puppet 6.23.0 → 7.0.0

data/lib/puppet/provider/service/systemd.rb

@@ -30,7 +30,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   def self.instances
     i = []
     output = systemctl('list-unit-files', '--type', 'service', '--full', '--all',  '--no-pager')
-    output.scan(/^(\S+)\s+(disabled|enabled|masked|indirect|bad|static)\s*([^-]\S+)?\s*$/i).each do |m|
+    output.scan(/^(\S+)\s+(disabled|enabled|masked|indirect|bad|static)\s*$/i).each do |m|
       Puppet.debug("#{m[0]} marked as bad by `systemctl`. It is recommended to be further checked.") if m[1] == "bad"
       i << new(:name => m[0])
     end
@@ -45,13 +45,8 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   def enabled_insync?(current)
     case cached_enabled?[:output]
     when 'static'
-      # masking static services is OK, but enabling/disabling them is not
-      if @resource[:enable] == :mask
-        current == @resource[:enable]
-      else
-        Puppet.debug("Unable to enable or disable static service #{@resource[:name]}")
-        return true
-      end
+      Puppet.debug("Unable to enable or disable static service #{@resource[:name]}")
+      return true
     when 'indirect'
       Puppet.debug("Service #{@resource[:name]} is in 'indirect' state and cannot be enabled/disabled")
       return true
@@ -164,15 +159,10 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   end
 
   def mask
-    disable if exist?
+    self.disable
     systemctl_change_enable(:mask)
   end
 
-  def exist?
-    result = execute([command(:systemctl), 'cat', '--', @resource[:name]], :failonfail => false)
-    result.exitstatus == 0
-  end
-
   def unmask
     systemctl_change_enable(:unmask)
   end

data/lib/puppet/provider/service/windows.rb

@@ -128,55 +128,17 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
     services
   end
 
-  def logonaccount_insync?(current)
-    @normalized_logon_account ||= normalize_logonaccount
-    @resource[:logonaccount] = @normalized_logon_account
-
-    insync = @resource[:logonaccount] == current
-    self.logonpassword = @resource[:logonpassword] if insync
-    insync
-  end
-
   def logonaccount
     return unless Puppet::Util::Windows::Service.exists?(@resource[:name])
     Puppet::Util::Windows::Service.logon_account(@resource[:name])
   end
 
   def logonaccount=(value)
-    validate_logon_credentials
     Puppet::Util::Windows::Service.set_startup_configuration(@resource[:name], options: {logon_account: value, logon_password: @resource[:logonpassword]})
     restart if @resource[:ensure] == :running && [:running, :paused].include?(status)
   end
 
   def logonpassword=(value)
-    validate_logon_credentials
     Puppet::Util::Windows::Service.set_startup_configuration(@resource[:name], options: {logon_password: value})
   end
-
-  private
-
-  def normalize_logonaccount
-    logon_account = @resource[:logonaccount].sub(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
-    return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(logon_account)
-
-    @logonaccount_information ||= Puppet::Util::Windows::SID.name_to_principal(logon_account)
-    return logon_account unless @logonaccount_information
-    return ".\\#{@logonaccount_information.account}" if @logonaccount_information.domain == Puppet::Util::Windows::ADSI.computer_name
-    @logonaccount_information.domain_account
-  end
-
-  def validate_logon_credentials
-    unless Puppet::Util::Windows::User::localsystem?(@normalized_logon_account)
-      raise Puppet::Error.new("\"#{@normalized_logon_account}\" is not a valid account") unless @logonaccount_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(@logonaccount_information.account_type)
-
-      user_rights = Puppet::Util::Windows::User::get_rights(@logonaccount_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(@normalized_logon_account)
-      raise Puppet::Error.new("\"#{@normalized_logon_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
-      raise Puppet::Error.new("\"#{@normalized_logon_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
-    end
-
-    is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@normalized_logon_account) || @normalized_logon_account == 'LocalSystem'
-    account_info = @normalized_logon_account.split("\\")
-    able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], @resource[:logonpassword], account_info[0]) unless is_a_predefined_local_account
-    raise Puppet::Error.new("The given password is invalid for user '#{@normalized_logon_account}'.") unless is_a_predefined_local_account || able_to_logon
-  end
 end

data/lib/puppet/provider/user/aix.rb

@@ -178,7 +178,7 @@ Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
       # does not have a password.
       break if line =~ /^\S+:$/
 
-      match_obj = /password\s+=\s+(\S+)/.match(line)
+      match_obj = /password = (\S+)/.match(line)
     end
     return :absent unless match_obj
 
@@ -211,7 +211,7 @@ Puppet::Type.type(:user).provide :aix, :parent => Puppet::Provider::AixObject do
       tempfile = Tempfile.new("puppet_#{user}_pw", :encoding => Encoding::ASCII)
       tempfile << "#{user}:#{value}\n"
       tempfile.close()
-
+  
       # Options '-e', '-c', use encrypted password and clear flags
       # Must receive "user:enc_password" as input
       # command, arguments = {:failonfail => true, :combine => true}

data/lib/puppet/provider/user/directoryservice.rb

@@ -435,7 +435,7 @@ Puppet::Type.type(:user).provide :directoryservice do
   ['home', 'uid', 'gid', 'comment', 'shell'].each do |setter_method|
     define_method("#{setter_method}=") do |value|
       if @property_hash[setter_method.intern]
-        if %w(home uid).include?(setter_method)
+        if self.class.get_os_version.split('.').last.to_i >= 14 && %w(home uid).include?(setter_method)
           raise Puppet::Error, "OS X version #{self.class.get_os_version} does not allow changing #{setter_method} using puppet"
         end
         begin
@@ -536,14 +536,6 @@ Puppet::Type.type(:user).provide :directoryservice do
       if (shadow_hash_data.class == Hash) && (shadow_hash_data.has_key?('SALTED-SHA512'))
         shadow_hash_data.delete('SALTED-SHA512')
       end
-
-      # Starting with macOS 11 Big Sur, the AuthenticationAuthority field
-      # could be missing entirely and without it the managed user cannot log in
-      if needs_sha512_pbkdf2_authentication_authority_to_be_added?(users_plist)
-        Puppet.debug("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user '#{@resource.name}'")
-        merge_attribute_with_dscl('Users', @resource.name, 'AuthenticationAuthority', ERB::Util.html_escape(SHA512_PBKDF2_AUTHENTICATION_AUTHORITY))
-      end
-
       set_salted_pbkdf2(users_plist, shadow_hash_data, 'entropy', value)
     end
   end
@@ -570,17 +562,6 @@ Puppet::Type.type(:user).provide :directoryservice do
     end
   end
 
-  # This method will check if authentication_authority key of a user's plist
-  # needs SALTED_SHA512_PBKDF2 to be added. This is a valid case for macOS 11 (Big Sur)
-  # where users created with `dscl` started to have this field missing
-  def needs_sha512_pbkdf2_authentication_authority_to_be_added?(users_plist)
-    authority = users_plist['authentication_authority']
-    return false if Puppet::Util::Package.versioncmp(self.class.get_os_version, '11.0.0') < 0 && authority && authority.include?(SHA512_PBKDF2_AUTHENTICATION_AUTHORITY)
-
-    Puppet.debug("User '#{@resource.name}' is missing the 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash")
-    true
-  end
-
   # This method will embed the binary plist data comprising the user's
   # password hash (and Salt/Iterations value if the OS is 10.8 or greater)
   # into the ShadowHashData key of the user's plist.
@@ -591,7 +572,11 @@ Puppet::Type.type(:user).provide :directoryservice do
     else
       users_plist['ShadowHashData'] = [binary_plist]
     end
-    write_and_import_shadow_hash_data(users_plist['ShadowHashData'].first)
+    if Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.15') < 0
+      write_users_plist_to_disk(users_plist)
+    else
+      write_and_import_shadow_hash_data(users_plist['ShadowHashData'].first)
+    end
   end
 
   # This method writes the ShadowHashData plist in a temporary file,
@@ -667,17 +652,9 @@ Puppet::Type.type(:user).provide :directoryservice do
     set_shadow_hash_data(users_plist, binary_plist)
   end
 
-  # This is a simple wrapper method for writing values to a file.
-  def write_to_file(filename, value)
-    Puppet.deprecation_warning("Puppet::Type.type(:user).provider(:directoryservice).write_to_file is deprecated and will be removed in Puppet 5.")
-    begin
-      File.open(filename, 'w') { |f| f.write(value)}
-    rescue Errno::EACCES => detail
-      raise Puppet::Error, "Could not write to file #{filename}: #{detail}", detail.backtrace
-    end
+  # This method will accept a plist in XML format, save it to disk, convert
+  # the plist to a binary format, and flush the dscl cache.
+  def write_users_plist_to_disk(users_plist)
+    Puppet::Util::Plist.write_plist_file(users_plist, "#{users_plist_dir}/#{@resource.name}.plist", :binary)
   end
-
-  private
-
-  SHA512_PBKDF2_AUTHENTICATION_AUTHORITY = ';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>'
 end

data/lib/puppet/provider/user/useradd.rb

@@ -59,37 +59,23 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
      get(:uid)
   end
 
-  def gid
-     return localgid if @resource.forcelocal?
-     get(:gid)
-  end
-
   def comment
      return localcomment if @resource.forcelocal?
      get(:comment)
   end
 
-  def groups
-     return localgroups if @resource.forcelocal?
-     super
-  end
-
   def finduser(key, value)
-    passwd_file = '/etc/passwd'
+    passwd_file = "/etc/passwd"
     passwd_keys = [:account, :password, :uid, :gid, :gecos, :directory, :shell]
-
-    unless @users
-      unless Puppet::FileSystem.exist?(passwd_file)
-        raise Puppet::Error.new("Forcelocal set for user resource '#{resource[:name]}', but #{passwd_file} does not exist")
-      end
-
-      @users = []
-      Puppet::FileSystem.each_line(passwd_file) do |line|
-        user = line.chomp.split(':')
-        @users << Hash[passwd_keys.zip(user)]
+    index = passwd_keys.index(key)
+    @passwd_content ||= File.read(passwd_file)
+    @passwd_content.each_line do |line|
+      user = line.split(":")
+      if user[index] == value
+        return Hash[passwd_keys.zip(user)]
       end
     end
-    @users.find { |param| param[key] == value } || false
+    false
   end
 
   def local_username
@@ -102,56 +88,16 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     false
   end
 
-  def localgid
-    user = finduser(:account, resource[:name])
-    if user
-      begin
-        return Integer(user[:gid])
-      rescue ArgumentError
-        Puppet.debug("Non-numeric GID found in /etc/passwd for user #{resource[:name]}")
-        return user[:gid]
-      end
-    end
-    false
-  end
-
   def localcomment
     user = finduser(:account, resource[:name])
     user[:gecos]
   end
 
-  def localgroups
-    @groups_of ||= {}
-    group_file = '/etc/group'
-    user = resource[:name]
-
-    return @groups_of[user] if @groups_of[user]
-
-    @groups_of[user] = []
-
-    unless Puppet::FileSystem.exist?(group_file)
-      raise Puppet::Error.new("Forcelocal set for user resource '#{user}', but #{group_file} does not exist")
-    end
-
-    Puppet::FileSystem.each_line(group_file) do |line|
-      data = line.chomp.split(':')
-      if !data.empty? && data.last.split(',').include?(user)
-        @groups_of[user] << data.first
-      end
-    end
-
-    @groups_of[user]
-  end
-
   def shell=(value)
     check_valid_shell
     set(:shell, value)
   end
 
-  def groups=(value)
-    set(:groups, value)
-  end
-
   verify :gid, "GID must be an integer" do |value|
     value.is_a? Integer
   end

data/lib/puppet/reference/configuration.rb

@@ -24,6 +24,8 @@ config = Puppet::Util::Reference.newreference(:configuration, :depth => 1, :doc
     val = object.default
     if name.to_s == 'vardir'
       val = 'Unix/Linux: /opt/puppetlabs/puppet/cache -- Windows: C:\ProgramData\PuppetLabs\puppet\cache -- Non-root user: ~/.puppetlabs/opt/puppet/cache'
+    elsif name.to_s == 'publicdir'
+      val = 'Unix/Linux: /opt/puppetlabs/puppet/public -- Windows: C:\ProgramData\PuppetLabs\puppet\public -- Non-root user: ~/.puppetlabs/opt/puppet/public'
     elsif name.to_s == 'confdir'
       val = 'Unix/Linux: /etc/puppetlabs/puppet -- Windows: C:\ProgramData\PuppetLabs\puppet\etc -- Non-root user: ~/.puppetlabs/etc/puppet'
     elsif name.to_s == 'codedir'
@@ -41,7 +43,7 @@ config = Puppet::Util::Reference.newreference(:configuration, :depth => 1, :doc
     # Leave out the section information; it was apparently confusing people.
     #str << "- **Section**: #{object.section}\n"
     unless val == ""
-      str << "- *Default*: `#{val}`\n"
+      str << "- *Default*: #{val}\n"
     end
     str << "\n"
   end
@@ -55,12 +57,11 @@ config.header = <<EOT
 * Each of these settings can be specified in `puppet.conf` or on the
   command line.
 * Puppet Enterprise (PE) and open source Puppet share the configuration settings
-  documented here. However, PE defaults differ from open source defaults for some 
-  settings, such as `node_terminus`, `storeconfigs`, `always_retry_plugins`, 
-  `disable18n`, `environment_timeout` (when Code Manager is enabled), and the 
-  Puppet Server JRuby `max-active-instances` setting. To verify PE configuration 
-  defaults, check the `puppet.conf` or `pe-puppet-server.conf` file after 
-  installation.
+  that are documented here. However, PE defaults for some settings differ from
+  the open source Puppet defaults. Some examples of settings that have different
+  PE defaults include `disable18n`, `environment_timeout`, `always_retry_plugins`,
+  and the Puppet Server JRuby `max-active-instances` setting. To verify PE
+  configuration defaults, check the `puppet.conf` file after installation.
 * When using boolean settings on the command line, use `--setting` and
   `--no-setting` instead of `--setting (true|false)`. (Using `--setting false`
   results in "Error: Could not parse application options: needless argument".)

data/lib/puppet/reference/indirection.rb

@@ -46,7 +46,7 @@ An indirector has five methods, which are mapped into HTTP verbs for the REST in
 
 These methods are available via the `indirection` class method on the indirected classes.  For example:
 
-    foo_cert = Puppet::SSL::Certificate.indirection.find('foo.example.com')
+    node = Puppet::Node.indirection.find('foo.example.com')
 
 At startup, each indirection is configured with a terminus.
 In most cases, this is the default terminus defined by the indirected class, but it can be overridden by the application or face, or overridden with the `route_file` configuration.

data/lib/puppet/resource.rb

@@ -32,7 +32,6 @@ class Puppet::Resource
   ATTRIBUTES = [:file, :line, :exported].freeze
   TYPE_CLASS = 'Class'.freeze
   TYPE_NODE  = 'Node'.freeze
-  TYPE_SITE  = 'Site'.freeze
 
   PCORE_TYPE_KEY = '__ptype'.freeze
   VALUE_KEY = 'value'.freeze
@@ -340,29 +339,6 @@ class Puppet::Resource
     catalog ? catalog.resource(to_s) : nil
   end
 
-  # A resource is an application component if it exports or consumes
-  # one or more capabilities, or if it requires a capability resource
-  def is_application_component?
-    return true if ! export.empty? || self[:consume]
-    # Array(self[:require]) does not work for Puppet::Resource instances
-    req = self[:require] || []
-    req = [ req ] unless req.is_a?(Array)
-    req.any? { |r| r.is_capability? }
-  end
-
-  # A resource is a capability (instance) if its underlying type is a
-  # capability type
-  def is_capability?
-    !resource_type.nil? && resource_type.is_capability?
-  end
-
-  # Returns the value of the 'export' metaparam as an Array
-  # @api private
-  def export
-    v = self[:export] || []
-    v.is_a?(Array) ? v : [ v ]
-  end
-
   # The resource's type implementation
   # @return [Puppet::Type, Puppet::Resource::Type]
   # @api private
@@ -377,12 +353,11 @@ class Puppet::Resource
     case type
     when TYPE_CLASS; environment.known_resource_types.hostclass(title == :main ? "" : title)
     when TYPE_NODE; environment.known_resource_types.node(title)
-    when TYPE_SITE; environment.known_resource_types.site(nil)
     else
       result = Puppet::Type.type(type)
       if !result
         krt = environment.known_resource_types
-        result = krt.definition(type) || krt.application(type)
+        result = krt.definition(type)
       end
       result
     end
@@ -515,38 +490,6 @@ class Puppet::Resource
   end
   private :missing_arguments
 
-  # @deprecated Not used by Puppet
-  # @api private
-  def set_default_parameters(scope)
-    Puppet.deprecation_warning(_('The method Puppet::Resource.set_default_parameters is deprecated and will be removed in the next major release of Puppet.'))
-
-    return [] unless resource_type and resource_type.respond_to?(:arguments)
-
-    unless is_a?(Puppet::Parser::Resource)
-      fail Puppet::DevError, _("Cannot evaluate default parameters for %{resource} - not a parser resource") % { resource: self }
-    end
-
-    missing_arguments.collect do |param, default|
-      rtype = resource_type
-      if rtype.type == :hostclass
-        using_bound_value = false
-        catch(:no_such_key) do
-          bound_value = Puppet::Pops::Lookup.search_and_merge("#{rtype.name}::#{param}", Puppet::Pops::Lookup::Invocation.new(scope), nil)
-          # Assign bound value but don't let an undef trump a default expression
-          unless bound_value.nil? && !default.nil?
-            self[param.to_sym] = bound_value
-            using_bound_value = true
-          end
-        end
-      end
-      unless using_bound_value
-        next if default.nil?
-        self[param.to_sym] = default.safeevaluate(scope)
-      end
-      param
-    end.compact
-  end
-
   def copy_as_resource
     Puppet::Resource.new(self)
   end
@@ -555,37 +498,6 @@ class Puppet::Resource
     resource_type.valid_parameter?(name)
   end
 
-  # Verify that all required arguments are either present or
-  # have been provided with defaults.
-  # Must be called after 'set_default_parameters'.  We can't join the methods
-  # because Type#set_parameters needs specifically ordered behavior.
-  #
-  # @deprecated Not used by Puppet
-  # @api private
-  def validate_complete
-    Puppet.deprecation_warning(_('The method Puppet::Resource.validate_complete is deprecated and will be removed in the next major release of Puppet.'))
-
-    return unless resource_type and resource_type.respond_to?(:arguments)
-
-    resource_type.arguments.each do |param, default|
-      param = param.to_sym
-      fail Puppet::ParseError, _("Must pass %{param} to %{resource}") % { param: param, resource: self } unless parameters.include?(param)
-    end
-
-    # Perform optional type checking
-    arg_types = resource_type.argument_types
-    # Parameters is a map from name, to parameter, and the parameter again has name and value
-    parameters.each do |name, value|
-      t = arg_types[name.to_s] # untyped, and parameters are symbols here (aargh, strings in the type)
-      next unless t
-      unless Puppet::Pops::Types::TypeCalculator.instance?(t, value.value)
-        inferred_type = Puppet::Pops::Types::TypeCalculator.infer_set(value.value)
-        actual = inferred_type.generalize()
-        fail Puppet::ParseError, _("Expected parameter '%{name}' of '%{value0}' to have type %{value1}, got %{value2}") % { name: name, value0: self, value1: t.to_s, value2: actual.to_s }
-      end
-    end
-  end
-
   def validate_parameter(name)
     raise Puppet::ParseError.new(_("no parameter named '%{name}'") % { name: name }, file, line) unless valid_parameter?(name)
   end