puppet 6.22.1-universal-darwin → 6.23.0-universal-darwin

data/lib/puppet/http/service/file_server.rb

@@ -106,7 +106,7 @@ class Puppet::HTTP::Service::FileServer < Puppet::HTTP::Service
   #   An array with the request response and an array of the deserialized
   #   metadata for each file returned from the server
   #
-  def get_file_metadatas(path: nil, environment:, recurse: :false, recurselimit: nil, ignore: nil, links: :manage, checksum_type: Puppet[:digest_algorithm], source_permissions: :ignore)
+  def get_file_metadatas(path: nil, environment:, recurse: :false, recurselimit: nil, max_files: nil, ignore: nil, links: :manage, checksum_type: Puppet[:digest_algorithm], source_permissions: :ignore)
     validate_path(path)
 
     headers = add_puppet_headers('Accept' => get_mime_types(Puppet::FileServing::Metadata).join(', '))
@@ -117,6 +117,7 @@ class Puppet::HTTP::Service::FileServer < Puppet::HTTP::Service
       params: {
         recurse: recurse,
         recurselimit: recurselimit,
+        max_files: max_files,
         ignore: ignore,
         links: links,
         checksum_type: checksum_type,

data/lib/puppet/indirector/catalog/compiler.rb

@@ -194,6 +194,7 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
           :source_permissions => resource[:source_permissions] ? resource[:source_permissions].to_sym : :ignore,
           :recurse            => true,
           :recurselimit       => resource[:recurselimit],
+          :max_files          => resource[:max_files],
           :ignore             => resource[:ignore],
         }
 

data/lib/puppet/indirector/file_metadata/rest.rb

@@ -46,6 +46,7 @@ class Puppet::Indirector::FileMetadata::Rest < Puppet::Indirector::REST
       environment: request.environment.to_s,
       recurse: request.options[:recurse],
       recurselimit: request.options[:recurselimit],
+      max_files: request.options[:max_files],
       ignore: request.options[:ignore],
       links: request.options[:links],
       checksum_type: request.options[:checksum_type],

data/lib/puppet/parser/functions/fqdn_rand.rb

@@ -2,13 +2,16 @@ require 'digest/md5'
 require 'digest/sha2'
 
 Puppet::Parser::Functions::newfunction(:fqdn_rand, :arity => -2, :type => :rvalue, :doc =>
-  "Usage: `fqdn_rand(MAX, [SEED])`. MAX is required and must be a positive
-  integer; SEED is optional and may be any number or string.
+  "Usage: `fqdn_rand(MAX, [SEED], [DOWNCASE])`. MAX is required and must be a positive
+  integer; SEED is optional and may be any number or string; DOWNCASE is optional
+  and should be a boolean true or false.
 
   Generates a random Integer number greater than or equal to 0 and less than MAX,
   combining the `$fqdn` fact and the value of SEED for repeatable randomness.
   (That is, each node will get a different random number from this function, but
-  a given node's result will be the same every time unless its hostname changes.)
+  a given node's result will be the same every time unless its hostname changes.) If
+  DOWNCASE is true, then the `fqdn` fact will be downcased when computing the value
+  so that the result is not sensitive to the case of the `fqdn` fact.
 
   This function is usually used for spacing out runs of resource-intensive cron
   tasks that run on many nodes, which could cause a thundering herd or degrade
@@ -17,7 +20,12 @@ Puppet::Parser::Functions::newfunction(:fqdn_rand, :arity => -2, :type => :rvalu
   node. (For example, `fqdn_rand(30)`, `fqdn_rand(30, 'expensive job 1')`, and
   `fqdn_rand(30, 'expensive job 2')` will produce totally different numbers.)") do |args|
     max = args.shift.to_i
- 
+    initial_seed = args.shift
+    downcase = !!args.shift
+
+    fqdn = self['::fqdn']
+    fqdn = fqdn.downcase if downcase
+
     # Puppet 5.4's fqdn_rand function produces a different value than earlier versions
     # for the same set of inputs.
     # This causes problems because the values are often written into service configuration files.
@@ -27,9 +35,9 @@ Puppet::Parser::Functions::newfunction(:fqdn_rand, :arity => -2, :type => :rvalu
     # when running on a non-FIPS enabled platform and only using SHA256 on FIPS enabled
     # platforms.
     if Puppet::Util::Platform.fips_enabled?
-      seed = Digest::SHA256.hexdigest([self['::fqdn'],max,args].join(':')).hex
+      seed = Digest::SHA256.hexdigest([fqdn,max,initial_seed].join(':')).hex
     else
-      seed = Digest::MD5.hexdigest([self['::fqdn'],max,args].join(':')).hex
+      seed = Digest::MD5.hexdigest([fqdn,max,initial_seed].join(':')).hex
     end
 
     Puppet::Util.deterministic_rand_int(seed,max)

data/lib/puppet/pops/types/p_sem_ver_type.rb

@@ -95,16 +95,22 @@ class PSemVerType < PScalarType
       end
 
       def from_args(major, minor, patch, prerelease = nil, build = nil)
-        SemanticPuppet::Version.new(major, minor, patch, prerelease, build)
+        SemanticPuppet::Version.new(major, minor, patch, to_array(prerelease), to_array(build))
       end
 
       def from_hash(hash)
-        SemanticPuppet::Version.new(hash['major'], hash['minor'], hash['patch'], hash['prerelease'], hash['build'])
+        SemanticPuppet::Version.new(hash['major'], hash['minor'], hash['patch'], to_array(hash['prerelease']), to_array(hash['build']))
       end
 
       def on_error(str)
         _("The string '%{str}' cannot be converted to a SemVer") % { str: str }
       end
+
+      private
+
+      def to_array(component)
+        component ? [component] : nil
+      end
     end
   end
 

data/lib/puppet/pops/types/p_sensitive_type.rb

@@ -24,6 +24,16 @@ class PSensitiveType < PTypeWithContainedType
     def inspect
       "#<#{self}>"
     end
+
+    def hash
+      @value.hash
+    end
+
+    def ==(other)
+      other.is_a?(Sensitive) &&
+        other.hash == hash
+    end
+    alias eql? ==
   end
 
   def self.register_ptype(loader, ir)

data/lib/puppet/provider/package/nim.rb

@@ -154,20 +154,25 @@ Puppet::Type.type(:package).provide :nim, :parent => :aix, :source => :aix do
   # I spent a lot of time trying to figure out a solution that didn't
   # require parsing the `nimclient -o showres` output and was unable to
   # do so.
-  self::HEADER_LINE_REGEX      = /^([^\s]+)\s+[^@]+@@(I|R):(\1)\s+[^\s]+$/
-  self::PACKAGE_LINE_REGEX     = /^.*@@(I|R):(.*)$/
-  self::RPM_PACKAGE_REGEX      = /^(.*)-(.*-\d+) \2$/
+  self::HEADER_LINE_REGEX      = /^([^\s]+)\s+[^@]+@@(I|R|S):(\1)\s+[^\s]+$/
+  self::PACKAGE_LINE_REGEX     = /^.*@@(I|R|S):(.*)$/
+  self::RPM_PACKAGE_REGEX      = /^(.*)-(.*-\d+\w*) \2$/
   self::INSTALLP_PACKAGE_REGEX = /^(.*) (.*)$/
 
   # Here is some sample output that shows what the above regexes will be up
   # against:
-  # FOR AN INSTALLP PACKAGE:
+  # FOR AN INSTALLP(bff) PACKAGE:
   #
   #    mypackage.foo                                                           ALL  @@I:mypackage.foo _all_filesets
-  #    @ 1.2.3.1  MyPackage Runtime Environment                       @@I:mypackage.foo 1.2.3.1
   #    + 1.2.3.4  MyPackage Runtime Environment                       @@I:mypackage.foo 1.2.3.4
   #    + 1.2.3.8  MyPackage Runtime Environment                       @@I:mypackage.foo 1.2.3.8
   #
+  # FOR AN INSTALLP(bff) PACKAGE with security update:
+  #
+  #    bos.net                                                                 ALL  @@S:bos.net _all_filesets
+  #    + 7.2.0.1  TCP/IP ntp Applications                             @@S:bos.net.tcp.ntp 7.2.0.1
+  #    + 7.2.0.2  TCP/IP ntp Applications                             @@S:bos.net.tcp.ntp 7.2.0.2
+  #
   # FOR AN RPM PACKAGE:
   #
   # mypackage.foo                                                                ALL  @@R:mypackage.foo _all_filesets
@@ -243,7 +248,7 @@ Puppet::Type.type(:package).provide :nim, :parent => :aix, :source => :aix do
     package_string = match.captures[1]
 
     case package_type_flag
-      when "I"
+      when "I","S"
         parse_installp_package_string(package_string)
       when "R"
         parse_rpm_package_string(package_string)

data/lib/puppet/provider/service/systemd.rb

@@ -45,8 +45,13 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   def enabled_insync?(current)
     case cached_enabled?[:output]
     when 'static'
-      Puppet.debug("Unable to enable or disable static service #{@resource[:name]}")
-      return true
+      # masking static services is OK, but enabling/disabling them is not
+      if @resource[:enable] == :mask
+        current == @resource[:enable]
+      else
+        Puppet.debug("Unable to enable or disable static service #{@resource[:name]}")
+        return true
+      end
     when 'indirect'
       Puppet.debug("Service #{@resource[:name]} is in 'indirect' state and cannot be enabled/disabled")
       return true
@@ -159,10 +164,15 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   end
 
   def mask
-    self.disable
+    disable if exist?
     systemctl_change_enable(:mask)
   end
 
+  def exist?
+    result = execute([command(:systemctl), 'cat', '--', @resource[:name]], :failonfail => false)
+    result.exitstatus == 0
+  end
+
   def unmask
     systemctl_change_enable(:unmask)
   end

data/lib/puppet/provider/service/windows.rb

@@ -128,17 +128,55 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
     services
   end
 
+  def logonaccount_insync?(current)
+    @normalized_logon_account ||= normalize_logonaccount
+    @resource[:logonaccount] = @normalized_logon_account
+
+    insync = @resource[:logonaccount] == current
+    self.logonpassword = @resource[:logonpassword] if insync
+    insync
+  end
+
   def logonaccount
     return unless Puppet::Util::Windows::Service.exists?(@resource[:name])
     Puppet::Util::Windows::Service.logon_account(@resource[:name])
   end
 
   def logonaccount=(value)
+    validate_logon_credentials
     Puppet::Util::Windows::Service.set_startup_configuration(@resource[:name], options: {logon_account: value, logon_password: @resource[:logonpassword]})
     restart if @resource[:ensure] == :running && [:running, :paused].include?(status)
   end
 
   def logonpassword=(value)
+    validate_logon_credentials
     Puppet::Util::Windows::Service.set_startup_configuration(@resource[:name], options: {logon_password: value})
   end
+
+  private
+
+  def normalize_logonaccount
+    logon_account = @resource[:logonaccount].sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
+    return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(logon_account)
+
+    @logonaccount_information ||= Puppet::Util::Windows::SID.name_to_principal(logon_account)
+    return logon_account unless @logonaccount_information
+    return ".\\#{@logonaccount_information.account}" if @logonaccount_information.domain == Puppet::Util::Windows::ADSI.computer_name
+    @logonaccount_information.domain_account
+  end
+
+  def validate_logon_credentials
+    unless Puppet::Util::Windows::User::localsystem?(@normalized_logon_account)
+      raise Puppet::Error.new("\"#{@normalized_logon_account}\" is not a valid account") unless @logonaccount_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(@logonaccount_information.account_type)
+
+      user_rights = Puppet::Util::Windows::User::get_rights(@logonaccount_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(@normalized_logon_account)
+      raise Puppet::Error.new("\"#{@normalized_logon_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
+      raise Puppet::Error.new("\"#{@normalized_logon_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
+    end
+
+    is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@normalized_logon_account) || @normalized_logon_account == 'LocalSystem'
+    account_info = @normalized_logon_account.split("\\")
+    able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], @resource[:logonpassword], account_info[0]) unless is_a_predefined_local_account
+    raise Puppet::Error.new("The given password is invalid for user '#{@normalized_logon_account}'.") unless is_a_predefined_local_account || able_to_logon
+  end
 end

data/lib/puppet/provider/user/directoryservice.rb

@@ -435,7 +435,7 @@ Puppet::Type.type(:user).provide :directoryservice do
   ['home', 'uid', 'gid', 'comment', 'shell'].each do |setter_method|
     define_method("#{setter_method}=") do |value|
       if @property_hash[setter_method.intern]
-        if self.class.get_os_version.split('.').last.to_i >= 14 && %w(home uid).include?(setter_method)
+        if %w(home uid).include?(setter_method)
           raise Puppet::Error, "OS X version #{self.class.get_os_version} does not allow changing #{setter_method} using puppet"
         end
         begin
@@ -536,6 +536,14 @@ Puppet::Type.type(:user).provide :directoryservice do
       if (shadow_hash_data.class == Hash) && (shadow_hash_data.has_key?('SALTED-SHA512'))
         shadow_hash_data.delete('SALTED-SHA512')
       end
+
+      # Starting with macOS 11 Big Sur, the AuthenticationAuthority field
+      # could be missing entirely and without it the managed user cannot log in
+      if needs_sha512_pbkdf2_authentication_authority_to_be_added?(users_plist)
+        Puppet.debug("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user '#{@resource.name}'")
+        merge_attribute_with_dscl('Users', @resource.name, 'AuthenticationAuthority', ERB::Util.html_escape(SHA512_PBKDF2_AUTHENTICATION_AUTHORITY))
+      end
+
       set_salted_pbkdf2(users_plist, shadow_hash_data, 'entropy', value)
     end
   end
@@ -562,6 +570,17 @@ Puppet::Type.type(:user).provide :directoryservice do
     end
   end
 
+  # This method will check if authentication_authority key of a user's plist
+  # needs SALTED_SHA512_PBKDF2 to be added. This is a valid case for macOS 11 (Big Sur)
+  # where users created with `dscl` started to have this field missing
+  def needs_sha512_pbkdf2_authentication_authority_to_be_added?(users_plist)
+    authority = users_plist['authentication_authority']
+    return false if Puppet::Util::Package.versioncmp(self.class.get_os_version, '11.0.0') < 0 && authority && authority.include?(SHA512_PBKDF2_AUTHENTICATION_AUTHORITY)
+
+    Puppet.debug("User '#{@resource.name}' is missing the 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash")
+    true
+  end
+
   # This method will embed the binary plist data comprising the user's
   # password hash (and Salt/Iterations value if the OS is 10.8 or greater)
   # into the ShadowHashData key of the user's plist.
@@ -572,11 +591,7 @@ Puppet::Type.type(:user).provide :directoryservice do
     else
       users_plist['ShadowHashData'] = [binary_plist]
     end
-    if Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.15') < 0
-      write_users_plist_to_disk(users_plist)
-    else
-      write_and_import_shadow_hash_data(users_plist['ShadowHashData'].first)
-    end
+    write_and_import_shadow_hash_data(users_plist['ShadowHashData'].first)
   end
 
   # This method writes the ShadowHashData plist in a temporary file,
@@ -652,12 +667,6 @@ Puppet::Type.type(:user).provide :directoryservice do
     set_shadow_hash_data(users_plist, binary_plist)
   end
 
-  # This method will accept a plist in XML format, save it to disk, convert
-  # the plist to a binary format, and flush the dscl cache.
-  def write_users_plist_to_disk(users_plist)
-    Puppet::Util::Plist.write_plist_file(users_plist, "#{users_plist_dir}/#{@resource.name}.plist", :binary)
-  end
-
   # This is a simple wrapper method for writing values to a file.
   def write_to_file(filename, value)
     Puppet.deprecation_warning("Puppet::Type.type(:user).provider(:directoryservice).write_to_file is deprecated and will be removed in Puppet 5.")
@@ -667,4 +676,8 @@ Puppet::Type.type(:user).provide :directoryservice do
       raise Puppet::Error, "Could not write to file #{filename}: #{detail}", detail.backtrace
     end
   end
+
+  private
+
+  SHA512_PBKDF2_AUTHENTICATION_AUTHORITY = ';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>'
 end

data/lib/puppet/reference/configuration.rb

@@ -41,7 +41,7 @@ config = Puppet::Util::Reference.newreference(:configuration, :depth => 1, :doc
     # Leave out the section information; it was apparently confusing people.
     #str << "- **Section**: #{object.section}\n"
     unless val == ""
-      str << "- *Default*: #{val}\n"
+      str << "- *Default*: `#{val}`\n"
     end
     str << "\n"
   end

data/lib/puppet/transaction/additional_resource_generator.rb

@@ -137,7 +137,7 @@ class Puppet::Transaction::AdditionalResourceGenerator
       else
         @catalog.add_resource_after(parent_resource, res)
       end
-      @catalog.add_edge(@catalog.container_of(parent_resource), res)
+      @catalog.add_edge(@catalog.container_of(parent_resource), res) if @catalog.container_of(parent_resource)
       if @relationship_graph && priority
         # If we have a relationship_graph we should add the resource
         # to it (this is an eval_generate). If we don't, then the

data/lib/puppet/type/file/selcontext.rb

@@ -42,7 +42,7 @@ module Puppet
         return nil
       end
 
-      context = self.get_selinux_default_context(@resource[:path])
+      context = self.get_selinux_default_context(@resource[:path], @resource[:ensure])
       unless context
         return nil
       end

data/lib/puppet/type/file.rb

@@ -220,6 +220,23 @@ Puppet::Type.newtype(:file) do
     end
   end
 
+  newparam(:max_files) do
+    desc "In case the resource is a directory and the recursion is enabled, puppet will
+      generate a new resource for each file file found, possible leading to
+      an excessive number of resources generated without any control.
+
+      Setting `max_files` will check the number of file resources that
+      will eventually be created and will raise a resource argument error if the
+      limit will be exceeded.
+
+      Use value `0` to log a warning instead of raising an error.
+
+      Use value `-1` to disable errors and warnings due to max files."
+
+    defaultto 0
+    newvalues(/^[0-9]+$/, /^-1$/)
+  end
+
   newparam(:replace, :boolean => true, :parent => Puppet::Parameter::Boolean) do
     desc "Whether to replace a file or symlink that already exists on the local system but
       whose content doesn't match what the `source` or `content` attribute
@@ -576,7 +593,7 @@ Puppet::Type.newtype(:file) do
     options = @original_parameters.merge(:path => full_path).reject { |param, value| value.nil? }
 
     # These should never be passed to our children.
-    [:parent, :ensure, :recurse, :recurselimit, :target, :alias, :source].each do |param|
+    [:parent, :ensure, :recurse, :recurselimit, :max_files, :target, :alias, :source].each do |param|
       options.delete(param) if options.include?(param)
     end
 
@@ -753,6 +770,7 @@ Puppet::Type.newtype(:file) do
       :links => self[:links],
       :recurse => (self[:recurse] == :remote ? true : self[:recurse]),
       :recurselimit => self[:recurselimit],
+      :max_files => self[:max_files],
       :source_permissions => self[:source_permissions],
       :ignore => self[:ignore],
       :checksum_type => (self[:source] || self[:content]) ? self[:checksum] : :none,

data/lib/puppet/type/service.rb

@@ -38,6 +38,12 @@ module Puppet
     feature :enableable, "The provider can enable and disable the service.",
       :methods => [:disable, :enable, :enabled?]
 
+    feature :delayed_startable, "The provider can set service to delayed start",
+      :methods => [:delayed_start]
+
+    feature :manual_startable, "The provider can set service to manual start",
+      :methods => [:manual_start]
+
     feature :controllable, "The provider uses a control variable."
 
     feature :flaggable, "The provider can pass flags to the service."
@@ -67,7 +73,7 @@ module Puppet
         provider.disable
       end
 
-      newvalue(:manual, :event => :service_manual_start) do
+      newvalue(:manual, :event => :service_manual_start, :required_features => :manual_startable) do
         provider.manual_start
       end
 
@@ -81,8 +87,7 @@ module Puppet
         provider.enabled?
       end
 
-      # This only works on Windows systems.
-      newvalue(:delayed, :event => :service_delayed_start) do
+      newvalue(:delayed, :event => :service_delayed_start, :required_features => :delayed_startable) do
         provider.delayed_start
       end
 
@@ -90,12 +95,6 @@ module Puppet
         return provider.enabled_insync?(current) if provider.respond_to?(:enabled_insync?)
         super(current)
       end
-
-      validate do |value|
-        if (value == :manual || value == :delayed) && !Puppet::Util::Platform.windows?
-          raise Puppet::Error.new(_("Setting enable to %{value} is only supported on Microsoft Windows.") % { value: value.to_s} )
-        end
-      end
     end
 
     # Handle whether the service should actually be running right now.
@@ -139,23 +138,9 @@ module Puppet
     newproperty(:logonaccount, :required_features => :manages_logon_credentials) do
       desc "Specify an account for service logon"
 
-      munge do |value|
-        return value unless Puppet::Util::Platform.windows?
-        return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(value)
-
-        value.sub!(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
-        user_information = Puppet::Util::Windows::SID.name_to_principal(value)
-        raise Puppet::Error.new("\"#{value}\" is not a valid account") unless user_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(user_information.account_type)
-
-        user_rights = Puppet::Util::Windows::User::get_rights(user_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(value)
-        raise Puppet::Error.new("\"#{user_information.domain_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
-        raise Puppet::Error.new("\"#{user_information.domain_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
-
-        if user_information.domain == Puppet::Util::Windows::ADSI.computer_name
-          ".\\#{user_information.account}"
-        else
-          user_information.domain_account
-        end
+      def insync?(current)
+        return provider.logonaccount_insync?(current) if provider.respond_to?(:logonaccount_insync?)
+        super(current)
       end
     end
 
@@ -163,18 +148,7 @@ module Puppet
       desc "Specify a password for service logon. Default value is an empty string (when logonaccount is specified)."
 
       validate do |value|
-        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.") unless @resource[:logonaccount]
-        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) and value.include?(":")
-        return unless Puppet::Util::Platform.windows?
-
-        is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@resource[:logonaccount]) || @resource[:logonaccount] == 'LocalSystem'
-
-        account_info = @resource[:logonaccount].split("\\")
-        able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], value, account_info[0]) unless is_a_predefined_local_account
-
-        raise Puppet::Error.new("The given password is invalid for user '#{@resource[:logonaccount]}'.") unless is_a_predefined_local_account || able_to_logon
-
-        provider.logonpassword=(value)
+        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) && value.include?(":")
       end
 
       sensitive true
@@ -320,5 +294,11 @@ module Puppet
     def self.needs_ensure_retrieved
       false
     end
+
+    validate do
+      if @parameters[:logonpassword] && @parameters[:logonaccount].nil?
+        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.")
+      end
+    end
   end
 end

data/lib/puppet/type/tidy.rb

@@ -50,6 +50,22 @@ Puppet::Type.newtype(:tidy) do
     end
   end
 
+  newparam(:max_files) do
+    desc "In case the resource is a directory and the recursion is enabled, puppet will
+      generate a new resource for each file file found, possible leading to
+      an excessive number of resources generated without any control.
+
+      Setting `max_files` will check the number of file resources that
+      will eventually be created and will raise a resource argument error if the
+      limit will be exceeded.
+
+      Use value `0` to disable the check. In this case, a warning is logged if
+      the number of files exceeds 1000."
+
+    defaultto 0
+    newvalues(/^[0-9]+$/)
+  end
+
   newparam(:matches) do
     desc <<-'EOT'
       One or more (shell type) file glob patterns, which restrict
@@ -256,9 +272,12 @@ Puppet::Type.newtype(:tidy) do
 
     case self[:recurse]
     when Integer, /^\d+$/
-      parameter = { :recurse => true, :recurselimit => self[:recurse] }
+      parameter = { :max_files => self[:max_files],
+                    :recurse => true,
+                    :recurselimit => self[:recurse] }
     when true, :true, :inf
-      parameter = { :recurse => true }
+      parameter = { :max_files => self[:max_files],
+                    :recurse => true }
     end
 
     if parameter

data/lib/puppet/type/user.rb

@@ -67,6 +67,7 @@ module Puppet
     newproperty(:ensure, :parent => Puppet::Property::Ensure) do
       newvalue(:present, :event => :user_created) do
         provider.create
+        @resource.generate
       end
 
       newvalue(:absent, :event => :user_removed) do
@@ -695,6 +696,7 @@ module Puppet
 
     def generate
       if !self[:purge_ssh_keys].empty?
+        return [] if self[:ensure] == :present && !provider.exists? 
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
         else
@@ -743,25 +745,6 @@ module Puppet
         end
         raise ArgumentError, _("purge_ssh_keys must be true, false, or an array of file names, not %{value}") % { value: value.inspect }
       end
-
-      munge do |value|
-        # Resolve string, boolean and symbol forms of true and false to a
-        # single representation.
-        test_sym = value.to_s.intern
-        value = test_sym if [:true, :false].include? test_sym
-
-        return [] if value == :false
-        home = resource[:home] || Dir.home(resource[:name])
-
-        return [ "#{home}/.ssh/authorized_keys" ] if value == :true
-        # value is an array - munge each value
-        [ value ].flatten.map do |entry|
-          # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
-          entry = entry.gsub(/^~\//, "#{home}/")
-          entry.gsub!(/^%h\//, "#{home}/")
-          entry
-        end
-      end
     end
 
     newproperty(:loginclass, :required_features => :manages_loginclass) do
@@ -783,7 +766,7 @@ module Puppet
     # @see generate
     # @api private
     def find_unmanaged_keys
-      self[:purge_ssh_keys].
+      munged_unmanaged_keys.
         select { |f| File.readable?(f) }.
         map { |f| unknown_keys_in_file(f) }.
         flatten.each do |res|
@@ -795,6 +778,41 @@ module Puppet
         end
     end
 
+    def munged_unmanaged_keys
+      value = self[:purge_ssh_keys]
+
+      # Resolve string, boolean and symbol forms of true and false to a
+      # single representation.
+      test_sym = value.to_s.intern
+      value = test_sym if [:true, :false].include? test_sym
+
+      return [] if value == :false
+
+      home = self[:home]
+      begin
+        home ||= provider.home
+      rescue
+        Puppet.debug("User '#{self[:name]}' does not exist")
+      end
+
+      if home.to_s.empty? || !Dir.exist?(home.to_s)
+        if value == :true || [ value ].flatten.any? { |v| v.start_with?('~/', '%h/') }
+          Puppet.debug("User '#{self[:name]}' has no home directory set to purge ssh keys from.")
+          return []
+        end
+      end
+
+      return [ "#{home}/.ssh/authorized_keys" ] if value == :true
+
+      # value is an array - munge each value
+      [ value ].flatten.map do |entry|
+        # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
+        entry = entry.gsub(/^~\//, "#{home}/")
+        entry.gsub!(/^%h\//, "#{home}/")
+        entry
+      end
+    end
+
     # Parse an ssh authorized keys file superficially, extract the comments
     # on the keys. These are considered names of possible ssh_authorized_keys
     # resources. Keys that are managed by the present catalog are ignored.