puppet 6.23.0-universal-darwin → 6.24.0-universal-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 24dd689f664e60e622d2fbbda9d4b461428e6478c917e325eef0c83967f25a4c
-  data.tar.gz: 858fc1cc963b92ed1bb79f75285565020bd114d5c6eed9fdabecd697fcae23b2
+  metadata.gz: eb648b41d0fbdd10edaa4efcceec83b7fb164bbf5ced5a0c9d1ad4c86d899e53
+  data.tar.gz: 67ae631f70383a88f3c279d227413120ce7aa6aee98fedbb678c195631349094
 SHA512:
-  metadata.gz: daebd0e8b02ad1345b567dbc145d7c968f69af1131dec93a18344fec41ef34314eaac36f55d1013f48e77f64e954fe7077b72df999a226a399a40d8fbce09d10
-  data.tar.gz: 74a993b2c402b3cb31706af8d3c6931cc3f208b61121f28901cde795b977082dfc2ff9fc30718ea5c0db5161ea128978a3465202b3c1b24f56744e447d0dc0cf
+  metadata.gz: 263bd6b402cbc719f48b5e6a378e3cdccfb7b80fdc99614b8939c67c588c84561ab532ca61585bf9f036cc72e1bd2e18286cdc0891c228c4ae17249335d7f904
+  data.tar.gz: 1d9ae6cc1005a034aa8eb6d4dbe18de985586037b5d4444c5fb8c3aa0ecfc107c2c07aff4029d0f6650c37b6fad21c1b4f68012344292ee906e4f9cf40980924

data/CONTRIBUTING.md

@@ -38,12 +38,12 @@ the [puppet-dev mailing list](https://groups.google.com/forum/#!forum/puppet-dev
 ## Making Changes
 
 * Create a topic branch from where you want to base your work.
-  * This is usually the master branch.
+  * This is usually the main branch.
   * Only target release branches if you are certain your fix must be on that
     branch.
-  * To quickly create a topic branch based on master, run `git checkout -b
-    fix/master/my_contribution master`. Please avoid working directly on the
-    `master` branch.
+  * To quickly create a topic branch based on main, run `git checkout -b
+    fix/main/my_contribution main`. Please avoid working directly on the
+    `main` branch.
 * Make commits of logical and atomic units.
 * Check for unnecessary whitespace with `git diff --check` before committing.
 * Make sure your commit messages are in the proper format. If the commit
@@ -65,7 +65,7 @@ the [puppet-dev mailing list](https://groups.google.com/forum/#!forum/puppet-dev
       why this is a problem, and how the patch fixes the problem when applied.
   ```
 * Make sure you have added the necessary tests for your changes.
-* For details on how to run tests, please see [the quickstart guide](https://github.com/puppetlabs/puppet/blob/master/docs/quickstart.md)
+* For details on how to run tests, please see [the quickstart guide](https://github.com/puppetlabs/puppet/blob/main/docs/quickstart.md)
 
 ## Writing Translatable Code
 

data/Gemfile.lock

@@ -1,9 +1,9 @@
 GIT
   remote: git://github.com/puppetlabs/packaging
-  revision: 9ddc3c730023911b5ef015dc55a4d2e9a55e4a6c
+  revision: 4d6d51947f44bfa2fc282658836c15f69672e757
   branch: 1.0.x
   specs:
-    packaging (0.99.77)
+    packaging (0.99.78.4.g4d6d519)
       artifactory (~> 2)
       csv (= 3.1.5)
       rake (>= 12.3)
@@ -12,7 +12,7 @@ GIT
 PATH
   remote: .
   specs:
-    puppet (6.23.0)
+    puppet (6.24.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -28,7 +28,7 @@ GEM
   remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
   specs:
     CFPropertyList (2.3.6)
-    addressable (2.7.0)
+    addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
     artifactory (2.8.2)
     ast (2.4.2)
@@ -40,11 +40,11 @@ GEM
     deep_merge (1.2.1)
     diff-lcs (1.4.4)
     docopt (0.6.1)
-    facter (4.2.1)
+    facter (4.2.2)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
     fast_gettext (1.1.2)
-    ffi (1.15.1)
+    ffi (1.15.3)
     gettext (3.2.9)
       locale (>= 2.0.5)
       text (>= 1.3.0)
@@ -81,14 +81,14 @@ GEM
     public_suffix (4.0.6)
     puppet-resource_api (1.8.14)
       hocon (>= 1.0)
-    puppetserver-ca (1.9.5)
+    puppetserver-ca (1.10.0)
       facter (>= 2.0.1, < 5)
     racc (1.4.9)
     rainbow (2.2.2)
       rake
     rake (12.3.3)
     rdiscount (2.2.0.2)
-    rdoc (6.3.1)
+    rdoc (6.3.2)
     release-metrics (1.1.0)
       csv
       docopt

data/README.md

@@ -33,16 +33,16 @@ see the [Quick Start to Developing on Puppet](docs/quickstart.md) guide.
 
 We'd love to get contributions from you! For a quick guide to getting your
 system setup for developing, take a look at our [Quickstart
-Guide](https://github.com/puppetlabs/puppet/blob/master/docs/quickstart.md). Once you are up and running, take a look at the
-[Contribution Documents](https://github.com/puppetlabs/puppet/blob/master/CONTRIBUTING.md) to see how to get your changes merged
+Guide](https://github.com/puppetlabs/puppet/blob/main/docs/quickstart.md). Once you are up and running, take a look at the
+[Contribution Documents](https://github.com/puppetlabs/puppet/blob/main/CONTRIBUTING.md) to see how to get your changes merged
 in.
 
 For more complete docs on developing with Puppet, take a look at the
-rest of the [developer documents](https://github.com/puppetlabs/puppet/blob/master/docs/index.md).
+rest of the [developer documents](https://github.com/puppetlabs/puppet/blob/main/docs/index.md).
 
 ## Licensing
 
-See [LICENSE](https://github.com/puppetlabs/puppet/blob/master/LICENSE) file. Puppet is licensed by Puppet, Inc. under the Apache license. Puppet, Inc. can be contacted at: info@puppet.com
+See [LICENSE](https://github.com/puppetlabs/puppet/blob/main/LICENSE) file. Puppet is licensed by Puppet, Inc. under the Apache license. Puppet, Inc. can be contacted at: info@puppet.com
 
 ## Support
 

data/ext/project_data.yaml

@@ -13,6 +13,7 @@ gem_files: '[A-Z]* install.rb bin lib conf man examples ext tasks spec locales'
 gem_test_files: 'spec/**/*'
 gem_executables: 'puppet'
 gem_default_executables: 'puppet'
+gem_license: 'Apache-2.0'
 gem_forge_project: 'puppet'
 gem_required_ruby_version: '>= 2.3.0'
 gem_required_rubygems_version: '> 1.3.1'

data/lib/puppet/application/filebucket.rb

@@ -1,6 +1,7 @@
 require 'puppet/application'
 
 class Puppet::Application::Filebucket < Puppet::Application
+  environment_mode :not_required
 
   option("--bucket BUCKET","-b")
   option("--debug","-d")

data/lib/puppet/application/resource.rb

@@ -1,6 +1,7 @@
 require 'puppet/application'
 
 class Puppet::Application::Resource < Puppet::Application
+  environment_mode :not_required
 
   attr_accessor :host, :extra_params
 
@@ -14,8 +15,9 @@ class Puppet::Application::Resource < Puppet::Application
   option("--to_yaml","-y")
 
   option("--types", "-t") do |arg|
+    env = Puppet.lookup(:environments).get(Puppet[:environment]) || create_default_environment
     types = []
-    Puppet::Type.loadall
+    Puppet::Type.typeloader.loadall(env)
     Puppet::Type.eachtype do |t|
       next if t.name == :component
       types << t.name.to_s
@@ -134,7 +136,9 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
   end
 
   def main
-    env = Puppet.lookup(:environments).get(Puppet[:environment])
+    # If the specified environment does not exist locally, fall back to the default (production) environment
+    env = Puppet.lookup(:environments).get(Puppet[:environment]) || create_default_environment
+
     Puppet.override(:current_environment => env, :loaders => Puppet::Pops::Loaders.new(env)) do
       type, name, params = parse_args(command_line.args)
 
@@ -209,6 +213,15 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
     [type, name, params]
   end
 
+  def create_default_environment
+    Puppet.debug("Specified environment '#{Puppet[:environment]}' does not exist on the filesystem, defaulting to 'production'")
+    Puppet[:environment] = :production
+    basemodulepath = Puppet::Node::Environment.split_path(Puppet[:basemodulepath])
+    modulepath = Puppet[:modulepath]
+    modulepath = (modulepath.nil? || modulepath.empty?) ? basemodulepath : Puppet::Node::Environment.split_path(modulepath)
+    Puppet::Node::Environment.create(Puppet[:environment], modulepath, Puppet::Node::Environment::NO_MANIFEST)
+  end
+
   def find_or_save_resources(type, name, params)
     key = local_key(type, name)
 

data/lib/puppet/application/ssl.rb

@@ -117,6 +117,7 @@ HELP
     end
 
     Puppet::SSL::Oids.register_puppet_oids
+    Puppet::SSL::Oids.load_custom_oid_file(Puppet[:trusted_oid_mapping_file])
 
     certname = Puppet[:certname]
     action = command_line.args.first

data/lib/puppet/environments.rb

@@ -356,6 +356,16 @@ module Puppet::Environments
       # Evict all that have expired, in the same way as `get`
       clear_all_expired
 
+      # Evict all that was removed from diks
+      cached_envs = @cache.keys.map!(&:to_sym)
+      loader_envs = @loader.list.map!(&:name)
+      removed_envs = cached_envs - loader_envs
+
+      removed_envs.each do |env_name|
+        Puppet.debug { "Environment no longer exists '#{env_name}'"}
+        clear(env_name)
+      end
+
       @loader.list.map do |env|
         name = env.name
         old_entry = @cache[name]

data/lib/puppet/face/help/action.erb

@@ -54,6 +54,7 @@ undocumented option
 	end
 	unless action.options.empty?
       action.options.sort.each do |name|
+        next if name == :extra
         option = action.get_option name -%>
 <%= "  " + option.optparse.join(" | ")[0,(optionroom - 1)].ljust(optionroom) + ' - ' -%>
 <%     if !(option.summary) -%>

data/lib/puppet/face/help/face.erb

@@ -49,6 +49,7 @@ undocumented option
 	end
  	unless face.options.empty?
       face.options.sort.each do |name|
+        next if name == :extra
         option = face.get_option name -%>
 <%= "  " + option.optparse.join(" | ")[0,(optionroom - 1)].ljust(optionroom) + ' - ' -%>
 <%     if !(option.summary) -%>

data/lib/puppet/face/node/clean.rb

@@ -47,6 +47,17 @@ Puppet::Face.define(:node, '0.0.1') do
   end
 
   class LoggerIO
+    def debug(message)
+      Puppet.debug(message)
+    end
+
+    # Notice: For Puppet 6.x, the function below does not matter as it
+    # does not have any functionality.  But we decided to keep it here
+    # for the ease of merge up to 7.x and having the same code base.
+    def warn(message)
+      Puppet.warning(message) unless message =~ /cadir is currently configured to be inside/
+    end
+
     def err(message)
       Puppet.err(message) unless message =~ /^\s*Error:\s*/
     end

data/lib/puppet/file_system/file_impl.rb

@@ -84,7 +84,7 @@ class Puppet::FileSystem::FileImpl
   end
 
   def read_preserve_line_endings(path)
-    read(path)
+    read(path, encoding: "bom|#{Encoding.default_external.name}")
   end
 
   def binread(path)

data/lib/puppet/file_system/windows.rb

@@ -109,8 +109,8 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
   end
 
   def read_preserve_line_endings(path)
-    contents = path.read( :mode => 'rb', :encoding => Encoding::UTF_8)
-    contents = path.read( :mode => 'rb', :encoding => Encoding::default_external) unless contents.valid_encoding?
+    contents = path.read( :mode => 'rb', :encoding => 'bom|utf-8')
+    contents = path.read( :mode => 'rb', :encoding => "bom|#{Encoding::default_external.name}") unless contents.valid_encoding?
     contents = path.read unless contents.valid_encoding?
 
     contents

data/lib/puppet/forge.rb

@@ -70,7 +70,7 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
         uri = decode_uri(result['pagination']['next'])
         matches.concat result['results']
       else
-        raise ResponseError.new(:uri => URI.parse(@host).merge(uri), :response => response)
+        raise ResponseError.new(:uri => response.url, :response => response)
       end
     end
 
@@ -105,7 +105,7 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
       if response.code == 200
         response = Puppet::Util::Json.load(response.body)
       else
-        raise ResponseError.new(:uri => URI.parse(@host).merge(uri), :response => response)
+        raise ResponseError.new(:uri => response.url, :response => response)
       end
 
       releases.concat(process(response['results']))
@@ -208,7 +208,7 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
       response = @source.make_http_request(uri, destination)
       destination.flush and destination.close
       unless response.code == 200
-        raise Puppet::Forge::Errors::ResponseError.new(:uri => uri, :response => response)
+        raise Puppet::Forge::Errors::ResponseError.new(:uri => response.url, :response => response)
       end
     end
 

data/lib/puppet/functions/empty.rb

@@ -26,6 +26,10 @@ Puppet::Functions.create_function(:empty) do
     param 'Collection', :coll
   end
 
+  dispatch :sensitive_string_empty do
+    param 'Sensitive[String]', :str
+  end
+
   dispatch :string_empty do
     param 'String', :str
   end
@@ -46,6 +50,10 @@ Puppet::Functions.create_function(:empty) do
     coll.empty?
   end
 
+  def sensitive_string_empty(str)
+    str.unwrap.empty?
+  end
+
   def string_empty(str)
     str.empty?
   end

data/lib/puppet/functions/strftime.rb

@@ -105,6 +105,7 @@
 # **Seconds since the Epoch:**
 #
 # | Format | Meaning |
+# | ------ | ------- |
 # | s | Number of seconds since 1970-01-01 00:00:00 UTC. |
 #
 # **Literal string:**

data/lib/puppet/functions/unwrap.rb

@@ -1,4 +1,5 @@
 # Unwraps a Sensitive value and returns the wrapped object.
+# Returns the Value itself, if it is not Sensitive.
 #
 # @example Usage of unwrap
 #
@@ -28,12 +29,17 @@
 # @since 4.0.0
 #
 Puppet::Functions.create_function(:unwrap) do
-  dispatch :unwrap do
+  dispatch :from_sensitive do
     param 'Sensitive', :arg
     optional_block_param
   end
 
-  def unwrap(arg)
+  dispatch :from_any do
+    param 'Any', :arg
+    optional_block_param
+  end
+
+  def from_sensitive(arg)
     unwrapped = arg.unwrap
     if block_given?
       yield(unwrapped)
@@ -41,4 +47,13 @@ Puppet::Functions.create_function(:unwrap) do
       unwrapped
     end
   end
+
+  def from_any(arg)
+    unwrapped = arg
+    if block_given?
+      yield(unwrapped)
+    else
+      unwrapped
+    end
+  end
 end

data/lib/puppet/indirector/resource/ral.rb

@@ -24,7 +24,12 @@ class Puppet::Resource::Ral < Puppet::Indirector::Code
     type(request).instances.map do |res|
       res.to_resource
     end.find_all do |res|
-      conditions.all? {|property, value| res.to_resource[property].to_s == value.to_s}
+      conditions.all? do |property, value|
+        # even though `res` is an instance of Puppet::Resource, calling
+        # `res[:name]` on it returns nil, and for some reason it is necessary
+        # to invoke the Puppet::Resource#copy_as_resource copy constructor...
+        res.copy_as_resource[property].to_s == value.to_s
+      end
     end.sort_by(&:title)
   end
 

data/lib/puppet/interface/documentation.rb

@@ -76,6 +76,7 @@ class Puppet::Interface
         s.text(" ")
 
         options.each do |option|
+          next if option == :extra
           option = get_option(option)
           wrap = option.required? ? %w{ < > } : %w{ [ ] }
 

data/lib/puppet/module_tool/applications/installer.rb

@@ -59,6 +59,10 @@ module Puppet::ModuleTool
         results = { :action => :install, :module_name => name, :module_version => version }
 
         begin
+          if !@local_tarball && name !~ /-/
+            raise InvalidModuleNameError.new(module_name: @name, suggestion: "puppetlabs-#{@name}", action: :install)
+          end
+
           installed_module = installed_modules[name]
           if installed_module
             unless forced?

data/lib/puppet/module_tool/errors/shared.rb

@@ -127,6 +127,23 @@ module Puppet::ModuleTool::Errors
     end
   end
 
+  class InvalidModuleNameError < ModuleToolError
+    def initialize(options)
+      @module_name = options[:module_name]
+      @suggestion = options[:suggestion]
+      @action = options[:action]
+      super _("Could not %{action} '%{module_name}', did you mean '%{suggestion}'?") % { action: @action, module_name: @module_name, suggestion: @suggestion }
+    end
+
+    def multiline
+      message = []
+      message << _("Could not %{action} module '%{module_name}'") % { action: @action, module_name: @module_name }
+      message << _("  The name '%{module_name}' is invalid") % { module_name: @module_name }
+      message << _("    Did you mean `puppet module %{action} %{suggestion}`?") % { action: @action, suggestion: @suggestion }
+      message.join("\n")
+    end
+  end
+
   class NotInstalledError < ModuleToolError
     def initialize(options)
       @module_name = options[:module_name]

data/lib/puppet/pops/types/type_mismatch_describer.rb

@@ -640,7 +640,7 @@ module Types
           result = ["#{label} expects (#{signature_string(sig)})"]
           result.concat(error_arrays[0].map { |e| "  rejected:#{e.chop_path(0).format}" })
         else
-          result = ["#{label} expects one of:"]
+          result = ["The function #{label} was called with arguments it does not accept. It expects one of:"]
           signatures.each_with_index do |sg, index|
             result << "  (#{signature_string(sg)})"
             result.concat(error_arrays[index].map { |e| "    rejected:#{e.chop_path(0).format}" })

data/lib/puppet/provider/exec/posix.rb

@@ -6,10 +6,22 @@ Puppet::Type.type(:exec).provide :posix, :parent => Puppet::Provider::Exec do
   defaultfor :feature => :posix
 
   desc <<-EOT
-    Executes external binaries directly, without passing through a shell or
-    performing any interpolation. This is a safer and more predictable way
-    to execute most commands, but prevents the use of globbing and shell
-    built-ins (including control logic like "for" and "if" statements).
+    Executes external binaries by invoking Ruby's `Kernel.exec`.
+    When the command is a string, it will be executed directly,
+    without a shell, if it follows these rules:
+     - no meta characters
+     - no shell reserved word and no special built-in
+
+    When the command is an Array of Strings, passed as `[cmdname, arg1, ...]`
+    it will be executed directly(the first element is taken as a command name
+    and the rest are passed as parameters to command with no shell expansion)
+    This is a safer and more predictable way to execute most commands,
+    but prevents the use of globbing and shell built-ins (including control
+    logic like "for" and "if" statements).
+
+    If the use of globbing and shell built-ins is desired, please check
+    the `shell` provider
+
   EOT
 
   # Verify that we have the executable

data/lib/puppet/provider/package/pip.rb

@@ -127,7 +127,7 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
     if self.class.compare_pip_versions(command_version, '1.5.4') == -1
       available_versions_with_old_pip.last
     else
-      available_versions_with_new_pip.last
+      available_versions_with_new_pip(command_version).last
     end
   end
 
@@ -150,15 +150,17 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
     if self.class.compare_pip_versions(command_version, '1.5.4') == -1
       available_versions_with_old_pip
     else
-      available_versions_with_new_pip
+      available_versions_with_new_pip(command_version)
     end
   end
 
-  def available_versions_with_new_pip
+  def available_versions_with_new_pip(command_version)
     command = resource_or_provider_command
     self.class.validate_command(command)
 
     command_and_options = [self.class.quote(command), 'install', "#{@resource[:name]}==versionplease"]
+    extra_arg = list_extra_flags(command_version)
+    command_and_options << extra_arg if extra_arg
     command_and_options << install_options if @resource[:install_options]
     execpipe command_and_options do |process|
       process.collect do |line|
@@ -329,4 +331,14 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
       path
     end
   end
+
+  private
+
+  def list_extra_flags(command_version)
+    klass = self.class
+    if klass.compare_pip_versions(command_version, '20.2.4') == 1 &&
+      klass.compare_pip_versions(command_version, '21.1') == -1
+      '--use-deprecated=legacy-resolver'
+    end
+  end
 end

data/lib/puppet/provider/parsedfile.rb

@@ -280,6 +280,9 @@ class Puppet::Provider::ParsedFile < Puppet::Provider
   def self.prefetch_target(target)
     begin
       target_records = retrieve(target)
+      unless target_records
+        raise Puppet::DevError, _("Prefetching %{target} for provider %{name} returned nil") % { target: target, name: self.name }
+      end
     rescue Puppet::Util::FileType::FileReadError => detail
       if @raise_prefetch_errors
         # We will raise an error later in flush_target. This way,

data/lib/puppet/settings.rb

@@ -862,7 +862,11 @@ class Puppet::Settings
     if self[:user]
       user = Puppet::Type.type(:user).new :name => self[:user], :audit => :ensure
 
-      @service_user_available = user.exists?
+      if user.suitable?
+        @service_user_available = user.exists?
+      else
+        raise Puppet::Error, (_("Cannot manage owner permissions, because the provider for '%{name}' is not functional") % { name: user })
+      end
     else
       @service_user_available = false
     end
@@ -874,7 +878,11 @@ class Puppet::Settings
     if self[:group]
       group = Puppet::Type.type(:group).new :name => self[:group], :audit => :ensure
 
-      @service_group_available = group.exists?
+      if group.suitable?
+        @service_group_available = group.exists?
+      else
+        raise Puppet::Error, (_("Cannot manage group permissions, because the provider for '%{name}' is not functional") % { name: group })
+      end
     else
       @service_group_available = false
     end
@@ -883,9 +891,16 @@ class Puppet::Settings
   # Allow later inspection to determine if the setting was set on the
   # command line, or through some other code path.  Used for the
   # `dns_alt_names` option during cert generate. --daniel 2011-10-18
-  def set_by_cli?(param)
+  #
+  # @param param [String, Symbol] the setting to look up
+  # @return [Object, nil] the value of the setting or nil if unset
+  def set_by_cli(param)
     param = param.to_sym
-    !@value_sets[:cli].lookup(param).nil?
+    @value_sets[:cli].lookup(param)
+  end
+
+  def set_by_cli?(param)
+    !!set_by_cli(param)
   end
 
   # Get values from a search path entry.
@@ -918,9 +933,13 @@ class Puppet::Settings
     end
   end
 
-  # Allow later inspection to determine if the setting was set by user
-  # config, rather than a default setting.
-  def set_in_section?(param, section)
+  # Allow later inspection to determine if the setting was set in a specific
+  # section
+  #
+  # @param param [String, Symbol] the setting to look up
+  # @param section [Symbol] the section in which to look up the setting
+  # @return [Object, nil] the value of the setting or nil if unset
+  def set_in_section(param, section)
     param = param.to_sym
     vals = searchpath_values(SearchPathElement.new(section, :section))
     if vals
@@ -928,6 +947,10 @@ class Puppet::Settings
     end
   end
 
+  def set_in_section?(param, section)
+    !!set_in_section(param, section)
+  end
+
   # Patches the value for a param in a section.
   # This method is required to support the use case of unifying --dns-alt-names and
   # --dns_alt_names in the certificate face. Ideally this should be cleaned up.

data/lib/puppet/type/exec.rb

@@ -201,7 +201,9 @@ module Puppet
         only uses the resource title to ensure `exec`s are unique."
 
       validate do |command|
-        raise ArgumentError, _("Command must be a String, got value of class %{klass}") % { klass: command.class } unless command.is_a? String
+        unless command.is_a?(String) || command.is_a?(Array)
+          raise ArgumentError, _("Command must be a String or Array<String>, got value of class %{klass}") % { klass: command.class }
+        end
       end
     end
 
@@ -458,6 +460,10 @@ module Puppet
 
             unless => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
+        or an array of arrays. For example:
+
+            unless => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
+
         This `exec` would only run if every command in the array has a
         non-zero exit code.
       EOT
@@ -514,6 +520,10 @@ module Puppet
 
             onlyif => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
+        or an array of arrays. For example:
+
+            onlyif => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
+
         This `exec` would only run if every command in the array has an
         exit code of 0 (success).
       EOT
@@ -562,12 +572,14 @@ module Puppet
       reqs << self[:cwd] if self[:cwd]
 
       file_regex = Puppet::Util::Platform.windows? ? %r{^([a-zA-Z]:[\\/]\S+)} : %r{^(/\S+)}
+      cmd = self[:command]
+      cmd = cmd[0] if cmd.is_a? Array
 
-      self[:command].scan(file_regex) { |str|
+      cmd.scan(file_regex) { |str|
         reqs << str
       }
 
-      self[:command].scan(/^"([^"]+)"/) { |str|
+      cmd.scan(/^"([^"]+)"/) { |str|
         reqs << str
       }
 
@@ -583,6 +595,7 @@ module Puppet
           # fully qualified.  It might not be a bad idea to add
           # unqualified files, but, well, that's a bit more annoying
           # to do.
+          line = line[0] if line.is_a? Array
           reqs += line.scan(file_regex)
         end
       }