puppet 6.22.1-x86-mingw32 → 6.23.0-x86-mingw32

data/spec/unit/http/service/compiler_spec.rb

@@ -1,3 +1,4 @@
+
 # coding: utf-8
 require 'spec_helper'
 require 'puppet/http'
@@ -258,6 +259,128 @@ describe Puppet::HTTP::Service::Compiler do
     end
   end
 
+  context 'when posting for a v4 catalog' do
+    let(:uri) {"https://compiler.example.com:8140/puppet/v4/catalog"}
+    let(:persistence) {{ facts: true, catalog: true }}
+    let(:facts) {{ 'foo' => 'bar' }}
+    let(:trusted_facts) {{}}
+    let(:uuid) { "ec3d2844-b236-4287-b0ad-632fbb4d1ff0" }
+    let(:job_id) { "1" }
+    let(:payload) {{
+      environment: environment,
+      persistence: persistence,
+      facts: facts,
+      trusted_facts: trusted_facts,
+      transaction_uuid: uuid,
+      job_id: job_id,
+      options: {
+        prefer_requested_environment: false,
+        capture_logs: false
+      }
+    }}
+    let(:serialized_catalog) {{ 'catalog' => catalog.to_data_hash }.to_json}
+    let(:catalog_response) {{ body: serialized_catalog, headers: {'Content-Type' => formatter.mime }}}
+
+    it 'includes default HTTP headers' do
+      stub_request(:post, uri).with do |request|
+        expect(request.headers).to include({'X-Puppet-Version' => /./, 'User-Agent' => /./})
+        expect(request.headers).to_not include('X-Puppet-Profiling')
+      end.to_return(**catalog_response)
+
+      subject.post_catalog4(certname, **payload)
+    end
+
+    it 'defaults the server and port based on settings' do
+      Puppet[:server] = 'compiler2.example.com'
+      Puppet[:serverport] = 8141
+
+      stub_request(:post, "https://compiler2.example.com:8141/puppet/v4/catalog")
+        .to_return(**catalog_response)
+
+      subject.post_catalog4(certname, **payload)
+    end
+
+    it 'includes puppet headers set via the :http_extra_headers and :profile settings' do
+      stub_request(:post, uri).with(headers: {'Example-Header' => 'real-thing', 'another' => 'thing', 'X-Puppet-Profiling' => 'true'}).
+        to_return(**catalog_response)
+
+      Puppet[:http_extra_headers] = 'Example-Header:real-thing,another:thing'
+      Puppet[:profile] = true
+
+      subject.post_catalog4(certname, **payload)
+    end
+
+    it 'returns a deserialized catalog' do
+      stub_request(:post, uri)
+        .to_return(**catalog_response)
+
+      _, cat, _ = subject.post_catalog4(certname, **payload)
+      expect(cat).to be_a(Puppet::Resource::Catalog)
+      expect(cat.name).to eq(certname)
+    end
+
+    it 'returns the request response' do
+      stub_request(:post, uri)
+        .to_return(**catalog_response)
+
+      resp, _, _ = subject.post_catalog4(certname, **payload)
+      expect(resp).to be_a(Puppet::HTTP::Response)
+    end
+
+    it 'raises a response error if unsuccessful' do
+      stub_request(:post, uri)
+        .to_return(status: [500, "Server Error"])
+
+      expect {
+        subject.post_catalog4(certname, **payload)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq('Server Error')
+        expect(err.response.code).to eq(500)
+      end
+    end
+
+    it 'raises a response error when server response is not JSON' do
+      stub_request(:post, uri)
+        .to_return(body: "this isn't valid JSON", headers: {'Content-Type' => 'application/json'})
+
+      expect {
+        subject.post_catalog4(certname, **payload)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::SerializationError)
+        expect(err.message).to match(/Failed to deserialize catalog from puppetserver response/)
+      end
+    end
+
+    it 'raises a response error when server response a JSON serialized catalog' do
+      stub_request(:post, uri)
+        .to_return(body: {oops: 'bad response data'}.to_json, headers: {'Content-Type' => 'application/json'})
+
+      expect {
+        subject.post_catalog4(certname, **payload)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::SerializationError)
+        expect(err.message).to match(/Failed to deserialize catalog from puppetserver response/)
+      end
+    end
+
+    it 'raises ArgumentError when the `persistence` hash does not contain required keys' do
+      payload[:persistence].delete(:facts)
+      expect { subject.post_catalog4(certname, **payload) }.to raise_error do |err|
+        expect(err).to be_an_instance_of(ArgumentError)
+        expect(err.message).to match(/The 'persistence' hash is missing the keys: facts/)
+      end
+    end
+
+    it 'raises ArgumentError when `facts` are not a Hash' do
+      payload[:facts] = Puppet::Node::Facts.new(certname)
+      expect { subject.post_catalog4(certname, **payload) }.to raise_error do |err|
+        expect(err).to be_an_instance_of(ArgumentError)
+        expect(err.message).to match(/Facts must be a Hash not a Puppet::Node::Facts/)
+      end
+    end
+  end
+
   context 'when getting a node' do
     let(:uri) { %r{/puppet/v3/node/ziggy} }
     let(:node_response) { { body: formatter.render(node), headers: {'Content-Type' => formatter.mime } } }

data/spec/unit/indirector/catalog/compiler_spec.rb

@@ -909,9 +909,10 @@ describe Puppet::Resource::Catalog::Compiler do
         it "inlines child metadata" do
           catalog = compile_to_catalog(<<-MANIFEST, node)
             file { '#{path}':
-              ensure  => directory,
-              recurse => true,
-              source  => '#{source_dir}'
+              ensure    => directory,
+              recurse   => true,
+              source    => '#{source_dir}',
+              max_files => 1234,
             }
           MANIFEST
 
@@ -925,6 +926,7 @@ describe Puppet::Resource::Catalog::Compiler do
             :source_permissions => :ignore,
             :recurse            => true,
             :recurselimit       => nil,
+            :max_files          => 1234,
             :ignore             => nil,
           }
           expect(Puppet::FileServing::Metadata.indirection).to receive(:search).with(source_dir, options).and_return([metadata, child_metadata])
@@ -938,14 +940,15 @@ describe Puppet::Resource::Catalog::Compiler do
         it "uses resource parameters when inlining metadata" do
           catalog = compile_to_catalog(<<-MANIFEST, node)
             file { '#{path}':
-              ensure  => directory,
-              recurse => true,
-              source  => '#{source_dir}',
-              checksum => sha256,
+              ensure             => directory,
+              recurse            => true,
+              source             => '#{source_dir}',
+              checksum           => sha256,
               source_permissions => use_when_creating,
-              recurselimit => 2,
-              ignore => 'foo.+',
-              links => follow,
+              recurselimit       => 2,
+              max_files          => 4321,
+              ignore             => 'foo.+',
+              links              => follow,
             }
           MANIFEST
 
@@ -956,6 +959,7 @@ describe Puppet::Resource::Catalog::Compiler do
             :source_permissions => :use_when_creating,
             :recurse            => true,
             :recurselimit       => 2,
+            :max_files          => 4321,
             :ignore             => 'foo.+',
           }
           expect(Puppet::FileServing::Metadata.indirection).to receive(:search).with(source_dir, options).and_return([metadata, child_metadata])

data/spec/unit/parser/functions/fqdn_rand_spec.rb

@@ -61,12 +61,26 @@ describe "the fqdn_rand function" do
     expect(fqdn_rand(5000, :extra_identifier => ['expensive job 33'])).to eql(2389)
   end
 
+  it "returns the same value if only host differs by case" do
+    val1 = fqdn_rand(1000000000, :host => "host.example.com", :extra_identifier => [nil, true])
+    val2 = fqdn_rand(1000000000, :host => "HOST.example.com", :extra_identifier => [nil, true])
+
+    expect(val1).to eql(val2)
+  end
+
+  it "returns the same value if only host differs by case and an initial seed is given" do
+    val1 = fqdn_rand(1000000000, :host => "host.example.com", :extra_identifier => ['a seed', true])
+    val2 = fqdn_rand(1000000000, :host => "HOST.example.com", :extra_identifier => ['a seed', true])
+
+    expect(val1).to eql(val2)
+  end
+
   def fqdn_rand(max, args = {})
     host = args[:host] || '127.0.0.1'
     extra = args[:extra_identifier] || []
 
     scope = create_test_scope_for_node('localhost')
-    allow(scope).to receive(:[]).with("::fqdn").and_return(host)
+    scope.compiler.topscope['fqdn'] = host.freeze
 
     scope.function_fqdn_rand([max] + extra)
   end

data/spec/unit/pops/types/p_sem_ver_type_spec.rb

@@ -125,6 +125,24 @@ describe 'Semantic Versions' do
         expect(eval_and_collect_notices(code)).to eql(['true', 'false'])
       end
 
+      it 'can be compared to another instance created from arguments' do
+        code = <<-CODE
+          $x = SemVer('1.2.3-rc4+5')
+          $y = SemVer(1, 2, 3, 'rc4', '5')
+          notice($x == $y)
+        CODE
+        expect(eval_and_collect_notices(code)).to eql(['true'])
+      end
+
+      it 'can be compared to another instance created from a hash' do
+        code = <<-CODE
+          $x = SemVer('1.2.3-rc4+5')
+          $y = SemVer(major => 1, minor => 2, patch => 3, prerelease => 'rc4', build => '5')
+          notice($x == $y)
+        CODE
+        expect(eval_and_collect_notices(code)).to eql(['true'])
+      end
+
       it 'can be compared to another instance for magnitude' do
         code = <<-CODE
           $x = SemVer('1.1.1')

data/spec/unit/pops/types/p_sensitive_type_spec.rb

@@ -113,6 +113,24 @@ describe 'Sensitive Type' do
       expect(eval_and_collect_notices(code)).to eq(['Sensitive[Integer] != Sensitive[String]'])
     end
 
+    it 'equals another instance with the same value' do
+      code =<<-CODE
+        $i = Sensitive('secret')
+        $o = Sensitive('secret')
+        notice($i == $o)
+      CODE
+      expect(eval_and_collect_notices(code)).to eq(['true'])
+    end
+
+    it 'has equal hash keys for same values' do
+      code =<<-CODE
+        $i = Sensitive('secret')
+        $o = Sensitive('secret')
+        notice({$i => 1} == {$o => 1})
+      CODE
+      expect(eval_and_collect_notices(code)).to eq(['true'])
+    end
+
     it 'can be created from another sensitive instance ' do
       code =<<-CODE
         $o = Sensitive("hunter2")

data/spec/unit/provider/package/nim_spec.rb

@@ -191,6 +191,27 @@ OUTPUT
           expect(versions[version]).to eq(:rpm)
         end
       end
+
+      it "should be able to parse RPM package listings with letters in version" do
+        showres_output = <<END
+cairo                                                              ALL  @@R:cairo _all_filesets
+   @@R:cairo-1.14.6-2waixX11 1.14.6-2waixX11
+END
+        packages = subject.send(:parse_showres_output, showres_output)
+        expect(Set.new(packages.keys)).to eq(Set.new(['cairo']))
+        versions = packages['cairo']
+        expect(versions.has_key?('1.14.6-2waixX11')).to eq(true)
+        expect(versions['1.14.6-2waixX11']).to eq(:rpm)
+      end
+
+      it "should raise error when parsing invalid RPM package listings" do
+              showres_output = <<END
+cairo                                                              ALL  @@R:cairo _all_filesets
+   @@R:cairo-invalid_version invalid_version
+END
+        expect{ subject.send(:parse_showres_output, showres_output) }.to raise_error(Puppet::Error,
+          /Unable to parse output from nimclient showres: package string does not match expected rpm package string format/)
+      end
     end
 
     context "#determine_latest_version" do
@@ -220,6 +241,27 @@ END
       it "should return :installp for installp/bff packages" do
         expect(subject.send(:determine_package_type, bff_showres_output, 'mypackage.foo', '1.2.3.4')).to eq(:installp)
       end
+
+      it "should return :installp for security updates" do
+        nimclient_showres_output = <<END
+bos.net                                                            ALL  @@S:bos.net _all_filesets
+ + 7.2.0.1  TCP/IP ntp Applications                                     @@S:bos.net.tcp.ntp 7.2.0.1
+ + 7.2.0.2  TCP/IP ntp Applications                                     @@S:bos.net.tcp.ntp 7.2.0.2
+
+END
+        expect(subject.send(:determine_package_type, nimclient_showres_output, 'bos.net.tcp.ntp', '7.2.0.2')).to eq(:installp)
+      end
+
+      it "should raise error when invalid header format is given" do
+        nimclient_showres_output = <<END
+bos.net                                                            ALL  @@INVALID_TYPE:bos.net _all_filesets
+ + 7.2.0.1  TCP/IP ntp Applications                                     @@INVALID_TYPE:bos.net.tcp.ntp 7.2.0.1
+ + 7.2.0.2  TCP/IP ntp Applications                                     @@INVALID_TYPE:bos.net.tcp.ntp 7.2.0.2
+
+END
+        expect{ subject.send(:determine_package_type, nimclient_showres_output, 'bos.net.tcp.ntp', '7.2.0.2') }.to raise_error(
+          Puppet::Error, /Unable to parse output from nimclient showres: line does not match expected package header format/)
+      end
     end
   end
 end

data/spec/unit/provider/service/init_spec.rb

@@ -83,6 +83,7 @@ describe 'Puppet::Type::Service::Provider::Init',
       allow(provider_class).to receive(:defpath).and_return('tmp')
 
       @services = ['one', 'two', 'three', 'four', 'umountfs']
+      allow(Dir).to receive(:entries).and_call_original
       allow(Dir).to receive(:entries).with('tmp').and_return(@services)
       expect(FileTest).to receive(:directory?).with('tmp').and_return(true)
       allow(FileTest).to receive(:executable?).and_return(true)

data/spec/unit/provider/service/openwrt_spec.rb

@@ -32,6 +32,7 @@ describe 'Puppet::Type::Service::Provider::Openwrt',
     allow(File).to receive(:directory?).with('/etc/init.d').and_return(true)
 
     allow(Puppet::FileSystem).to receive(:exist?).with('/etc/init.d/myservice').and_return(true)
+    allow(FileTest).to receive(:file?).and_call_original
     allow(FileTest).to receive(:file?).with('/etc/init.d/myservice').and_return(true)
     allow(FileTest).to receive(:executable?).with('/etc/init.d/myservice').and_return(true)
   end
@@ -47,7 +48,8 @@ describe 'Puppet::Type::Service::Provider::Openwrt',
     let(:services) {['dnsmasq', 'dropbear', 'firewall', 'led', 'puppet', 'uhttpd' ]}
 
     before :each do
-      allow(Dir).to receive(:entries).and_return(services)
+      allow(Dir).to receive(:entries).and_call_original
+      allow(Dir).to receive(:entries).with('/etc/init.d').and_return(services)
       allow(FileTest).to receive(:directory?).and_return(true)
       allow(FileTest).to receive(:executable?).and_return(true)
     end

data/spec/unit/provider/service/systemd_spec.rb

@@ -357,6 +357,9 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
   describe "#mask" do
     it "should run systemctl to disable and mask a service" do
       provider = provider_class.new(Puppet::Type.type(:service).new(:name => 'sshd.service'))
+      expect(provider).to receive(:execute).
+                            with(['/bin/systemctl','cat', '--', 'sshd.service'], :failonfail => false).
+                            and_return(Puppet::Util::Execution::ProcessOutput.new("# /lib/systemd/system/sshd.service\n...", 0))
       # :disable is the only call in the provider that uses a symbol instead of
       # a string.
       # This should be made consistent in the future and all tests updated.
@@ -364,6 +367,15 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
       expect(provider).to receive(:systemctl).with(:mask, '--', 'sshd.service')
       provider.mask
     end
+
+    it "masks a service that doesn't exist" do
+      provider = provider_class.new(Puppet::Type.type(:service).new(:name => 'doesnotexist.service'))
+      expect(provider).to receive(:execute).
+                            with(['/bin/systemctl','cat', '--', 'doesnotexist.service'], :failonfail => false).
+                            and_return(Puppet::Util::Execution::ProcessOutput.new("No files found for doesnotexist.service.\n", 1))
+      expect(provider).to receive(:systemctl).with(:mask, '--', 'doesnotexist.service')
+      provider.mask
+    end
   end
 
   # Note: systemd provider does not care about hasstatus or a custom status
@@ -467,17 +479,39 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
     context 'when service state is static' do
       let(:service_state) { 'static' }
 
-      it 'is always enabled_insync even if current value is the same as expected' do
-        expect(provider).to be_enabled_insync(:false)
-      end
+      context 'when enable is not mask' do
+        it 'is always enabled_insync even if current value is the same as expected' do
+          expect(provider).to be_enabled_insync(:false)
+        end
 
-      it 'is always enabled_insync even if current value is not the same as expected' do
-        expect(provider).to be_enabled_insync(:true)
+        it 'is always enabled_insync even if current value is not the same as expected' do
+          expect(provider).to be_enabled_insync(:true)
+        end
+
+        it 'logs a debug messsage' do
+          expect(Puppet).to receive(:debug).with("Unable to enable or disable static service sshd.service")
+          provider.enabled_insync?(:true)
+        end
       end
 
-      it 'logs a debug messsage' do
-        expect(Puppet).to receive(:debug).with("Unable to enable or disable static service sshd.service")
-        provider.enabled_insync?(:true)
+      context 'when enable is mask' do
+        let(:provider) do
+          provider_class.new(Puppet::Type.type(:service).new(:name => 'sshd.service',
+                                                             :enable => 'mask'))
+        end
+
+        it 'is enabled_insync if current value is the same as expected' do
+          expect(provider).to be_enabled_insync(:mask)
+        end
+
+        it 'is not enabled_insync if current value is not the same as expected' do
+          expect(provider).not_to be_enabled_insync(:true)
+        end
+
+        it 'logs no debug messsage' do
+          expect(Puppet).not_to receive(:debug)
+          provider.enabled_insync?(:true)
+        end
       end
     end
 

data/spec/unit/provider/service/windows_spec.rb

@@ -271,4 +271,206 @@ describe 'Puppet::Type::Service::Provider::Windows',
       }.to raise_error(Puppet::Error, /Cannot enable #{name}/)
     end
   end
+
+  describe "when managing logon credentials" do
+    before do
+      allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return(computer_name)
+      allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(principal)
+      allow(Puppet::Util::Windows::Service).to receive(:set_startup_configuration).and_return(nil)
+    end
+
+    let(:computer_name) { 'myPC' }
+
+    describe "#logonaccount=" do
+      before do
+        allow(Puppet::Util::Windows::User).to receive(:password_is?).and_return(true)
+        resource[:logonaccount] = user_input
+        provider.logonaccount_insync?(user_input)
+      end
+
+      let(:user_input) { principal.account }
+      let(:principal) do
+        Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, computer_name, :SidTypeUser)
+      end
+
+      context "when given user is 'myUser'" do
+        it "should fail when the `Log On As A Service` right is missing from given user" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("")
+          expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" is missing the 'Log On As A Service' right./)
+        end
+
+        it "should fail when the `Log On As A Service` right is set to denied for given user" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeDenyServiceLogonRight")
+          expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" has the 'Log On As A Service' right set to denied./)
+        end
+
+        it "should not fail when given user has the `Log On As A Service` right" do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
+          expect { provider.logonaccount=(user_input) }.not_to raise_error
+        end
+
+        ['myUser', 'myPC\\myUser', ".\\myUser", "MYPC\\mYuseR"].each do |user_input_variant|
+          let(:user_input) { user_input_variant }
+
+          it "should succesfully munge #{user_input_variant} to '.\\myUser'" do
+            allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq(".\\myUser")
+          end
+        end
+      end
+
+      context "when given user is a system account" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).and_return(true)
+        end
+
+        let(:user_input) { principal.account }
+        let(:principal) do
+          Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
+        end
+
+        it "should not fail when given user is a default system account even if the `Log On As A Service` right is missing" do
+          expect(Puppet::Util::Windows::User).not_to receive(:get_rights)
+          expect { provider.logonaccount=(user_input) }.not_to raise_error
+        end
+
+        ['LocalSystem', '.\LocalSystem', 'myPC\LocalSystem', 'lOcALsysTem'].each do |user_input_variant|
+          let(:user_input) { user_input_variant }
+
+          it "should succesfully munge #{user_input_variant} to 'LocalSystem'" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('LocalSystem')
+          end
+        end
+      end
+
+      context "when domain is different from computer name" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return("SeServiceLogonRight")
+        end
+
+        context "when given user is from AD" do
+          let(:user_input) { 'myRemoteUser' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("myRemoteUser", nil, nil, "AD", :SidTypeUser)
+          end
+
+          it "should not raise any error" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+          end
+
+          it "should succesfully be munged" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('AD\myRemoteUser')
+          end
+        end
+
+        context "when given user is LocalService" do
+          let(:user_input) { 'LocalService' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeWellKnownGroup)
+          end
+
+          it "should succesfully munge well known user" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('NT AUTHORITY\LOCAL SERVICE')
+          end
+        end
+
+        context "when given user is in SID form" do
+          let(:user_input) { 'S-1-5-20' }
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("NETWORK SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
+          end
+
+          it "should succesfully munge" do
+            expect { provider.logonaccount=(user_input) }.not_to raise_error
+            expect(resource[:logonaccount]).to eq('NT AUTHORITY\NETWORK SERVICE')
+          end
+        end
+
+        context "when given user is actually a group" do
+          let(:principal) do
+            Puppet::Util::Windows::SID::Principal.new("Administrators", nil, nil, "BUILTIN", :SidTypeAlias)
+          end
+          let(:user_input) { 'Administrators' }
+
+          it "should fail when sid type is not user or well known user" do
+            expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /"BUILTIN\\#{user_input}" is not a valid account/)
+          end
+        end
+      end
+    end
+
+    describe "#logonpassword=" do
+      before do
+        allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
+        resource[:logonaccount] = account
+        resource[:logonpassword] = user_input
+        provider.logonaccount_insync?(account)
+      end
+
+      let(:account) { 'LocalSystem' }
+
+      describe "when given logonaccount is a predefined_local_account" do
+        let(:user_input) { 'pass' }
+        let(:principal) { nil }
+
+        it "should pass validation when given account is 'LocalSystem'" do
+          allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('LocalSystem').and_return(true)
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('LocalSystem').and_return(true)
+
+          expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
+          expect { provider.logonpassword=(user_input) }.not_to raise_error
+        end
+
+        ['LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'].each do |predefined_local_account|
+          describe "when given account is #{predefined_local_account}" do
+            let(:account) { 'predefined_local_account' }
+            let(:principal) do
+              Puppet::Util::Windows::SID::Principal.new(account, nil, nil, "NT AUTHORITY", :SidTypeUser)
+            end
+
+            it "should pass validation" do
+              allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.account).and_return(false)
+              allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.domain_account).and_return(false)
+              expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with(principal.domain_account).and_return(true).twice
+
+              expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
+              expect { provider.logonpassword=(user_input) }.not_to raise_error
+            end
+          end
+        end
+      end
+
+      describe "when given logonaccount is not a predefined local account" do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(".\\#{principal.account}").and_return(false)
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with(".\\#{principal.account}").and_return(false)
+        end
+
+        let(:account) { 'myUser' }
+        let(:principal) do
+          Puppet::Util::Windows::SID::Principal.new(account, nil, nil, computer_name, :SidTypeUser)
+        end
+
+        describe "when password is proven correct" do
+          let(:user_input) { 'myPass' }
+          it "should pass validation" do
+            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myPass', '.').and_return(true)
+            expect { provider.logonpassword=(user_input) }.not_to raise_error
+          end
+        end
+
+        describe "when password is not proven correct" do
+          let(:user_input) { 'myWrongPass' }
+          it "should not pass validation" do
+            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myWrongPass', '.').and_return(false)
+            expect { provider.logonpassword=(user_input) }.to raise_error(Puppet::Error, /The given password is invalid for user '.\\myUser'/)
+          end
+        end
+      end
+    end
+  end
 end