puppet 6.23.0 → 7.0.0

data/lib/puppet/type/file/checksum.rb

@@ -7,7 +7,7 @@ Puppet::Type.type(:file).newparam(:checksum) do
 
   desc "The checksum type to use when determining whether to replace a file's contents.
 
-    The default checksum type is md5."
+    The default checksum type is #{Puppet.default_digest_algorithm}."
 
   newvalues(*Puppet::Util::Checksums.known_checksum_types)
 

data/lib/puppet/type/file/selcontext.rb

@@ -42,7 +42,7 @@ module Puppet
         return nil
       end
 
-      context = self.get_selinux_default_context(@resource[:path], @resource[:ensure])
+      context = self.get_selinux_default_context(@resource[:path])
       unless context
         return nil
       end

data/lib/puppet/type/file/source.rb

@@ -340,7 +340,7 @@ module Puppet
 
     def handle_response_error(response)
       message = "Error #{response.code} on SERVER: #{response.body.empty? ? response.reason : response.body}"
-      raise Net::HTTPError.new(message, response.nethttp)
+      raise Net::HTTPError.new(message, Puppet::HTTP::ResponseConverter.to_ruby_response(response))
     end
   end
 

data/lib/puppet/type/filebucket.rb

@@ -5,7 +5,7 @@ module Puppet
     @doc = <<-EOT
       A repository for storing and retrieving file content by MD5 checksum. Can
       be local to each agent node, or centralized on a puppet master server. All
-      puppet masters provide a filebucket service that agent nodes can access
+      puppet servers provide a filebucket service that agent nodes can access
       via HTTP, but you must declare a filebucket resource before any agents
       will do so.
 
@@ -30,9 +30,9 @@ module Puppet
 
           File { backup => main, }
 
-      Puppet master servers automatically provide the filebucket service, so
+      Puppet Servers automatically provide the filebucket service, so
       this will work in a default configuration. If you have a heavily
-      restricted `auth.conf` file, you may need to allow access to the
+      restricted Puppet Server `auth.conf` file, you may need to allow access to the
       `file_bucket_file` endpoint.
     EOT
 

data/lib/puppet/type/package.rb

@@ -106,10 +106,6 @@ module Puppet
         provider.purge
       end
 
-      newvalue(:held, :event => :package_held, :required_features => :holdable) do
-        provider.deprecated_hold
-      end
-
       newvalue(:disabled, :required_features => :disableable) do
         provider.disable
       end
@@ -161,7 +157,7 @@ module Puppet
         @should.each { |should|
           case should
           when :present
-            return true unless [:absent, :purged, :held, :disabled].include?(is)
+            return true unless [:absent, :purged, :disabled].include?(is)
           when :latest
             # Short-circuit packages that are not present
             return false if is == :absent || is == :purged
@@ -426,10 +422,10 @@ module Puppet
     end
 
     newparam(:source) do
-      desc "Where to find the package file. This is mostly used by providers that don't
+      desc "Where to find the package file. This is only used by providers that don't
         automatically download packages from a central repository. (For example:
-        the `yum` provider ignores this attribute, `apt` provider uses it if present
-        and the `rpm` and `dpkg` providers require it.)
+        the `yum` and `apt` providers ignore this attribute, but the `rpm` and
+        `dpkg` providers require it.)
 
         Different providers accept different values for `source`. Most providers
         accept paths to local files stored on the target system. Some providers
@@ -657,8 +653,7 @@ module Puppet
       if provider.reinstallable? &&
         @parameters[:reinstall_on_refresh].value == :true &&
         @parameters[:ensure].value != :purged &&
-        @parameters[:ensure].value != :absent &&
-        @parameters[:ensure].value != :held
+        @parameters[:ensure].value != :absent
 
         provider.reinstall
       end
@@ -673,7 +668,7 @@ module Puppet
         Default is "none". Mark can be specified with or without `ensure`,
         if `ensure` is missing will default to "present".
 
-        Mark cannot be specified together with "purged", "absent" or "held"
+        Mark cannot be specified together with "purged", or "absent"
         values for `ensure`.
       EOT
       newvalues(:hold, :none)
@@ -710,11 +705,8 @@ module Puppet
     end
 
     validate do
-      if :held == @parameters[:ensure].should
-        warning '"ensure=>held" has been deprecated and will be removed in a future version, use "mark=hold" instead'
-      end
-      if @parameters[:mark] && [:absent, :purged, :held].include?(@parameters[:ensure].should)
-        raise ArgumentError, _('You cannot use "mark" property while "ensure" is one of ["absent", "purged", "held"]')
+      if @parameters[:mark] && [:absent, :purged].include?(@parameters[:ensure].should)
+        raise ArgumentError, _('You cannot use "mark" property while "ensure" is one of ["absent", "purged"]')
       end
     end
   end

data/lib/puppet/type/service.rb

@@ -38,12 +38,6 @@ module Puppet
     feature :enableable, "The provider can enable and disable the service.",
       :methods => [:disable, :enable, :enabled?]
 
-    feature :delayed_startable, "The provider can set service to delayed start",
-      :methods => [:delayed_start]
-
-    feature :manual_startable, "The provider can set service to manual start",
-      :methods => [:manual_start]
-
     feature :controllable, "The provider uses a control variable."
 
     feature :flaggable, "The provider can pass flags to the service."
@@ -73,7 +67,7 @@ module Puppet
         provider.disable
       end
 
-      newvalue(:manual, :event => :service_manual_start, :required_features => :manual_startable) do
+      newvalue(:manual, :event => :service_manual_start) do
         provider.manual_start
       end
 
@@ -87,7 +81,8 @@ module Puppet
         provider.enabled?
       end
 
-      newvalue(:delayed, :event => :service_delayed_start, :required_features => :delayed_startable) do
+      # This only works on Windows systems.
+      newvalue(:delayed, :event => :service_delayed_start) do
         provider.delayed_start
       end
 
@@ -95,6 +90,12 @@ module Puppet
         return provider.enabled_insync?(current) if provider.respond_to?(:enabled_insync?)
         super(current)
       end
+
+      validate do |value|
+        if (value == :manual || value == :delayed) && !Puppet::Util::Platform.windows?
+          raise Puppet::Error.new(_("Setting enable to %{value} is only supported on Microsoft Windows.") % { value: value.to_s} )
+        end
+      end
     end
 
     # Handle whether the service should actually be running right now.
@@ -138,9 +139,23 @@ module Puppet
     newproperty(:logonaccount, :required_features => :manages_logon_credentials) do
       desc "Specify an account for service logon"
 
-      def insync?(current)
-        return provider.logonaccount_insync?(current) if provider.respond_to?(:logonaccount_insync?)
-        super(current)
+      munge do |value|
+        return value unless Puppet::Util::Platform.windows?
+        return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(value)
+
+        value.sub!(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
+        user_information = Puppet::Util::Windows::SID.name_to_principal(value)
+        raise Puppet::Error.new("\"#{value}\" is not a valid account") unless user_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(user_information.account_type)
+
+        user_rights = Puppet::Util::Windows::User::get_rights(user_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(value)
+        raise Puppet::Error.new("\"#{user_information.domain_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
+        raise Puppet::Error.new("\"#{user_information.domain_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
+
+        if user_information.domain == Puppet::Util::Windows::ADSI.computer_name
+          ".\\#{user_information.account}"
+        else
+          user_information.domain_account
+        end
       end
     end
 
@@ -148,7 +163,18 @@ module Puppet
       desc "Specify a password for service logon. Default value is an empty string (when logonaccount is specified)."
 
       validate do |value|
-        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) && value.include?(":")
+        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.") unless @resource[:logonaccount]
+        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) and value.include?(":")
+        return unless Puppet::Util::Platform.windows?
+
+        is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@resource[:logonaccount]) || @resource[:logonaccount] == 'LocalSystem'
+
+        account_info = @resource[:logonaccount].split("\\")
+        able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], value, account_info[0]) unless is_a_predefined_local_account
+
+        raise Puppet::Error.new("The given password is invalid for user '#{@resource[:logonaccount]}'.") unless is_a_predefined_local_account || able_to_logon
+
+        provider.logonpassword=(value)
       end
 
       sensitive true
@@ -294,11 +320,5 @@ module Puppet
     def self.needs_ensure_retrieved
       false
     end
-
-    validate do
-      if @parameters[:logonpassword] && @parameters[:logonaccount].nil?
-        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.")
-      end
-    end
   end
 end

data/lib/puppet/type/tidy.rb

@@ -50,22 +50,6 @@ Puppet::Type.newtype(:tidy) do
     end
   end
 
-  newparam(:max_files) do
-    desc "In case the resource is a directory and the recursion is enabled, puppet will
-      generate a new resource for each file file found, possible leading to
-      an excessive number of resources generated without any control.
-
-      Setting `max_files` will check the number of file resources that
-      will eventually be created and will raise a resource argument error if the
-      limit will be exceeded.
-
-      Use value `0` to disable the check. In this case, a warning is logged if
-      the number of files exceeds 1000."
-
-    defaultto 0
-    newvalues(/^[0-9]+$/)
-  end
-
   newparam(:matches) do
     desc <<-'EOT'
       One or more (shell type) file glob patterns, which restrict
@@ -272,12 +256,9 @@ Puppet::Type.newtype(:tidy) do
 
     case self[:recurse]
     when Integer, /^\d+$/
-      parameter = { :max_files => self[:max_files],
-                    :recurse => true,
-                    :recurselimit => self[:recurse] }
+      parameter = { :recurse => true, :recurselimit => self[:recurse] }
     when true, :true, :inf
-      parameter = { :max_files => self[:max_files],
-                    :recurse => true }
+      parameter = { :recurse => true }
     end
 
     if parameter

data/lib/puppet/type/user.rb

@@ -67,7 +67,6 @@ module Puppet
     newproperty(:ensure, :parent => Puppet::Property::Ensure) do
       newvalue(:present, :event => :user_created) do
         provider.create
-        @resource.generate
       end
 
       newvalue(:absent, :event => :user_removed) do
@@ -696,7 +695,6 @@ module Puppet
 
     def generate
       if !self[:purge_ssh_keys].empty?
-        return [] if self[:ensure] == :present && !provider.exists? 
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
         else
@@ -745,6 +743,25 @@ module Puppet
         end
         raise ArgumentError, _("purge_ssh_keys must be true, false, or an array of file names, not %{value}") % { value: value.inspect }
       end
+
+      munge do |value|
+        # Resolve string, boolean and symbol forms of true and false to a
+        # single representation.
+        test_sym = value.to_s.intern
+        value = test_sym if [:true, :false].include? test_sym
+
+        return [] if value == :false
+        home = resource[:home] || Dir.home(resource[:name])
+
+        return [ "#{home}/.ssh/authorized_keys" ] if value == :true
+        # value is an array - munge each value
+        [ value ].flatten.map do |entry|
+          # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
+          entry = entry.gsub(/^~\//, "#{home}/")
+          entry.gsub!(/^%h\//, "#{home}/")
+          entry
+        end
+      end
     end
 
     newproperty(:loginclass, :required_features => :manages_loginclass) do
@@ -766,7 +783,7 @@ module Puppet
     # @see generate
     # @api private
     def find_unmanaged_keys
-      munged_unmanaged_keys.
+      self[:purge_ssh_keys].
         select { |f| File.readable?(f) }.
         map { |f| unknown_keys_in_file(f) }.
         flatten.each do |res|
@@ -778,41 +795,6 @@ module Puppet
         end
     end
 
-    def munged_unmanaged_keys
-      value = self[:purge_ssh_keys]
-
-      # Resolve string, boolean and symbol forms of true and false to a
-      # single representation.
-      test_sym = value.to_s.intern
-      value = test_sym if [:true, :false].include? test_sym
-
-      return [] if value == :false
-
-      home = self[:home]
-      begin
-        home ||= provider.home
-      rescue
-        Puppet.debug("User '#{self[:name]}' does not exist")
-      end
-
-      if home.to_s.empty? || !Dir.exist?(home.to_s)
-        if value == :true || [ value ].flatten.any? { |v| v.start_with?('~/', '%h/') }
-          Puppet.debug("User '#{self[:name]}' has no home directory set to purge ssh keys from.")
-          return []
-        end
-      end
-
-      return [ "#{home}/.ssh/authorized_keys" ] if value == :true
-
-      # value is an array - munge each value
-      [ value ].flatten.map do |entry|
-        # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
-        entry = entry.gsub(/^~\//, "#{home}/")
-        entry.gsub!(/^%h\//, "#{home}/")
-        entry
-      end
-    end
-
     # Parse an ssh authorized keys file superficially, extract the comments
     # on the keys. These are considered names of possible ssh_authorized_keys
     # resources. Keys that are managed by the present catalog are ignored.

data/lib/puppet/util/autoload.rb

@@ -166,7 +166,14 @@ class Puppet::Util::Autoload
     # Normalize a path. This converts ALT_SEPARATOR to SEPARATOR on Windows
     # and eliminates unnecessary parts of a path.
     def cleanpath(path)
-      Pathname.new(path).cleanpath.to_s
+      # There are two cases here because cleanpath does not handle absolute
+      # paths correctly on windows (c:\ and c:/ are treated as distinct) but
+      # we don't want to convert relative paths to absolute
+      if Puppet::Util.absolute_path?(path)
+        File.expand_path(path)
+      else
+        Pathname.new(path).cleanpath.to_s
+      end
     end
   end
 

data/lib/puppet/util/execution.rb

@@ -94,17 +94,6 @@ module Puppet::Util::Execution
   end
   private_class_method :exitstatus
 
-  # Wraps execution of {execute} with mapping of exception to given exception (and output as argument).
-  # @raise [exception] under same conditions as {execute}, but raises the given `exception` with the output as argument
-  # @return (see execute)
-  # @api public
-  # @deprecated
-  def self.execfail(command, exception)
-    execute(command)
-  rescue Puppet::ExecutionFailure => detail
-    raise exception, detail.message, detail.backtrace
-  end
-
   # Default empty options for {execute}
   NoOptionsSpecified = {}
 

data/lib/puppet/util/http_proxy.rb

@@ -1,217 +1,4 @@
-require 'uri'
-require 'puppet/ssl/openssl_loader'
 require 'puppet/http'
 
-module Puppet::Util::HttpProxy
-  def self.proxy(uri)
-    if http_proxy_host && !no_proxy?(uri)
-      Net::HTTP.new(uri.host, uri.port, self.http_proxy_host, self.http_proxy_port, self.http_proxy_user, self.http_proxy_password)
-    else
-      http = Net::HTTP.new(uri.host, uri.port, nil, nil, nil, nil)
-      # Net::HTTP defaults the proxy port even though we said not to
-      # use one. Set it to nil so caller is not surprised
-      http.proxy_port = nil
-      http
-    end
-  end
-
-  def self.http_proxy_env
-    # Returns a URI object if proxy is set, or nil
-    proxy_env = ENV["http_proxy"] || ENV["HTTP_PROXY"]
-    begin
-      return URI.parse(proxy_env) if proxy_env
-    rescue URI::InvalidURIError
-      return nil
-    end
-    return nil
-  end
-
-  # The documentation around the format of the no_proxy variable seems
-  # inconsistent.  Some suggests the use of the * as a way of matching any
-  # hosts under a domain, e.g.:
-  #   *.example.com
-  # Other documentation suggests that just a leading '.' indicates a domain
-  # level exclusion, e.g.:
-  #   .example.com
-  # We'll accommodate both here.
-  def self.no_proxy?(dest)
-    no_proxy = self.no_proxy
-    unless no_proxy
-      return false
-    end
-
-    unless dest.is_a? URI
-      begin
-        dest = URI.parse(dest)
-      rescue URI::InvalidURIError
-        return false
-      end
-    end
-
-    no_proxy.split(/\s*,\s*/).each do |d|
-      host, port = d.split(':')
-      host = Regexp.escape(host).gsub('\*', '.*')
-
-      #If this no_proxy entry specifies a port, we want to match it against
-      #the destination port.  Otherwise just match hosts.
-      if port
-        no_proxy_regex  = %r(#{host}:#{port}$)
-        dest_string     = "#{dest.host}:#{dest.port}"
-      else
-        no_proxy_regex  = %r(#{host}$)
-        dest_string     = "#{dest.host}"
-      end
-
-      if no_proxy_regex.match(dest_string)
-        return true
-      end
-    end
-
-    return false
-  end
-
-  def self.http_proxy_host
-    env = self.http_proxy_env
-
-    if env and env.host
-      return env.host
-    end
-
-    if Puppet.settings[:http_proxy_host] == 'none'
-      return nil
-    end
-
-    return Puppet.settings[:http_proxy_host]
-  end
-
-  def self.http_proxy_port
-    env = self.http_proxy_env
-
-    if env and env.port
-      return env.port
-    end
-
-    return Puppet.settings[:http_proxy_port]
-  end
-
-  def self.http_proxy_user
-    env = self.http_proxy_env
-
-    if env and env.user
-      return env.user
-    end
-
-    if Puppet.settings[:http_proxy_user] == 'none'
-      return nil
-    end
-
-    return Puppet.settings[:http_proxy_user]
-  end
-
-  def self.http_proxy_password
-    env = self.http_proxy_env
-
-    if env and env.password
-      return env.password
-    end
-
-    if Puppet.settings[:http_proxy_user] == 'none' or Puppet.settings[:http_proxy_password] == 'none'
-      return nil
-    end
-
-    return Puppet.settings[:http_proxy_password]
-  end
-
-  def self.no_proxy
-    no_proxy_env = ENV["no_proxy"] || ENV["NO_PROXY"]
-
-    if no_proxy_env
-      return no_proxy_env
-    end
-
-    if Puppet.settings[:no_proxy] == 'none'
-      return nil
-    end
-
-    return Puppet.settings[:no_proxy]
-  end
-
-  # Return a Net::HTTP::Proxy object.
-  #
-  # This method optionally configures SSL correctly if the URI scheme is
-  # 'https', including setting up the root certificate store so remote server
-  # SSL certificates can be validated.
-  #
-  # @param [URI] uri The URI that is to be accessed.
-  # @return [Net::HTTP::Proxy] object constructed tailored for the passed URI
-  def self.get_http_object(uri)
-    proxy = proxy(uri)
-
-    if uri.scheme == 'https'
-      cert_store = OpenSSL::X509::Store.new
-      cert_store.set_default_paths
-
-      proxy.use_ssl = true
-      proxy.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      proxy.cert_store = cert_store
-    end
-
-    if Puppet[:http_debug]
-      proxy.set_debug_output($stderr)
-    end
-
-    proxy.open_timeout = Puppet[:http_connect_timeout]
-    proxy.read_timeout = Puppet[:http_read_timeout]
-
-    proxy
-  end
-
-  # Retrieve a document through HTTP(s), following redirects if necessary. The
-  # returned response body may be compressed, and it is the caller's
-  # responsibility to decompress it based on the 'content-encoding' header.
-  #
-  # Based on the the client implementation in the HTTP pool.
-  #
-  # @see Puppet::Network::HTTP::Connection#request_with_redirects
-  #
-  # @param [URI] uri The address of the resource to retrieve.
-  # @param [symbol] method The name of the Net::HTTP method to use, typically :get, :head, :post etc.
-  # @param [FixNum] redirect_limit The number of redirections that can be followed.
-  # @return [Net::HTTPResponse] a response object
-  def self.request_with_redirects(uri, method, redirect_limit = 10, &block)
-    current_uri = uri
-    response = nil
-
-    0.upto(redirect_limit) do |redirection|
-      proxy = get_http_object(current_uri)
-
-      headers = { 'Accept' => '*/*', 'User-Agent' => Puppet[:http_user_agent] }
-      if Puppet.features.zlib?
-        headers["Accept-Encoding"] = Puppet::HTTP::ACCEPT_ENCODING
-      end
-
-      response = proxy.send(:head, current_uri, headers)
-      Puppet.debug("HTTP HEAD request to #{current_uri} returned #{response.code} #{response.message}")
-
-      if [301, 302, 307].include?(response.code.to_i)
-        # handle the redirection
-        current_uri = URI.parse(response['location'])
-        next
-      end
-
-      if method != :head
-        if block_given?
-          response = proxy.send("request_#{method}".to_sym, current_uri, headers, &block)
-        else
-          response = proxy.send(method, current_uri, headers)
-        end
-
-        Puppet.debug("HTTP #{method.to_s.upcase} request to #{current_uri} returned #{response.code} #{response.message}")
-      end
-
-      return response
-    end
-
-    raise RedirectionLimitExceededException, _("Too many HTTP redirections for %{uri}") % { uri: uri }
-  end
-end
+# for backwards compatibility
+Puppet::Util::HttpProxy = Puppet::HTTP::Proxy