puppet 6.23.0 → 7.0.0

data/spec/unit/type/file/source_spec.rb

@@ -1,7 +1,6 @@
 require 'spec_helper'
 require 'uri'
 require 'puppet/network/http_pool'
-#require 'puppet/network/resolver'
 
 describe Puppet::Type.type(:file).attrclass(:source), :uses_checksums => true do
   include PuppetSpec::Files

data/spec/unit/type/file_spec.rb

@@ -1,3 +1,4 @@
+# coding: utf-8
 require 'spec_helper'
 
 describe Puppet::Type.type(:file) do
@@ -133,6 +134,10 @@ describe Puppet::Type.type(:file) do
   end
 
   describe "the backup parameter" do
+    it 'should be disabled by default' do
+      expect(file[:backup]).to eq(nil)
+    end
+
     [false, 'false', :false].each do |value|
       it "should disable backup if the value is #{value.inspect}" do
         file[:backup] = value
@@ -344,6 +349,12 @@ describe Puppet::Type.type(:file) do
   end
 
   describe "#flush" do
+    it "should flush all properties that respond to :flush" do
+      file[:source] = File.expand_path(__FILE__)
+      expect(file.parameter(:source)).to receive(:flush)
+      file.flush
+    end
+
     it "should reset its stat reference" do
       FileUtils.touch(path)
       stat1 = file.stat
@@ -768,7 +779,7 @@ describe Puppet::Type.type(:file) do
     it "should set the checksum parameter based on the metadata" do
       allow(file).to receive(:perform_recursion).and_return([@first])
       allow(@resource).to receive(:[]=)
-      expect(@resource).to receive(:[]=).with(:checksum, "md5")
+      expect(@resource).to receive(:[]=).with(:checksum, "sha256")
       file.recurse_remote("first" => @resource)
     end
 
@@ -804,7 +815,7 @@ describe Puppet::Type.type(:file) do
       allow(file).to receive(:perform_recursion).and_return([@first])
 
       allow(file).to receive(:[]=)
-      expect(file). to receive(:[]=).with(:checksum, "md5")
+      expect(file). to receive(:[]=).with(:checksum, "sha256")
 
       file.recurse_remote("first" => @resource)
     end
@@ -922,7 +933,7 @@ describe Puppet::Type.type(:file) do
     end
 
     it "should fail if it can't backup the file" do
-      # Default: file[:backup] = true
+      file[:backup] = true
       allow(file).to receive(:stat).and_return(double('stat', :ftype => 'file'))
       allow(file).to receive(:perform_backup).and_return(false)
 
@@ -931,7 +942,7 @@ describe Puppet::Type.type(:file) do
 
     describe "backing up directories" do
       it "should not backup directories if backup is true and force is false" do
-        # Default: file[:backup] = true
+        file[:backup] = true
         file[:force] = false
         allow(file).to receive(:stat).and_return(double('stat', :ftype => 'directory'))
 
@@ -941,7 +952,7 @@ describe Puppet::Type.type(:file) do
       end
 
       it "should backup directories if backup is true and force is true" do
-        # Default: file[:backup] = true
+        file[:backup] = true
         file[:force] = true
         allow(file).to receive(:stat).and_return(double('stat', :ftype => 'directory'))
 
@@ -968,7 +979,7 @@ describe Puppet::Type.type(:file) do
     end
 
     it "should remove a directory if backup is true and force is true" do
-      # Default: file[:backup] = true
+      file[:backup] = true
       file[:force] = true
       allow(file).to receive(:stat).and_return(double('stat', :ftype => 'directory'))
 
@@ -1000,6 +1011,7 @@ describe Puppet::Type.type(:file) do
     end
 
     it "should fail if the file is not a directory, link, file, fifo, socket, or is unknown" do
+      file[:backup] = 'puppet'
       allow(file).to receive(:stat).and_return(double('stat', :ftype => 'blockSpecial'))
 
       expect(file).to receive(:warning).with("Could not back up file of type blockSpecial")

data/spec/unit/type/group_spec.rb

@@ -60,12 +60,9 @@ describe Puppet::Type.type(:group) do
   end
 
   it "delegates the existence check to its provider" do
-    provider = @class.provide(:testing) do
-      def exists?
-        true
-      end
-    end
+    provider = @class.provide(:testing) {}
     provider_instance = provider.new
+    expect(provider_instance).to receive(:exists?).and_return(true)
 
     type = @class.new(:name => "group", :provider => provider_instance)
 
@@ -80,24 +77,20 @@ describe Puppet::Type.type(:group) do
         def members
           []
         end
-
-        def members_insync?(current, should)
-          current == should
-        end
-
-        def members_to_s(values)
-          values.map { |v| "#{v} ()" }.join(', ')
-        end
       end
     end
     let (:provider_instance) { provider.new }
     let (:type) { @class.new(:name => "group", :provider => provider_instance, :members => ['user1']) }
 
     it "insync? calls members_insync?" do
+      expect(provider_instance).to receive(:members_insync?).with(['user1'], ['user1']).and_return(true)
       expect(type.property(:members).insync?(['user1'])).to be_truthy
     end
 
     it "is_to_s and should_to_s call members_to_s" do
+      expect(provider_instance).to receive(:members_to_s).with(['user1', 'user2']).and_return("user1 (), user2 ()")
+      expect(provider_instance).to receive(:members_to_s).with(['user1']).and_return("user1 ()")
+
       expect(type.property(:members).is_to_s('user1')).to eq('user1 ()')
       expect(type.property(:members).should_to_s('user1,user2')).to eq('user1 (), user2 ()')
     end

data/spec/unit/type/package_spec.rb

@@ -349,7 +349,7 @@ describe Puppet::Type.type(:package) do
         end
       end
 
-      [:purged, :absent, :held].each do |state|
+      [:purged, :absent].each do |state|
         it "should not reinstall if it should be #{state.to_s} and reinstall_on_refresh is true" do
           @package[:ensure] = state
           allow(@provider).to receive(:reinstallable?).and_return(true)

data/spec/unit/type/resources_spec.rb

@@ -6,9 +6,6 @@ Puppet::Type.newtype(:purgeable_test) do
   newparam(:name) {}
 end
 Puppet::Type.type(:purgeable_test).provide(:purgeable_test) do
-  def self.instances
-    []
-  end
 end
 
 resources = Puppet::Type.type(:resources)
@@ -49,16 +46,19 @@ describe resources do
     end
 
     it "cannot be set to true for a resource type that does not accept ensure" do
-      allow(instance.resource_type).to receive(:validproperty?).with(:ensure).and_return(false)
-      expect { instance[:purge] = 'yes' }.to raise_error Puppet::Error, /Purging is only supported on types that accept 'ensure'/
+      allow(instance.resource_type).to receive(:respond_to?).and_return(true)
+      allow(instance.resource_type).to receive(:validproperty?).and_return(false)
+      expect { instance[:purge] = 'yes' }.to raise_error Puppet::Error
     end
 
     it "cannot be set to true for a resource type that does not have instances" do
-      allow(instance.resource_type).to receive(:respond_to?).with(:instances).and_return(false)
-      expect { instance[:purge] = 'yes' }.to raise_error Puppet::Error, /Purging resources of type file is not supported/
+      allow(instance.resource_type).to receive(:respond_to?).and_return(false)
+      allow(instance.resource_type).to receive(:validproperty?).and_return(true)
+      expect { instance[:purge] = 'yes' }.to raise_error Puppet::Error
     end
 
     it "can be set to true for a resource type that has instances and can accept ensure" do
+      allow(instance.resource_type).to receive(:respond_to?).and_return(true)
       allow(instance.resource_type).to receive(:validproperty?).and_return(true)
       expect { instance[:purge] = 'yes' }.to_not raise_error
     end

data/spec/unit/type/service_spec.rb

@@ -72,65 +72,50 @@ describe test_title, "when validating attribute values" do
       allow(@provider.class).to receive(:supports_parameter?).and_return(true)
     end
 
-    describe "for value without required features" do
-      before :each do
-        allow(@provider).to receive(:satisfies?)
-      end
-
-      it "should not support :mask as a value" do
-        expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :mask) }.to raise_error(
-          Puppet::ResourceError,
-          /Provider .+ must have features 'maskable' to set 'enable' to 'mask'/
-        )
-      end
+    it "should support :true as a value" do
+      srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :true)
+      expect(srv.should(:enable)).to eq(:true)
+    end
 
-      it "should not support :manual as a value" do
-        expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :manual) }.to raise_error(
-          Puppet::ResourceError,
-          /Provider .+ must have features 'manual_startable' to set 'enable' to 'manual'/
-        )
-      end
+    it "should support :false as a value" do
+      srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :false)
+      expect(srv.should(:enable)).to eq(:false)
+    end
 
-      it "should not support :mask as a value" do
-        expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed) }.to raise_error(
-          Puppet::ResourceError,
-          /Provider .+ must have features 'delayed_startable' to set 'enable' to 'delayed'/
-        )
-      end
+    it "should support :mask as a value" do
+      srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :mask)
+      expect(srv.should(:enable)).to eq(:mask)
     end
 
-    describe "for value with required features" do
-      before :each do
-        allow(@provider).to receive(:satisfies?).and_return(:true)
-      end
+    it "should support :manual as a value on Windows" do
+      allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
+      srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :manual)
+      expect(srv.should(:enable)).to eq(:manual)
+    end
 
-      it "should support :true as a value" do
-        srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :true)
-        expect(srv.should(:enable)).to eq(:true)
-      end
+    it "should support :delayed as a value on Windows" do
+      allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
 
-      it "should support :false as a value" do
-        srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :false)
-        expect(srv.should(:enable)).to eq(:false)
-      end
+      srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed)
+      expect(srv.should(:enable)).to eq(:delayed)
+    end
 
-      it "should support :mask as a value" do
-        srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :mask)
-        expect(srv.should(:enable)).to eq(:mask)
-      end
+    it "should not support :manual as a value when not on Windows" do
+      allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
 
-      it "should support :manual as a value on Windows" do
-        allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
-        srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :manual)
-        expect(srv.should(:enable)).to eq(:manual)
-      end
+      expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :manual) }.to raise_error(
+        Puppet::Error,
+        /Setting enable to manual is only supported on Microsoft Windows\./
+      )
+    end
 
-      it "should support :delayed as a value on Windows" do
-        allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
+    it "should not support :delayed as a value when not on Windows" do
+      allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
 
-        srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed)
-        expect(srv.should(:enable)).to eq(:delayed)
-      end
+      expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed) }.to raise_error(
+        Puppet::Error,
+        /Setting enable to delayed is only supported on Microsoft Windows\./
+      )
     end
   end
 
@@ -165,24 +150,105 @@ describe test_title, "when validating attribute values" do
       provider_class_with_logon_credentials = Puppet::Type.type(:service).provide(:simple) do
         has_features :manages_logon_credentials
         def logonpassword=(value) end
-        def logonaccount_insync?(current) end
       end
       allow(Puppet::Type.type(:service)).to receive(:defaultprovider).and_return(provider_class_with_logon_credentials)
     end
 
     describe "the 'logonaccount' property" do
-      let(:service) {Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')}
+      it "should not be munged nor checked when not on Windows" do
+        allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
+        service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'NonWindowsUser')
 
-      it "should let superclass implementation resolve insyncness when provider does not respond to the 'logonaccount_insync?' method" do
-        allow(service.provider).to receive(:respond_to?).with(:logonaccount_insync?).and_return(false)
-        expect(service.property(:logonaccount).insync?('myUser')).to eq(true)
+        expect { service }.not_to raise_error
+        expect(service[:logonaccount]).to eq('NonWindowsUser')
       end
 
-      it "should let provider resolve insyncness when provider responds to the 'logonaccount_insync?' method" do
-        allow(service.provider).to receive(:respond_to?).with(:logonaccount_insync?, any_args).and_return(true)
-        allow(service.provider).to receive(:logonaccount_insync?).and_return(false)
-        
-        expect(service.property(:logonaccount).insync?('myUser')).to eq(false)
+      context "when on Windows", :if => Puppet::Util::Platform.windows? do
+        before do
+          allow(Puppet::Util::Windows::User).to receive(:password_is?).and_return(true)
+          allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return("myPC")
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
+        end
+
+        it "should fail when the `Log On As A Service` right is missing from given user" do
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("")
+
+          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.to raise_error(Puppet::Error, /"myPC\\myUser" is missing the 'Log On As A Service' right./)
+        end
+
+        it "should fail when the `Log On As A Service` right is set to denied for given user" do
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("SeDenyServiceLogonRight")
+
+          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.to raise_error(Puppet::Error, /"myPC\\myUser" has the 'Log On As A Service' right set to denied./)
+        end
+
+        it "should not fail when given user has the `Log On As A Service` right" do
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("SeServiceLogonRight")
+
+          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.not_to raise_error
+        end
+
+        it "should not fail when given user is a default system account even if the `Log On As A Service` right is missing" do
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser))
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).and_return(true)
+
+          expect(Puppet::Util::Windows::User).not_to receive(:get_rights)
+          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.not_to raise_error
+        end
+
+        ['LocalSystem', '.\LocalSystem', 'myPC\LocalSystem', 'lOcALsysTem'].each do |user_input|
+          it "should succesfully munge #{user_input} to 'LocalSystem'" do
+            service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => user_input)
+
+            expect { service }.not_to raise_error
+            expect(service[:logonaccount]).to eq('LocalSystem')
+          end
+        end
+
+        it "should succesfully munge local account" do
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
+          service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')
+
+          expect { service }.not_to raise_error
+          expect(service[:logonaccount]).to eq('.\myUser')
+        end
+
+        it "should succesfully munge domain account" do
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("DomainUser", nil, nil, "myDomain", :SidTypeUser))
+          service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'DomainUser')
+
+          expect { service }.not_to raise_error
+          expect(service[:logonaccount]).to eq('myDomain\DomainUser')
+        end
+
+        it "should succesfully munge well known user" do
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeWellKnownGroup))
+          service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'LocalService')
+
+          expect { service }.not_to raise_error
+          expect(service[:logonaccount]).to eq('NT AUTHORITY\LOCAL SERVICE')
+        end
+
+        it "should succesfully munge a SID" do
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("NETWORK SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser))
+          service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'S-1-5-20')
+
+          expect { service }.not_to raise_error
+          expect(service[:logonaccount]).to eq('NT AUTHORITY\NETWORK SERVICE')
+        end
+
+        it "should fail when account is invalid" do
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(nil)
+          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'InvalidUser') }.to raise_error(Puppet::Error, /"InvalidUser" is not a valid account/)
+        end
+
+        it "should fail when sid type is not user or well known user" do
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("Administrators", nil, nil, "BUILTIN", :SidTypeAlias))
+          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'Administrators') }.to raise_error(Puppet::Error, /"Administrators" is not a valid account/)
+        end
       end
     end
 
@@ -192,6 +258,7 @@ describe test_title, "when validating attribute values" do
       end
 
       it "should default to empty string when only logonaccount is being managed" do
+        allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
         service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')
 
         expect { service }.not_to raise_error
@@ -204,8 +271,70 @@ describe test_title, "when validating attribute values" do
       end
 
       it "should fail when logonpassword includes the ':' character" do
+        allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
         expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'my:Pass') }.to raise_error(Puppet::Error, /Passwords cannot include ':'/)
       end
+
+      it "should not further check the password against given account when not on Windows" do
+        allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
+        expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myPass') }.not_to raise_error
+      end
+
+      context "when on Windows", :if => Puppet::Util::Platform.windows? do
+        before do
+          allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return("myPC")
+          allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(name_to_principal_result)
+          allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
+        end
+
+        it "should pass validation when given account is 'LocalSystem'" do
+          allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('LocalSystem').and_return(true)
+          allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('LocalSystem').and_return(false)
+
+          expect(Puppet::Util::Windows::SID).not_to receive(:name_to_principal)
+          expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
+          expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'LocalSystem') }.not_to raise_error
+        end
+
+        ['LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'].each do |predefined_local_account|
+          describe "when given account is #{predefined_local_account}" do
+            let(:name_to_principal_result) do
+              Puppet::Util::Windows::SID::Principal.new(predefined_local_account, nil, nil, "NT AUTHORITY", :SidTypeUser)
+            end
+
+            it "should pass validation" do
+              allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(predefined_local_account).and_return(false)
+              expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with(predefined_local_account).and_return(true)
+              expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with("NT AUTHORITY\\#{predefined_local_account}").and_return(true)
+
+              expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
+              expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => predefined_local_account) }.not_to raise_error
+            end
+          end
+        end
+
+        let(:name_to_principal_result) do
+          Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser)
+        end
+
+        describe "when given logonaccount is not a predefined local account" do
+          before do
+            allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('myUser').and_return(false)
+            allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('myUser').and_return(false)
+            allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('.\\myUser').and_return(false)
+          end
+
+          it "should pass validation if password is proven correct" do
+            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myPass', '.').and_return(true)
+            expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myPass') }.not_to raise_error
+          end
+
+          it "should not pass validation if password check fails" do
+            allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myWrongPass', '.').and_return(false)
+            expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myWrongPass') }.to raise_error(Puppet::Error, /The given password is invalid for user '.\\myUser'/)
+          end
+        end
+      end
     end
   end
 
@@ -359,7 +488,7 @@ describe test_title, "when changing the host" do
   it "insyncness should be resolved by provider instead of superclass implementation when provider responds to the 'enabled_insync?' method" do
     allow(@service.provider.class).to receive(:supports_parameter?).and_return(true)
     @service[:enable] = true
-    allow(@service.provider).to receive(:respond_to?).with(:enabled_insync?, any_args).and_return(true)
+    allow(@service.provider).to receive(:respond_to?).with(:enabled_insync?).and_return(true)
     allow(@service.provider).to receive(:enabled_insync?).and_return(false)
 
     expect(@service.property(:enable).insync?(:true)).to eq(false)