puppet 6.23.0 → 6.26.0

data/lib/puppet/provider/user/aix.rb

@@ -265,6 +265,50 @@ Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
     end
   end
 
+  # Lists all instances of the given object, taking in an optional set
+  # of ia_module arguments. Returns an array of hashes, each hash
+  # having the schema
+  #   {
+  #     :name => <object_name>
+  #     :home => <object_home>
+  #   }
+  def list_all_homes(ia_module_args = [])
+    cmd = [command(:list), '-c', *ia_module_args, '-a', 'home', 'ALL']
+    parse_aix_objects(execute(cmd)).to_a.map do |object|
+      name = object[:name]
+      home = object[:attributes].delete(:home)
+
+      { name: name, home: home }
+    end
+  rescue => e
+    Puppet.debug("Could not list home of all users: #{e.message}")
+    {}
+  end
+
+  # Deletes this instance resource
+  def delete
+    homedir = home
+    super
+    return unless @resource.managehome?
+
+    if !Puppet::Util.absolute_path?(homedir) || File.realpath(homedir) == '/' || Puppet::FileSystem.symlink?(homedir)
+      Puppet.debug("Can not remove home directory '#{homedir}' of user '#{@resource[:name]}'. Please make sure the path is not relative, symlink or '/'.")
+      return
+    end
+
+    affected_home = list_all_homes.find { |info| info[:home].start_with?(File.realpath(homedir)) }
+    if affected_home
+      Puppet.debug("Can not remove home directory '#{homedir}' of user '#{@resource[:name]}' as it would remove the home directory '#{affected_home[:home]}' of user '#{affected_home[:name]}' also.")
+      return
+    end
+
+    FileUtils.remove_entry_secure(homedir, true)
+  end
+
+  def deletecmd
+    [self.class.command(:delete), '-p'] + ia_module_args + [@resource[:name]]
+  end
+
   # UNSUPPORTED
   #- **profile_membership**
   #    Whether specified roles should be treated as the only roles
@@ -314,5 +358,4 @@ Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
   #    be treated as the minimum membership list.  Valid values are
   #    `inclusive`, `minimum`.
   # UNSUPPORTED
-
 end

data/lib/puppet/provider/user/directoryservice.rb

@@ -159,7 +159,7 @@ Puppet::Type.type(:user).provide :directoryservice do
   end
 
   def self.get_os_version
-    @os_version ||= Facter.value(:macosx_productversion_major)
+    @os_version ||= Puppet.runtime[:facter].value(:macosx_productversion_major)
   end
 
   # Use dscl to retrieve an array of hashes containing attributes about all

data/lib/puppet/provider/user/useradd.rb

@@ -7,9 +7,12 @@ require 'puppet/error'
 Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameService::ObjectAdd do
   desc "User management via `useradd` and its ilk.  Note that you will need to
     install Ruby's shadow password library (often known as `ruby-libshadow`)
-    if you wish to manage user passwords."
+    if you wish to manage user passwords.
 
-  commands :add => "useradd", :delete => "userdel", :modify => "usermod", :password => "chage"
+    To use the `forcelocal` parameter, you need to install the `libuser` package (providing
+    `/usr/sbin/lgroupadd` and `/usr/sbin/luseradd`)."
+
+  commands :add => "useradd", :delete => "userdel", :modify => "usermod", :password => "chage", :chpasswd  => "chpasswd"
 
   options :home, :flag => "-d", :method => :dir
   options :comment, :method => :gecos
@@ -21,13 +24,13 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
   options :expiry, :method => :sp_expire,
     :munge => proc { |value|
       if value == :absent
-        if Facter.value(:operatingsystem)=='SLES' && Facter.value(:operatingsystemmajrelease) == "11"
+        if Puppet.runtime[:facter].value(:operatingsystem)=='SLES' && Puppet.runtime[:facter].value(:operatingsystemmajrelease) == "11"
           -1
         else
           ''
         end
       else
-        case Facter.value(:operatingsystem)
+        case Puppet.runtime[:facter].value(:operatingsystem)
         when 'Solaris'
           # Solaris uses %m/%d/%Y for useradd/usermod
           expiry_year, expiry_month, expiry_day = value.split('-')
@@ -69,6 +72,16 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
      get(:comment)
   end
 
+  def shell
+    return localshell if @resource.forcelocal?
+    get(:shell)
+  end
+
+  def home
+    return localhome if @resource.forcelocal?
+    get(:home)
+  end
+
   def groups
      return localgroups if @resource.forcelocal?
      super
@@ -120,6 +133,16 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     user[:gecos]
   end
 
+  def localshell
+    user = finduser(:account, resource[:name])
+    user[:shell]
+  end
+
+  def localhome
+    user = finduser(:account, resource[:name])
+    user[:directory]
+  end
+
   def localgroups
     @groups_of ||= {}
     group_file = '/etc/group'
@@ -152,6 +175,38 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     set(:groups, value)
   end
 
+  def password=(value)
+    user = @resource[:name]
+    tempfile = Tempfile.new('puppet', :encoding => Encoding::UTF_8)
+    begin
+      # Puppet execute does not support strings as input, only files.
+      # The password is expected to be in an encrypted format given -e is specified:
+      tempfile << "#{user}:#{value}\n"
+      tempfile.flush
+
+      # Options '-e' use encrypted password
+      # Must receive "user:enc_password" as input
+      # command, arguments = {:failonfail => true, :combine => true}
+      cmd = [command(:chpasswd), '-e']
+      execute_options = {
+        :failonfail => false,
+        :combine => true,
+        :stdinfile => tempfile.path,
+        :sensitive => has_sensitive_data?
+      }
+      output = execute(cmd, execute_options)
+
+    rescue => detail
+      tempfile.close
+      tempfile.delete
+      raise Puppet::Error, "Could not set password on #{@resource.class.name}[#{@resource.name}]: #{detail}", detail.backtrace
+    end
+
+    # chpasswd can return 1, even on success (at least on AIX 6.1); empty output
+    # indicates success
+    raise Puppet::ExecutionFailure, "chpasswd said #{output}" if output != ''
+  end
+
   verify :gid, "GID must be an integer" do |value|
     value.is_a? Integer
   end
@@ -161,7 +216,7 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
   end
 
   has_features :manages_homedir, :allows_duplicates, :manages_expiry
-  has_features :system_users unless %w{HP-UX Solaris}.include? Facter.value(:operatingsystem)
+  has_features :system_users unless %w{HP-UX Solaris}.include? Puppet.runtime[:facter].value(:operatingsystem)
 
   has_features :manages_passwords, :manages_password_age if Puppet.features.libshadow?
   has_features :manages_shell
@@ -196,8 +251,8 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
       # libuser does not implement the -m flag
       cmd << "-m" unless @resource.forcelocal?
     else
-      osfamily = Facter.value(:osfamily)
-      osversion = Facter.value(:operatingsystemmajrelease).to_i
+      osfamily = Puppet.runtime[:facter].value(:osfamily)
+      osversion = Puppet.runtime[:facter].value(:operatingsystemmajrelease).to_i
       # SLES 11 uses pwdutils instead of shadow, which does not have -M
       # Solaris and OpenBSD use different useradd flavors
       unless osfamily =~ /Solaris|OpenBSD/ || osfamily == 'Suse' && osversion <= 11
@@ -215,13 +270,15 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     end
   end
 
+  # Add properties and flags but skipping password related properties due to
+  # security risks
   def add_properties
     cmd = []
     # validproperties is a list of properties in undefined order
     # sort them to have a predictable command line in tests
     Puppet::Type.type(:user).validproperties.sort.each do |property|
       value = get_value_for_property(property)
-      next if value.nil?
+      next if value.nil? || property == :password
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
       cmd << flag(property) << munge(property, value)
@@ -293,7 +350,7 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
       cmd = [command(:delete)]
     end
     # Solaris `userdel -r` will fail if the homedir does not exist.
-    if @resource.managehome? && (('Solaris' != Facter.value(:operatingsystem)) || Dir.exist?(Dir.home(@resource[:name])))
+    if @resource.managehome? && (('Solaris' != Puppet.runtime[:facter].value(:operatingsystem)) || Dir.exist?(Dir.home(@resource[:name])))
       cmd << '-r'
     end
     cmd << @resource[:name]
@@ -331,13 +388,12 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     if @resource[:shell]
       check_valid_shell
     end
-     super
-     if @resource.forcelocal? && self.groups?
-       set(:groups, @resource[:groups])
-     end
-     if @resource.forcelocal? && @resource[:expiry]
-       set(:expiry, @resource[:expiry])
-     end
+    super
+    if @resource.forcelocal?
+      set(:groups, @resource[:groups]) if self.groups?
+      set(:expiry, @resource[:expiry]) if @resource[:expiry]
+    end
+    set(:password, @resource[:password]) if @resource[:password]
   end
 
   def groups?

data/lib/puppet/provider.rb

@@ -302,7 +302,7 @@ class Puppet::Provider
   #   values. Given one or more Regexp instances, fact is compared via the basic
   #   pattern-matching operator.
   def self.fact_match(fact, values)
-    fact_val = Facter.value(fact).to_s.downcase
+    fact_val = Puppet.runtime[:facter].value(fact).to_s.downcase
     if fact_val.empty?
       return false
     else

data/lib/puppet/reference/providers.rb

@@ -15,7 +15,7 @@ providers = Puppet::Util::Reference.newreference :providers, :title => "Provider
   # Throw some facts in there, so we know where the report is from.
   ["Ruby Version", "Puppet Version", "Operating System", "Operating System Release"].each do |label|
     name = label.gsub(/\s+/, '')
-    value = Facter.value(name)
+    value = Puppet.runtime[:facter].value(name)
     ret << option(label, value)
   end
   ret << "\n"
@@ -61,7 +61,7 @@ providers = Puppet::Util::Reference.newreference :providers, :title => "Provider
               if Puppet.settings.valid?(name)
                 details << _("  - Setting %{name} (currently %{value}) not in list %{facts}\n") % { name: name, value: Puppet.settings.value(name).inspect, facts: facts.join(", ") }
               else
-                details << _("  - Fact %{name} (currently %{value}) not in list %{facts}\n") % { name: name, value: Facter.value(name).inspect, facts: facts.join(", ") }
+                details << _("  - Fact %{name} (currently %{value}) not in list %{facts}\n") % { name: name, value: Puppet.runtime[:facter].value(name).inspect, facts: facts.join(", ") }
               end
             end
           when :true

data/lib/puppet/resource/catalog.rb

@@ -315,7 +315,7 @@ class Puppet::Resource::Catalog < Puppet::Graph::SimpleGraph
     super()
     @name = name
     @catalog_uuid = SecureRandom.uuid
-    @catalog_format = 1
+    @catalog_format = 2
     @metadata = {}
     @recursive_metadata = {}
     @classes = []

data/lib/puppet/resource/type_collection.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'puppet/parser/type_loader'
 require 'puppet/util/file_watcher'
 require 'puppet/util/warnings'

data/lib/puppet/resource.rb

@@ -11,7 +11,7 @@ class Puppet::Resource
   include Puppet::Util::PsychSupport
 
   include Enumerable
-  attr_accessor :file, :line, :catalog, :exported, :virtual, :strict
+  attr_accessor :file, :line, :catalog, :exported, :virtual, :strict, :kind
   attr_reader :type, :title, :parameters
 
   # @!attribute [rw] sensitive_parameters
@@ -29,11 +29,16 @@ class Puppet::Resource
   EMPTY_ARRAY = [].freeze
   EMPTY_HASH = {}.freeze
 
-  ATTRIBUTES = [:file, :line, :exported].freeze
+  ATTRIBUTES = [:file, :line, :exported, :kind].freeze
   TYPE_CLASS = 'Class'.freeze
   TYPE_NODE  = 'Node'.freeze
   TYPE_SITE  = 'Site'.freeze
 
+  CLASS_STRING = 'class'.freeze
+  DEFINED_TYPE_STRING = 'defined_type'.freeze
+  COMPILABLE_TYPE_STRING = 'compilable_type'.freeze
+  UNKNOWN_TYPE_STRING  = 'unknown'.freeze
+
   PCORE_TYPE_KEY = '__ptype'.freeze
   VALUE_KEY = 'value'.freeze
 
@@ -194,6 +199,18 @@ class Puppet::Resource
     resource_type.is_a?(Puppet::CompilableResourceType)
   end
 
+  def self.to_kind(resource_type)
+    if resource_type == CLASS_STRING
+      CLASS_STRING
+    elsif resource_type.is_a?(Puppet::Resource::Type) && resource_type.type == :definition
+      DEFINED_TYPE_STRING
+    elsif resource_type.is_a?(Puppet::CompilableResourceType)
+      COMPILABLE_TYPE_STRING
+    else
+      UNKNOWN_TYPE_STRING
+    end
+  end
+
   # Iterate over each param/value pair, as required for Enumerable.
   def each
     parameters.each { |p,v| yield p, v }
@@ -248,6 +265,7 @@ class Puppet::Resource
       src = type
       self.file = src.file
       self.line = src.line
+      self.kind = src.kind
       self.exported = src.exported
       self.virtual = src.virtual
       self.set_tags(src)
@@ -310,6 +328,7 @@ class Puppet::Resource
 
       rt = resource_type
 
+      self.kind = self.class.to_kind(rt) unless kind
       if strict? && rt.nil?
         if self.class?
           raise ArgumentError, _("Could not find declared class %{title}") % { title: title }
@@ -493,10 +512,24 @@ class Puppet::Resource
     ref
   end
 
-  # Convert our resource to a RAL resource instance.  Creates component
-  # instances for resource types that don't exist.
+  # Convert our resource to a RAL resource instance. Creates component
+  # instances for resource types that are not of a compilable_type kind. In case
+  # the resource doesn’t exist and it’s compilable_type kind, raise an error.
+  # There are certain cases where a resource won't be in a catalog, such as 
+  # when we create a resource directly by using Puppet::Resource.new(...), so we 
+  # must check its kind before deciding whether the catalog format is of an older
+  # version or not.
   def to_ral
-    typeklass = Puppet::Type.type(self.type) || Puppet::Type.type(:component)
+    if self.kind == COMPILABLE_TYPE_STRING
+      typeklass = Puppet::Type.type(self.type)
+    elsif self.catalog && self.catalog.catalog_format >= 2
+      typeklass = Puppet::Type.type(:component)
+    else
+      typeklass =  Puppet::Type.type(self.type) || Puppet::Type.type(:component)
+    end
+
+    raise(Puppet::Error, "Resource type '#{self.type}' was not found") unless typeklass
+
     typeklass.new(self)
   end
 

data/lib/puppet/runtime.rb

@@ -1,4 +1,5 @@
 require 'puppet/http'
+require 'puppet/facter_impl'
 require 'singleton'
 
 # Provides access to runtime implementations.
@@ -17,11 +18,20 @@ class Puppet::Runtime
         else
           Puppet::HTTP::ExternalClient.new(klass)
         end
-      end
+      end,
+      facter: proc { Puppet::FacterImpl.new }
     }
   end
   private :initialize
 
+  # Loads all runtime implementations.
+  #
+  # @return Array[Symbol] the names of loaded implementations
+  # @api private
+  def load_services
+    @runtime_services.keys.each { |key| self[key] }
+  end
+
   # Get a runtime implementation.
   #
   # @param name [Symbol] the name of the implementation

data/lib/puppet/settings.rb

@@ -75,11 +75,11 @@ class Puppet::Settings
   end
 
   def self.hostname_fact()
-    Facter.value :hostname
+    Puppet.runtime[:facter].value :hostname
   end
 
   def self.domain_fact()
-    Facter.value :domain
+    Puppet.runtime[:facter].value :domain
   end
 
   def self.default_config_file_name
@@ -862,7 +862,11 @@ class Puppet::Settings
     if self[:user]
       user = Puppet::Type.type(:user).new :name => self[:user], :audit => :ensure
 
-      @service_user_available = user.exists?
+      if user.suitable?
+        @service_user_available = user.exists?
+      else
+        raise Puppet::Error, (_("Cannot manage owner permissions, because the provider for '%{name}' is not functional") % { name: user })
+      end
     else
       @service_user_available = false
     end
@@ -874,7 +878,11 @@ class Puppet::Settings
     if self[:group]
       group = Puppet::Type.type(:group).new :name => self[:group], :audit => :ensure
 
-      @service_group_available = group.exists?
+      if group.suitable?
+        @service_group_available = group.exists?
+      else
+        raise Puppet::Error, (_("Cannot manage group permissions, because the provider for '%{name}' is not functional") % { name: group })
+      end
     else
       @service_group_available = false
     end
@@ -883,9 +891,16 @@ class Puppet::Settings
   # Allow later inspection to determine if the setting was set on the
   # command line, or through some other code path.  Used for the
   # `dns_alt_names` option during cert generate. --daniel 2011-10-18
-  def set_by_cli?(param)
+  #
+  # @param param [String, Symbol] the setting to look up
+  # @return [Object, nil] the value of the setting or nil if unset
+  def set_by_cli(param)
     param = param.to_sym
-    !@value_sets[:cli].lookup(param).nil?
+    @value_sets[:cli].lookup(param)
+  end
+
+  def set_by_cli?(param)
+    !!set_by_cli(param)
   end
 
   # Get values from a search path entry.
@@ -918,9 +933,13 @@ class Puppet::Settings
     end
   end
 
-  # Allow later inspection to determine if the setting was set by user
-  # config, rather than a default setting.
-  def set_in_section?(param, section)
+  # Allow later inspection to determine if the setting was set in a specific
+  # section
+  #
+  # @param param [String, Symbol] the setting to look up
+  # @param section [Symbol] the section in which to look up the setting
+  # @return [Object, nil] the value of the setting or nil if unset
+  def set_in_section(param, section)
     param = param.to_sym
     vals = searchpath_values(SearchPathElement.new(section, :section))
     if vals
@@ -928,6 +947,10 @@ class Puppet::Settings
     end
   end
 
+  def set_in_section?(param, section)
+    !!set_in_section(param, section)
+  end
+
   # Patches the value for a param in a section.
   # This method is required to support the use case of unifying --dns-alt-names and
   # --dns_alt_names in the certificate face. Ideally this should be cleaned up.

data/lib/puppet/ssl/verifier.rb

@@ -115,6 +115,12 @@ class Puppet::SSL::Verifier
         return false
       end
 
+    # ruby-openssl#74ef8c0cc56b840b772240f2ee2b0fc0aafa2743 now sets the
+    # store_context error when the cert is mismatched
+    when OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH
+      @last_error = Puppet::SSL::CertMismatchError.new(peer_cert, @hostname)
+      return false
+
     when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
       crl = store_context.current_crl
       if crl && crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS

data/lib/puppet/test/test_helper.rb

@@ -142,7 +142,9 @@ module Puppet::Test
         },
         "Context for specs")
 
-      Puppet.runtime.clear
+      # trigger `require 'facter'`
+      Puppet.runtime[:facter]
+
       Puppet::Parser::Functions.reset
       Puppet::Application.clear!
       Puppet::Util::Profiler.clear
@@ -169,6 +171,7 @@ module Puppet::Test
 
       Puppet::Util::Storage.clear
       Puppet::Util::ExecutionStub.reset
+      Puppet.runtime.clear
 
       Puppet.clear_deprecation_warnings
 

data/lib/puppet/transaction/persistence.rb

@@ -6,6 +6,26 @@ require 'puppet/util/yaml'
 # as calculating corrective_change).
 # @api private
 class Puppet::Transaction::Persistence
+
+  def self.allowed_classes
+    @allowed_classes ||= [
+      Symbol,
+      Time,
+      Regexp,
+      # URI is excluded, because it serializes all instance variables including the
+      # URI parser. Better to serialize the URL encoded representation.
+      SemanticPuppet::Version,
+      # SemanticPuppet::VersionRange has many nested classes and is unlikely to be
+      # used directly, so ignore it
+      Puppet::Pops::Time::Timestamp,
+      Puppet::Pops::Time::TimeData,
+      Puppet::Pops::Time::Timespan,
+      Puppet::Pops::Types::PBinaryType::Binary,
+      # Puppet::Pops::Types::PSensitiveType::Sensitive values are excluded from
+      # the persistence store, ignore it.
+    ].freeze
+  end
+
   def initialize
     @old_data = {}
     @new_data = {"resources" => {}}
@@ -62,7 +82,7 @@ class Puppet::Transaction::Persistence
     result = nil
     Puppet::Util.benchmark(:debug, _("Loaded transaction store file in %{seconds} seconds")) do
       begin
-        result = Puppet::Util::Yaml.safe_load_file(filename, [Symbol, Time])
+        result = Puppet::Util::Yaml.safe_load_file(filename, self.class.allowed_classes)
       rescue Puppet::Util::Yaml::YamlLoadError => detail
         Puppet.log_exception(detail, _("Transaction store file %{filename} is corrupt (%{detail}); replacing") % { filename: filename, detail: detail })
 

data/lib/puppet/transaction/report.rb

@@ -77,6 +77,10 @@ class Puppet::Transaction::Report
   # @return [String] the environment name
   attr_accessor :environment
 
+  # The name of the environment the agent initially started in
+  # @return [String] the environment name
+  attr_accessor :initial_environment
+
   # Whether there are changes that we decided not to apply because of noop
   # @return [Boolean]
   #
@@ -377,7 +381,17 @@ class Puppet::Transaction::Report
   # @api public
   #
   def raw_summary
-    report = { "version" => { "config" => configuration_version, "puppet" => Puppet.version  } }
+    report = {
+      "version" => {
+        "config" => configuration_version,
+        "puppet" => Puppet.version
+      },
+      "application" => {
+        "run_mode" => Puppet.run_mode.name.to_s,
+        "initial_environment" => initial_environment,
+        "converged_environment" => environment
+      }
+    }
 
     @metrics.each do |name, metric|
       key = metric.name.to_s

data/lib/puppet/type/exec.rb

@@ -11,7 +11,10 @@ module Puppet
 
       * The command itself is already idempotent. (For example, `apt-get update`.)
       * The exec has an `onlyif`, `unless`, or `creates` attribute, which prevents
-        Puppet from running the command unless some condition is met.
+        Puppet from running the command unless some condition is met. The
+        `onlyif` and `unless` commands of an `exec` are used in the process of
+        determining whether the `exec` is already in sync, therefore they must be run
+        during a noop Puppet run.
       * The exec has `refreshonly => true`, which allows Puppet to run the
         command only when some other resource is changed. (See the notes on refreshing
         below.) 
@@ -198,10 +201,20 @@ module Puppet
         any output is logged at the `err` log level.
 
         Multiple `exec` resources can use the same `command` value; Puppet
-        only uses the resource title to ensure `exec`s are unique."
+        only uses the resource title to ensure `exec`s are unique.
+
+        On *nix platforms, the command can be specified as an array of
+        strings and Puppet will invoke it using the more secure method of
+        parameterized system calls. For example, rather than executing the
+        malicious injected code, this command will echo it out:
+
+            command => ['/bin/echo', 'hello world; rm -rf /']
+      "
 
       validate do |command|
-        raise ArgumentError, _("Command must be a String, got value of class %{klass}") % { klass: command.class } unless command.is_a? String
+        unless command.is_a?(String) || command.is_a?(Array)
+          raise ArgumentError, _("Command must be a String or Array<String>, got value of class %{klass}") % { klass: command.class }
+        end
       end
     end
 
@@ -454,10 +467,17 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
+        Since this command is used in the process of determining whether the
+        `exec` is already in sync, it must be run during a noop Puppet run.
+
         This parameter can also take an array of commands. For example:
 
             unless => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
+        or an array of arrays. For example:
+
+            unless => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
+
         This `exec` would only run if every command in the array has a
         non-zero exit code.
       EOT
@@ -510,10 +530,17 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
+        Since this command is used in the process of determining whether the
+        `exec` is already in sync, it must be run during a noop Puppet run.
+
         This parameter can also take an array of commands. For example:
 
             onlyif => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
+        or an array of arrays. For example:
+
+            onlyif => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
+
         This `exec` would only run if every command in the array has an
         exit code of 0 (success).
       EOT
@@ -562,12 +589,14 @@ module Puppet
       reqs << self[:cwd] if self[:cwd]
 
       file_regex = Puppet::Util::Platform.windows? ? %r{^([a-zA-Z]:[\\/]\S+)} : %r{^(/\S+)}
+      cmd = self[:command]
+      cmd = cmd[0] if cmd.is_a? Array
 
-      self[:command].scan(file_regex) { |str|
+      cmd.scan(file_regex) { |str|
         reqs << str
       }
 
-      self[:command].scan(/^"([^"]+)"/) { |str|
+      cmd.scan(/^"([^"]+)"/) { |str|
         reqs << str
       }
 
@@ -583,6 +612,7 @@ module Puppet
           # fully qualified.  It might not be a bad idea to add
           # unqualified files, but, well, that's a bit more annoying
           # to do.
+          line = line[0] if line.is_a? Array
           reqs += line.scan(file_regex)
         end
       }