_dif.rb

@@ -1,15 +1,24 @@
 require 'json'
 
 class FactDif
-  def initialize(old_output, new_output, exclude_list = [])
-    @c_facter = JSON.parse(old_output)['values']
-    @next_facter = JSON.parse(new_output)['values']
+  def initialize(old_output, new_output, exclude_list, save_structured)
+    @c_facter = JSON.parse(old_output)
+    @next_facter = JSON.parse(new_output)
     @exclude_list = exclude_list
+    @save_structured = save_structured
+    @flat_diff = []
     @diff = {}
   end
 
   def difs
-    search_hash(@c_facter, [])
+    search_hash(((@c_facter.to_a - @next_facter.to_a) | (@next_facter.to_a - @c_facter.to_a)).to_h)
+
+    @flat_diff.sort_by { |a| a[0] }.each do |pair|
+      fact_path = pair[0]
+      value = pair[1]
+      compare(fact_path, value, @c_facter)
+      compare(fact_path, value, @next_facter)
+    end
 
     @diff
   end
@@ -28,29 +37,39 @@ class FactDif
         path.pop
       end
     else
-      compare(path, sh)
+      @flat_diff.push([path.dup, sh])
     end
   end
 
-  def compare(fact_path, old_value)
-    new_value = @next_facter.dig(*fact_path)
-    if different?(new_value, old_value) && !excluded?(fact_path.join('.'))
-      @diff[fact_path.join('.')] = { new_value: new_value, old_value: old_value }
+  def compare(fact_path, given_value, compared_hash)
+    compared_value = compared_hash.dig(*fact_path)
+    if different?(compared_value, given_value) && !excluded?(fact_path.join('.'))
+      fact_path = fact_path.map{|f| f.to_s.include?('.') ? "\"#{f}\"" : f}.join('.') unless @save_structured
+      if compared_hash == @c_facter
+        bury(*fact_path, { :new_value => given_value, :old_value => compared_value }, @diff)
+      else
+        bury(*fact_path, { :new_value => compared_value, :old_value => given_value }, @diff)
+      end
+    end
+  end
+
+  def bury(*paths, value, hash)
+    if paths.count > 1
+      path = paths.shift
+      hash[path] = Hash.new unless hash.key?(path)
+      bury(*paths, value, hash[path])
+    else
+      hash[*paths] = value
     end
   end
 
   def different?(new, old)
-    if old.is_a?(String) && new.is_a?(String)
+    if old.is_a?(String) && new.is_a?(String) && (old.include?(',') || new.include?(','))
       old_values = old.split(',')
       new_values = new.split(',')
 
-      diff = old_values - new_values
-      # also add new entries only available in Facter 4
-      diff.concat(new_values - old_values)
-
-      return true if diff.any?
-
-      return false
+      diff = (old_values - new_values) | (new_values - old_values)
+      return diff.size.positive?
     end
 
     old != new

data/lib/puppet/util/filetype.rb

@@ -215,7 +215,7 @@ class Puppet::Util::FileType
     # Remove a specific @path's cron tab.
     def remove
       cmd = "#{cmdbase} -r"
-      if %w{Darwin FreeBSD DragonFly}.include?(Facter.value("operatingsystem"))
+      if %w{Darwin FreeBSD DragonFly}.include?(Puppet.runtime[:facter].value("operatingsystem"))
         cmd = "/bin/echo yes | #{cmd}"
       end
 
@@ -244,7 +244,7 @@ class Puppet::Util::FileType
     # Only add the -u flag when the @path is different.  Fedora apparently
     # does not think I should be allowed to set the @path to my own user name
     def cmdbase
-      if @uid == Puppet::Util::SUIDManager.uid || Facter.value(:operatingsystem) == "HP-UX"
+      if @uid == Puppet::Util::SUIDManager.uid || Puppet.runtime[:facter].value(:operatingsystem) == "HP-UX"
         return "crontab"
       else
         return "crontab -u #{@path}"

data/lib/puppet/util/json.rb

@@ -60,6 +60,9 @@ module Puppet::Util
     def self.dump(object, options = {})
       if defined? MultiJson
         MultiJson.dump(object, options)
+      elsif options.is_a?(JSON::State)
+        # we're being called recursively
+        object.to_json(options)
       else
         options.merge!(::JSON::PRETTY_STATE_PROTOTYPE.to_h) if options.delete(:pretty)
         object.to_json(options)

data/lib/puppet/util/log.rb

@@ -2,7 +2,6 @@ require 'puppet/util/tagging'
 require 'puppet/util/classgen'
 require 'puppet/util/psych_support'
 require 'puppet/network/format_support'
-require 'facter'
 
 # Pass feedback to the user.  Log levels are modeled after syslog's, and it is
 # expected that that will be the most common log destination.  Supports
@@ -111,7 +110,7 @@ class Puppet::Util::Log
     @loglevel = @levels.index(level)
 
     # Enable or disable Facter debugging
-    Facter.debugging(level == :debug) if Facter.respond_to? :debugging
+    Puppet.runtime[:facter].debugging(level == :debug)
   end
 
   def Log.levels

data/lib/puppet/util/logging.rb

@@ -2,8 +2,6 @@
 require 'puppet/util/log'
 require 'puppet/error'
 
-require 'facter'
-
 module Puppet::Util
 module Logging
 
@@ -254,29 +252,7 @@ module Logging
   # Sets up Facter logging.
   # This method causes Facter output to be forwarded to Puppet.
   def self.setup_facter_logging!
-    # Only recent versions of Facter support this feature
-    return false unless Facter.respond_to? :on_message
-
-    # The current Facter log levels are: :trace, :debug, :info, :warn, :error, and :fatal.
-    # Convert to the corresponding levels in Puppet
-    Facter.on_message do |level, message|
-      case level
-      when :trace, :debug
-        level = :debug
-      when :info
-        # Same as Puppet
-      when :warn
-        level = :warning
-      when :error
-        level = :err
-      when :fatal
-        level = :crit
-      else
-        next
-      end
-      Puppet::Util::Log.create({:level => level, :source => 'Facter', :message => message})
-      nil
-    end
+    Puppet.runtime[:facter]
     true
   end
 

data/lib/puppet/util/monkey_patches.rb

@@ -32,6 +32,13 @@ end
 # (#19151) Reject all SSLv2 ciphers and handshakes
 require 'puppet/ssl/openssl_loader'
 unless Puppet::Util::Platform.jruby_fips?
+  unless defined?(OpenSSL::SSL::TLS1_VERSION)
+    module OpenSSL::SSL
+      # see https://github.com/ruby/ruby/commit/609103dbb5fb182eec12f052226c43e39b907682#diff-09f822c26289f5347111795ca22ed7ed1cfadd6ebd28f987991d1d414eef565aR2755-R2759
+      OpenSSL::SSL::TLS1_VERSION = 0x301
+    end
+  end
+
   class OpenSSL::SSL::SSLContext
     if DEFAULT_PARAMS[:options]
       DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3

data/lib/puppet/util/pidlock.rb

@@ -46,7 +46,7 @@ class Puppet::Util::Pidlock
   private
 
   def ps_argument_for_current_kernel
-    case Facter.value(:kernel)
+    case Puppet.runtime[:facter].value(:kernel)
       when "Linux"
         "-eq"
       when "AIX"

data/lib/puppet/util/rdoc/parser/puppet_parser_core.rb

@@ -154,7 +154,7 @@ module RDoc::PuppetParserCore
         # fetch comments
         if line =~ /^[ \t]*# ?(.*)$/
           comments += $1 + "\n"
-        elsif line =~ /^[ \t]*Facter.add\(['"](.*?)['"]\)/
+        elsif line =~ /^[ \t]*(Facter.add|Puppet\.runtime\[:facter\].add)\(['"](.*?)['"]\)/
           current_fact = RDoc::Fact.new($1,{})
           look_for_directives_in(container, comments) unless comments.empty?
           current_fact.comment = comments

data/lib/puppet/util/selinux.rb

@@ -13,6 +13,10 @@ require 'pathname'
 
 module Puppet::Util::SELinux
 
+  S_IFREG = 0100000
+  S_IFDIR = 0040000
+  S_IFLNK = 0120000
+
   def self.selinux_support?
     return false unless defined?(Selinux)
     if Selinux.is_selinux_enabled == 1
@@ -38,7 +42,7 @@ module Puppet::Util::SELinux
 
   # Retrieve and return the default context of the file.  If we don't have
   # SELinux support or if the SELinux call fails to file a default then return nil.
-  def get_selinux_default_context(file)
+  def get_selinux_default_context(file, resource_ensure=nil)
     return nil unless selinux_support?
     # If the filesystem has no support for SELinux labels, return a default of nil
     # instead of what matchpathcon would return
@@ -48,8 +52,14 @@ module Puppet::Util::SELinux
     begin
       filestat = file_lstat(file)
       mode = filestat.mode
-    rescue Errno::EACCES, Errno::ENOENT
+    rescue Errno::EACCES
       mode = 0
+    rescue Errno::ENOENT
+      if resource_ensure
+        mode = get_create_mode(resource_ensure)
+      else
+        mode = 0
+      end
     end
 
     retval = Selinux.matchpathcon(file, mode)
@@ -136,8 +146,8 @@ module Puppet::Util::SELinux
   # Puppet uses.  This will set the file's SELinux context to the policy's
   # default context (if any) if it differs from the context currently on
   # the file.
-  def set_selinux_default_context(file)
-    new_context = get_selinux_default_context(file)
+  def set_selinux_default_context(file, resource_ensure=nil)
+    new_context = get_selinux_default_context(file, resource_ensure)
     return nil unless new_context
     cur_context = get_selinux_current_context(file)
     if new_context != cur_context
@@ -198,6 +208,22 @@ module Puppet::Util::SELinux
     filesystems.include?(fstype)
   end
 
+  # Get mode file type bits set based on ensure on
+  # the file resource. This helps SELinux determine
+  # what context a new resource being created should have.
+  def get_create_mode(resource_ensure)
+    mode = 0
+    case resource_ensure
+    when :present, :file
+      mode |= S_IFREG
+    when :directory
+      mode |= S_IFDIR
+    when :link
+      mode |= S_IFLNK
+    end
+    mode
+  end
+
   # Internal helper function to read and parse /proc/mounts
   def read_mounts
     mounts = ""

data/lib/puppet/util/suidmanager.rb

@@ -1,4 +1,3 @@
-require 'facter'
 require 'puppet/util/warnings'
 require 'forwardable'
 require 'etc'
@@ -18,7 +17,7 @@ module Puppet::Util::SUIDManager
 
   def osx_maj_ver
     return @osx_maj_ver unless @osx_maj_ver.nil?
-    @osx_maj_ver = Facter.value('macosx_productversion_major') || false
+    @osx_maj_ver = Puppet.runtime[:facter].value('macosx_productversion_major') || false
   end
   module_function :osx_maj_ver
 

data/lib/puppet/util/symbolic_file_mode.rb

@@ -19,25 +19,37 @@ module SymbolicFileMode
     return false
   end
 
+  def display_mode(value)
+    if value =~ /^0?[0-7]{1,4}$/
+      value.rjust(4, "0")
+    else
+      value
+    end
+  end
+
   def normalize_symbolic_mode(value)
     return nil if value.nil?
 
     # We need to treat integers as octal numbers.
-    if value.is_a? Numeric then
-      return value.to_s(8)
-    elsif value =~ /^0?[0-7]{1,4}$/ then
-      return value.to_i(8).to_s(8)
+    #
+    # "A numeric mode is from one to four octal digits (0-7), derived by adding
+    # up the bits with values 4, 2, and 1. Omitted digits are assumed to be
+    # leading zeros."
+    if value.is_a? Numeric
+      value.to_s(8)
+    elsif value =~ /^0?[0-7]{1,4}$/
+      value.to_i(8).to_s(8) # strip leading 0's
     else
-      return value
+      value
     end
   end
 
   def symbolic_mode_to_int(modification, to_mode = 0, is_a_directory = false)
-    if modification.nil? or modification == '' then
+    if modification.nil? or modification == ''
       raise Puppet::Error, _("An empty mode string is illegal")
-    end
-    if modification =~ /^[0-7]+$/ then return modification.to_i(8) end
-    if modification =~ /^\d+$/ then
+    elsif modification =~ /^[0-7]+$/
+      return modification.to_i(8)
+    elsif modification =~ /^\d+$/
       raise Puppet::Error, _("Numeric modes must be in octal, not decimal!")
     end
 
@@ -84,31 +96,31 @@ module SymbolicFileMode
 
           dsl.split('').each do |op|
             case op
-            when /[-+=]/ then
+            when /[-+=]/
               action = op
               # Clear all bits, if this is assignment
               value  = 0 if op == '='
 
-            when /[ugo]/ then
+            when /[ugo]/
               value = actions[action].call(value, snapshot_mode[op])
 
-            when /[rwx]/ then
+            when /[rwx]/
               value = actions[action].call(value, SymbolicMode[op])
 
-            when 'X' then
+            when 'X'
               # Only meaningful in combination with "set" actions.
-              if action != '+' then
+              if action != '+'
                 raise Puppet::Error, _("X only works with the '+' operator")
               end
 
               # As per the BSD manual page, set if this is a directory, or if
               # any execute bit is set on the original (unmodified) mode.
               # Ignored otherwise; it is "add if", not "add or clear".
-              if is_a_directory or original_mode['any x?'] then
+              if is_a_directory or original_mode['any x?']
                 value = actions[action].call(value, ExecBit)
               end
 
-            when /[st]/ then
+            when /[st]/
               bit = SymbolicSpecialToBit[op][who] or fail _("internal error")
               final_mode['s'] = actions[action].call(final_mode['s'], bit)
 
@@ -122,7 +134,7 @@ module SymbolicFileMode
         end
 
       rescue Puppet::Error => e
-        if part.inspect != modification.inspect then
+        if part.inspect != modification.inspect
           rest = " at #{part.inspect}"
         else
           rest = ''

data/lib/puppet/util/tagging.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'puppet/util/tag_set'
 
 module Puppet::Util::Tagging

data/lib/puppet/util/windows/adsi.rb

@@ -504,6 +504,43 @@ module Puppet::Util::Windows::ADSI
       user_name
     end
 
+    # https://docs.microsoft.com/en-us/windows/win32/api/secext/ne-secext-extended_name_format
+    NameUnknown           = 0
+    NameFullyQualifiedDN  = 1
+    NameSamCompatible     = 2
+    NameDisplay           = 3
+    NameUniqueId          = 6
+    NameCanonical         = 7
+    NameUserPrincipal     = 8
+    NameCanonicalEx       = 9
+    NameServicePrincipal  = 10
+    NameDnsDomain         = 12
+    NameGivenName         = 13
+    NameSurname           = 14
+
+    def self.current_user_name_with_format(format)
+      user_name = ''
+      max_length = 1024
+
+      FFI::MemoryPointer.new(:lpwstr, max_length * 2 + 1) do |buffer|
+        FFI::MemoryPointer.new(:dword, 1) do |buffer_size|
+          buffer_size.write_dword(max_length + 1)
+
+          if GetUserNameExW(format.to_i, buffer, buffer_size) == FFI::WIN32_FALSE
+            raise Puppet::Util::Windows::Error.new(_("Failed to get user name"), FFI.errno)
+          end
+
+          user_name = buffer.read_wide_string(buffer_size.read_dword).chomp
+        end
+      end
+
+      user_name
+    end
+
+    def self.current_sam_compatible_user_name
+      current_user_name_with_format(NameSamCompatible)
+    end
+
     def self.current_user_sid
       Puppet::Util::Windows::SID.name_to_principal(current_user_name)
     end
@@ -518,6 +555,15 @@ module Puppet::Util::Windows::ADSI
     ffi_lib :advapi32
     attach_function_private :GetUserNameW,
       [:lpwstr, :lpdword], :win32_bool
+
+    # https://docs.microsoft.com/en-us/windows/win32/api/secext/nf-secext-getusernameexa
+    # BOOLEAN SEC_ENTRY GetUserNameExA(
+    #   EXTENDED_NAME_FORMAT NameFormat,
+    #   LPSTR                lpNameBuffer,
+    #   PULONG               nSize
+    # );type
+    ffi_lib :secur32
+    attach_function_private :GetUserNameExW, [:uint16, :lpwstr, :pointer], :win32_bool
   end
 
   class UserProfile

data/lib/puppet/util/windows/api_types.rb

@@ -19,7 +19,7 @@ module Puppet::Util::Windows::APITypes
 
   class ::FFI::Pointer
     NULL_HANDLE = 0
-    WCHAR_NULL = "\0\0".encode('UTF-16LE').freeze
+    WCHAR_NULL = "\0\0".force_encoding('UTF-16LE').freeze
 
     def self.from_string_to_wide_string(str, &block)
       str = Puppet::Util::Windows::String.wide_string(str)

data/lib/puppet/util/windows/principal.rb

@@ -44,7 +44,8 @@ module Puppet::Util::Windows::SID
     ERROR_INVALID_PARAMETER   = 87
     ERROR_INSUFFICIENT_BUFFER = 122
 
-    def self.lookup_account_name(system_name = nil, account_name)
+    def self.lookup_account_name(system_name = nil, sanitize = true, account_name)
+      account_name = sanitize_account_name(account_name) if sanitize
       system_name_ptr = FFI::Pointer::NULL
       begin
         if system_name
@@ -146,6 +147,13 @@ module Puppet::Util::Windows::SID
       end
     end
 
+    # Sanitize the given account name for lookup to avoid known issues
+    def self.sanitize_account_name(account_name)
+      return account_name unless account_name.start_with?('APPLICATION PACKAGE AUTHORITY\\')
+      account_name.split('\\').last
+    end
+    private_class_method :sanitize_account_name
+
     ffi_convention :stdcall
 
     # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379601(v=vs.85).aspx
@@ -191,4 +199,3 @@ module Puppet::Util::Windows::SID
       [:lpcwstr, :pointer, :lpwstr, :lpdword, :lpwstr, :lpdword, :pointer], :win32_bool
   end
 end
-

data/lib/puppet/util/windows/sid.rb

@@ -74,11 +74,15 @@ module Puppet::Util::Windows
         string_to_sid_ptr(name) do |sid_ptr|
           raw_sid_bytes = sid_ptr.read_array_of_uchar(get_length_sid(sid_ptr))
         end
-      rescue
+      rescue => e
+        # Avoid debug logs pollution with valid account names
+        # https://docs.microsoft.com/en-us/windows/win32/api/sddl/nf-sddl-convertstringsidtosidw#return-value
+        Puppet.debug("Could not retrieve raw SID bytes from '#{name}': #{e.message}") unless e.code == ERROR_INVALID_SID_STRUCTURE
       end
 
       raw_sid_bytes ? Principal.lookup_account_sid(raw_sid_bytes) : Principal.lookup_account_name(name)
-    rescue
+    rescue => e
+      Puppet.debug("#{e.message}")
       (allow_unresolved && raw_sid_bytes) ? unresolved_principal(name, raw_sid_bytes) : nil
     end
     module_function :name_to_principal

data/lib/puppet/util/windows/user.rb

@@ -1,6 +1,4 @@
 require 'puppet/util/windows'
-
-require 'facter'
 require 'ffi'
 
 module Puppet::Util::Windows::User

data/lib/puppet/util.rb

@@ -763,12 +763,13 @@ module Util
   # Executes a block of code, wrapped around Facter.load_external(false) and
   # Facter.load_external(true) which will cause Facter to not evaluate external facts.
   def skip_external_facts
-    return yield unless Facter.respond_to? :load_external
+    return yield unless Puppet.runtime[:facter].load_external?
+
     begin
-      Facter.load_external(false)
+      Puppet.runtime[:facter].load_external(false)
       yield
     ensure
-      Facter.load_external(true)
+      Puppet.runtime[:facter].load_external(true)
     end
   end
   module_function :skip_external_facts

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '6.21.1'
+  PUPPETVERSION = '6.25.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/lib/puppet.rb

@@ -12,7 +12,6 @@ $LOAD_PATH.extend(Puppet::Concurrent::Synchronized)
 # see the bottom of the file for further inclusions
 # Also see the new Vendor support - towards the end
 #
-require 'facter'
 require 'puppet/error'
 require 'puppet/util'
 require 'puppet/util/autoload'
@@ -88,9 +87,6 @@ module Puppet
   require 'puppet/util/logging'
   extend Puppet::Util::Logging
 
-  # Setup facter's logging
-  Puppet::Util::Logging.setup_facter_logging!
-
   # The feature collection
   @features = Puppet::Util::Feature.new('puppet/feature')
 
@@ -199,15 +195,15 @@ module Puppet
   def self.initialize_facts
     # Add the puppetversion fact; this is done before generating the hash so it is
     # accessible to custom facts.
-    Facter.add(:puppetversion) do
+    Puppet.runtime[:facter].add(:puppetversion) do
       setcode { Puppet.version.to_s }
     end
 
-    Facter.add(:agent_specified_environment) do
+    Puppet.runtime[:facter].add(:agent_specified_environment) do
       setcode do
-        if Puppet.settings.set_by_config?(:environment)
-          Puppet[:environment]
-        end
+        Puppet.settings.set_by_cli(:environment) ||
+          Puppet.settings.set_in_section(:environment, :agent) ||
+          Puppet.settings.set_in_section(:environment, :main)
       end
     end
   end