puppet 6.25.1-x86-mingw32 → 6.28.0-x86-mingw32

data/lib/puppet/pops/serialization/to_data_converter.rb

@@ -14,8 +14,6 @@ module Serialization
     # @option options [Boolean] :local_reference use local references instead of duplicating complex entries
     # @option options [Boolean] :type_by_reference `true` if Object types are converted to references rather than embedded.
     # @option options [Boolean] :symbol_as_string `true` if Symbols should be converted to strings (with type loss)
-    # @option options [Boolean] :force_symbol `false` if Symbols should not be converted (rich_data and symbol_as_string must be false)
-    # @option options [Boolean] :silence_warnings `false` if warnings should be silenced
     # @option options [String] :message_prefix String to prepend to in warnings and errors
     # @return [Data] the processed result. An object assignable to `Data`.
     #
@@ -43,12 +41,6 @@ module Serialization
       @symbol_as_string = options[:symbol_as_string]
       @symbol_as_string = false if @symbol_as_string.nil?
 
-      @force_symbol = options[:force_symbol]
-      @force_symbol = false if @force_symbol.nil?
-
-      @silence_warnings = options[:silence_warnings]
-      @silence_warnings = false if @silence_warnings.nil?
-
       @rich_data = options[:rich_data]
       @rich_data = false if @rich_data.nil?
 
@@ -100,11 +92,7 @@ module Serialization
         elsif @rich_data
           { PCORE_TYPE_KEY => PCORE_TYPE_SYMBOL, PCORE_VALUE_KEY => value.to_s }
         else
-          if @force_symbol
-            value
-          else
-            @silence_warnings ? unknown_to_string(value) : unknown_to_string_with_warning(value)
-          end
+          unknown_to_string_with_warning(value)
         end
       elsif value.instance_of?(Array)
         process(value) do
@@ -129,11 +117,7 @@ module Serialization
           { PCORE_TYPE_KEY => PCORE_TYPE_SENSITIVE, PCORE_VALUE_KEY => to_data(value.unwrap) }
         end
       else
-        if @rich_data
-          value_to_data_hash(value)
-        else
-          @silence_warnings ? unknown_to_string(value) : unknown_to_string_with_warning(value)
-        end
+        unknown_to_data(value)
       end
     end
 
@@ -207,6 +191,10 @@ module Serialization
       v
     end
 
+    def unknown_to_data(value)
+      @rich_data ? value_to_data_hash(value) : unknown_to_string_with_warning(value)
+    end
+
     def unknown_key_to_string_with_warning(value)
       str = unknown_to_string(value)
       serialization_issue(Issues::SERIALIZATION_UNKNOWN_KEY_CONVERTED_TO_STRING, :path => path_to_s, :klass => value.class, :value => str)

data/lib/puppet/provider/package/puppetserver_gem.rb

@@ -53,7 +53,7 @@ Puppet::Type.type(:package).provide :puppetserver_gem, :parent => :gem do
     end
 
     if options[:local]
-      list = execute_rubygems_list_command(gem_regex)
+      list = execute_rubygems_list_command(command_options)
     else
       begin
         list = puppetservercmd(command_options)
@@ -137,7 +137,7 @@ Puppet::Type.type(:package).provide :puppetserver_gem, :parent => :gem do
   # for example: json (1.8.3 java)
   # but java platform gems should not be managed by this (or any) provider.
 
-  def self.execute_rubygems_list_command(gem_regex)
+  def self.execute_rubygems_list_command(command_options)
     puppetserver_default_gem_home            = '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
     puppetserver_default_vendored_jruby_gems = '/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems'
     puppet_default_vendor_gems               = '/opt/puppetlabs/puppet/lib/ruby/vendor_gems'
@@ -157,24 +157,15 @@ Puppet::Type.type(:package).provide :puppetserver_gem, :parent => :gem do
       gem_env['GEM_PATH'] = puppetserver_conf['jruby-puppet'].key?('gem-path') ? puppetserver_conf['jruby-puppet']['gem-path'].join(':') : puppetserver_default_gem_path
     end
     gem_env['GEM_SPEC_CACHE'] = "/tmp/#{$$}"
-    Gem.paths = gem_env
-
-    sio_inn = StringIO.new
-    sio_out = StringIO.new
-    sio_err = StringIO.new
-    stream_ui = Gem::StreamUI.new(sio_inn, sio_out, sio_err, false)
-    gem_list_cmd = Gem::Commands::ListCommand.new
-    gem_list_cmd.options[:domain] = :local
-    gem_list_cmd.options[:args] = [gem_regex] if gem_regex
-    gem_list_cmd.ui = stream_ui
-    gem_list_cmd.execute
+
+    # Remove the 'gem' from the command_options
+    command_options.shift
+    gem_out = execute_gem_command(Puppet::Type::Package::ProviderPuppet_gem.provider_command, command_options, gem_env)
 
     # There is no method exclude default gems from the local gem list,
     # for example: psych (default: 2.2.2)
     # but default gems should not be managed by this (or any) provider.
-    gem_list = sio_out.string.lines.reject { |gem| gem =~ / \(default\: / }
+    gem_list = gem_out.lines.reject { |gem| gem =~ / \(default\: / }
     gem_list.join("\n")
-  ensure
-    Gem.clear_paths
   end
 end

data/lib/puppet/provider/package/windows/exe_package.rb

@@ -17,6 +17,11 @@ class Puppet::Provider::Package::Windows
       'WindowsInstaller',
     ]
 
+    def self.register(path)
+      Puppet::Type::Package::ProviderWindows.paths ||= []
+      Puppet::Type::Package::ProviderWindows.paths << path
+    end
+
     # Return an instance of the package from the registry, or nil
     def self.from_registry(name, values)
       if valid?(name, values)
@@ -55,7 +60,31 @@ class Puppet::Provider::Package::Windows
     end
 
     def self.install_command(resource)
-      munge(resource[:source])
+      file_location = resource[:source]
+      if file_location.start_with?('http://', 'https://')
+        tempfile = Tempfile.new(['','.exe'])
+        begin
+          uri = URI(Puppet::Util.uri_encode(file_location))
+          client = Puppet.runtime[:http]
+          client.get(uri, options: { include_system_store: true }) do |response|
+            raise Puppet::HTTP::ResponseError.new(response) unless response.success?
+
+            File.open(tempfile.path, 'wb') do |file|
+              response.read_body do |data|
+                file.write(data)
+              end
+            end
+          end
+        rescue => detail
+          raise Puppet::Error.new(_("Error when installing %{package}: %{detail}") % { package: resource[:name] ,detail: detail.message}, detail)
+        ensure
+          self.register(tempfile.path)
+          tempfile.close()
+          file_location = tempfile.path
+        end
+      end
+
+      munge(file_location)
     end
 
     def uninstall_command

data/lib/puppet/provider/package/windows/package.rb

@@ -67,7 +67,8 @@ class Puppet::Provider::Package::Windows
         # REMIND: what about msp, etc
         MsiPackage
       when /\.exe"?\Z/i
-        fail(_("The source does not exist: '%{source}'") % { source: resource[:source] }) unless Puppet::FileSystem.exist?(resource[:source])
+        fail(_("The source does not exist: '%{source}'") % { source: resource[:source] }) unless
+          Puppet::FileSystem.exist?(resource[:source]) || resource[:source].start_with?('http://', 'https://')
         ExePackage
       else
         fail(_("Don't know how to install '%{source}'") % { source: resource[:source] })

data/lib/puppet/provider/package/windows.rb

@@ -30,6 +30,19 @@ Puppet::Type.type(:package).provide(:windows, :parent => Puppet::Provider::Packa
   has_feature :versionable
 
   attr_accessor :package
+  class << self
+    attr_accessor :paths
+  end
+
+  def self.post_resource_eval
+    @paths.each do |path|
+      begin
+        Puppet::FileSystem.unlink(path)
+      rescue => detail
+        raise Puppet::Error.new(_("Error when unlinking %{path}: %{detail}") % { path: path ,detail: detail.message}, detail)
+      end
+    end if @paths
+  end
 
   # Return an array of provider instances
   def self.instances
@@ -64,7 +77,7 @@ Puppet::Type.type(:package).provide(:windows, :parent => Puppet::Provider::Packa
 
     command = [installer.install_command(resource), install_options].flatten.compact.join(' ')
     working_dir = File.dirname(resource[:source])
-    if !Puppet::FileSystem.exist?(working_dir) && resource[:source] =~ /\.msi"?\Z/i
+    unless Puppet::FileSystem.exist?(working_dir)
       working_dir = nil
     end
     output = execute(command, :failonfail => false, :combine => true, :cwd => working_dir, :suppress_window => true)

data/lib/puppet/provider/service/init.rb

@@ -84,7 +84,7 @@ Puppet::Type.type(:service).provide :init, :parent => :base do
     defpath = [defpath] unless defpath.is_a? Array
     instances = []
     defpath.each do |path|
-      unless FileTest.directory?(path)
+      unless Puppet::FileSystem.directory?(path)
         Puppet.debug "Service path #{path} does not exist"
         next
       end
@@ -97,8 +97,9 @@ Puppet::Type.type(:service).provide :init, :parent => :base do
         fullpath = File.join(path, name)
         next if name =~ /^\./
         next if exclude.include? name
-        next if not FileTest.executable?(fullpath)
-        next if not is_init?(fullpath)
+        next if Puppet::FileSystem.directory?(fullpath)
+        next unless Puppet::FileSystem.executable?(fullpath)
+        next unless is_init?(fullpath)
         instances << new(:name => name, :path => path, :hasstatus => true)
       end
     end
@@ -122,7 +123,7 @@ Puppet::Type.type(:service).provide :init, :parent => :base do
 
   def paths
     @paths ||= @resource[:path].find_all do |path|
-      if File.directory?(path)
+      if Puppet::FileSystem.directory?(path)
         true
       else
         if Puppet::FileSystem.exist?(path)

data/lib/puppet/provider/user/directoryservice.rb

@@ -401,6 +401,11 @@ Puppet::Type.type(:user).provide :directoryservice do
   # we have to treat the ds cache just like you would in the password=
   # method.
   def salt=(value)
+    if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.15') >= 0)
+      if value.length != 64
+        self.fail "macOS versions 10.15 and higher require the salt to be 32-bytes. Since Puppet's user resource requires the value to be hex encoded, the length of the salt's string must be 64. Please check your salt and try again."
+      end
+    end
     if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.7') > 0)
       assert_full_pbkdf2_password
 

data/lib/puppet/ssl/ssl_provider.rb

@@ -42,17 +42,19 @@ class Puppet::SSL::SSLProvider
   # refers to the cacerts bundle in the puppet-agent package.
   #
   # Connections made from the returned context will authenticate the server,
-  # i.e. `VERIFY_PEER`, but will not use a client certificate and will not
-  # perform revocation checking.
+  # i.e. `VERIFY_PEER`, but will not use a client certificate (unless requested)
+  # and will not perform revocation checking.
   #
   # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
   # @param path [String, nil] A file containing additional trusted CA certs.
+  # @param include_client_cert [true, false] If true, the client cert will be added to the context
+  #   allowing mutual TLS authentication. The default is false. If the client cert doesn't exist
+  #   then the option will be ignored.
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise (see #create_context)
   # @api private
-  def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
-    store = create_x509_store(cacerts, [], false)
-    store.set_default_paths
+  def create_system_context(cacerts:, path: Puppet[:ssl_trust_store], include_client_cert: false)
+    store = create_x509_store(cacerts, [], false, include_system_store: true)
 
     if path
       stat = Puppet::FileSystem.stat(path)
@@ -72,6 +74,29 @@ class Puppet::SSL::SSLProvider
       end
     end
 
+    if include_client_cert
+      cert_provider = Puppet::X509::CertProvider.new
+      private_key = cert_provider.load_private_key(Puppet[:certname], required: false)
+      unless private_key
+        Puppet.warning("Private key for '#{Puppet[:certname]}' does not exist")
+      end
+
+      client_cert = cert_provider.load_client_cert(Puppet[:certname], required: false)
+      unless client_cert
+        Puppet.warning("Client certificate for '#{Puppet[:certname]}' does not exist")
+      end
+
+      if private_key && client_cert
+        client_chain = resolve_client_chain(store, client_cert, private_key)
+
+        return Puppet::SSL::SSLContext.new(
+          store: store, cacerts: cacerts, crls: [],
+          private_key: private_key, client_cert: client_cert, client_chain: client_chain,
+          revocation: false
+        ).freeze
+      end
+    end
+
     Puppet::SSL::SSLContext.new(store: store, cacerts: cacerts, crls: [], revocation: false).freeze
   end
 
@@ -94,28 +119,21 @@ class Puppet::SSL::SSLProvider
   # @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
   #   key matches the `private_key`
   # @param revocation [:chain, :leaf, false] revocation mode
+  # @param include_system_store [true, false] Also trust system CA
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise [Puppet::SSL::CertVerifyError] There was an issue with
   #   one of the certs or CRLs.
   # @raise [Puppet::SSL::SSLError] There was an issue with the
   #   `private_key`.
   # @api private
-  def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation])
+  def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation], include_system_store: false)
     raise ArgumentError, _("CA certs are missing") unless cacerts
     raise ArgumentError, _("CRLs are missing") unless crls
     raise ArgumentError, _("Private key is missing") unless private_key
     raise ArgumentError, _("Client cert is missing") unless client_cert
 
-    store = create_x509_store(cacerts, crls, revocation)
-    client_chain = verify_cert_with_store(store, client_cert)
-
-    if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
-      raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
-    end
-
-    unless client_cert.check_private_key(private_key)
-      raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
-    end
+    store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
+    client_chain = resolve_client_chain(store, client_cert, private_key)
 
     Puppet::SSL::SSLContext.new(
       store: store, cacerts: cacerts, crls: crls,
@@ -134,12 +152,13 @@ class Puppet::SSL::SSLProvider
   # @param password [String, nil] If the private key is encrypted, decrypt
   #   it using the password. If the key is encrypted, but a password is
   #   not specified, then the key cannot be loaded.
+  # @param include_system_store [true, false] Also trust system CA
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise [Puppet::SSL::CertVerifyError] There was an issue with
   #   one of the certs or CRLs.
   # @raise [Puppet::Error] There was an issue with one of the required components.
   # @api private
-  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
+  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil, include_system_store: false)
     cert = Puppet::X509::CertProvider.new
     cacerts = cert.load_cacerts(required: true)
     crls = case revocation
@@ -151,7 +170,7 @@ class Puppet::SSL::SSLProvider
     private_key = cert.load_private_key(certname, required: true, password: password)
     client_cert = cert.load_client_cert(certname, required: true)
 
-    create_context(cacerts: cacerts, crls: crls,  private_key: private_key, client_cert: client_cert, revocation: revocation)
+    create_context(cacerts: cacerts, crls: crls,  private_key: private_key, client_cert: client_cert, revocation: revocation, include_system_store: include_system_store)
   rescue OpenSSL::PKey::PKeyError => e
     raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
   end
@@ -173,6 +192,27 @@ class Puppet::SSL::SSLProvider
     csr
   end
 
+  def print(ssl_context, alg = 'SHA256')
+    if Puppet::Util::Log.sendlevel?(:debug)
+      chain = ssl_context.client_chain
+      # print from root to client
+      chain.reverse.each_with_index do |cert, i|
+        digest = Puppet::SSL::Digest.new(alg, cert.to_der)
+        if i == chain.length - 1
+          Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
+        else
+          Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
+        end
+      end
+      ssl_context.crls.each do |crl|
+        oid_values = Hash[crl.extensions.map { |ext| [ext.oid, ext.value] }]
+        crlNumber = oid_values['crlNumber'] || 'unknown'
+        authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp!
+        Puppet.debug("Using CRL '#{crl.issuer.to_utf8}' authorityKeyIdentifier '#{authKeyId}' crlNumber '#{crlNumber }'")
+      end
+    end
+  end
+
   private
 
   def default_flags
@@ -186,7 +226,7 @@ class Puppet::SSL::SSLProvider
     end
   end
 
-  def create_x509_store(roots, crls, revocation)
+  def create_x509_store(roots, crls, revocation, include_system_store: false)
     store = OpenSSL::X509::Store.new
     store.purpose = OpenSSL::X509::PURPOSE_ANY
     store.flags = default_flags | revocation_mode(revocation)
@@ -194,6 +234,8 @@ class Puppet::SSL::SSLProvider
     roots.each { |cert| store.add_cert(cert) }
     crls.each { |crl| store.add_crl(crl) }
 
+    store.set_default_paths if include_system_store
+
     store
   end
 
@@ -217,6 +259,20 @@ class Puppet::SSL::SSLProvider
     end
   end
 
+  def resolve_client_chain(store, client_cert, private_key)
+    client_chain = verify_cert_with_store(store, client_cert)
+
+    if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
+      raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
+    end
+
+    unless client_cert.check_private_key(private_key)
+      raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
+    end
+
+    client_chain
+  end
+
   def verify_cert_with_store(store, cert)
     # StoreContext#initialize accepts a chain argument, but it's set to [] because
     # puppet requires any intermediate CA certs needed to complete the client's

data/lib/puppet/ssl/state_machine.rb

@@ -27,6 +27,15 @@ class Puppet::SSL::StateMachine
       detail.set_backtrace(cause.backtrace)
       Error.new(@machine, message, detail)
     end
+
+    def log_error(message)
+      # When running daemonized we set stdout to /dev/null, so write to the log instead
+      if Puppet[:daemonize]
+        Puppet.err(message)
+      else
+        $stdout.puts(message)
+      end
+    end
   end
 
   # Load existing CA certs or download them. Transition to NeedCRLs.
@@ -270,15 +279,15 @@ class Puppet::SSL::StateMachine
     def next_state
       time = @machine.waitforcert
       if time < 1
-        puts _("Exiting now because the waitforcert setting is set to 0.")
+        log_error(_("Exiting now because the waitforcert setting is set to 0."))
         exit(1)
       elsif Time.now.to_i > @machine.wait_deadline
-        puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] }
+        log_error(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] })
         exit(1)
       else
         Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
 
-        # close persistent connections and session state before sleeping
+        # close http/tls and session state before sleeping
         Puppet.runtime[:http].close
         @machine.session = Puppet.runtime[:http].create_session
 
@@ -417,20 +426,7 @@ class Puppet::SSL::StateMachine
   def ensure_client_certificate
     final_state = run_machine(NeedLock.new(self), Done)
     ssl_context = final_state.ssl_context
-
-    if Puppet::Util::Log.sendlevel?(:debug)
-      chain = ssl_context.client_chain
-      # print from root to client
-      chain.reverse.each_with_index do |cert, i|
-        digest = Puppet::SSL::Digest.new(@digest, cert.to_der)
-        if i == chain.length - 1
-          Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
-        else
-          Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
-        end
-      end
-    end
-
+    @ssl_provider.print(ssl_context, @digest)
     ssl_context
   end
 

data/lib/puppet/ssl/verifier.rb

@@ -115,6 +115,12 @@ class Puppet::SSL::Verifier
         return false
       end
 
+    # ruby-openssl#74ef8c0cc56b840b772240f2ee2b0fc0aafa2743 now sets the
+    # store_context error when the cert is mismatched
+    when OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH
+      @last_error = Puppet::SSL::CertMismatchError.new(peer_cert, @hostname)
+      return false
+
     when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
       crl = store_context.current_crl
       if crl && crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS

data/lib/puppet/transaction/persistence.rb

@@ -6,6 +6,26 @@ require 'puppet/util/yaml'
 # as calculating corrective_change).
 # @api private
 class Puppet::Transaction::Persistence
+
+  def self.allowed_classes
+    @allowed_classes ||= [
+      Symbol,
+      Time,
+      Regexp,
+      # URI is excluded, because it serializes all instance variables including the
+      # URI parser. Better to serialize the URL encoded representation.
+      SemanticPuppet::Version,
+      # SemanticPuppet::VersionRange has many nested classes and is unlikely to be
+      # used directly, so ignore it
+      Puppet::Pops::Time::Timestamp,
+      Puppet::Pops::Time::TimeData,
+      Puppet::Pops::Time::Timespan,
+      Puppet::Pops::Types::PBinaryType::Binary,
+      # Puppet::Pops::Types::PSensitiveType::Sensitive values are excluded from
+      # the persistence store, ignore it.
+    ].freeze
+  end
+
   def initialize
     @old_data = {}
     @new_data = {"resources" => {}}
@@ -62,7 +82,7 @@ class Puppet::Transaction::Persistence
     result = nil
     Puppet::Util.benchmark(:debug, _("Loaded transaction store file in %{seconds} seconds")) do
       begin
-        result = Puppet::Util::Yaml.safe_load_file(filename, [Symbol, Time])
+        result = Puppet::Util::Yaml.safe_load_file(filename, self.class.allowed_classes)
       rescue Puppet::Util::Yaml::YamlLoadError => detail
         Puppet.log_exception(detail, _("Transaction store file %{filename} is corrupt (%{detail}); replacing") % { filename: filename, detail: detail })
 
@@ -87,17 +107,7 @@ class Puppet::Transaction::Persistence
 
   # Save data from internal class to persistence store on disk.
   def save
-    converted_data = Puppet::Pops::Serialization::ToDataConverter.convert(
-      @new_data, {
-        symbol_as_string: false,
-        local_reference: false,
-        type_by_reference: true,
-        force_symbol: true,
-        silence_warnings: true,
-        message_prefix: to_s
-      }
-    )
-    Puppet::Util::Yaml.dump(converted_data, Puppet[:transactionstorefile])
+    Puppet::Util::Yaml.dump(@new_data, Puppet[:transactionstorefile])
   end
 
   # Use the catalog and run_mode to determine if persistence should be enabled or not

data/lib/puppet/type/exec.rb

@@ -457,7 +457,7 @@ module Puppet
 
             exec { '/bin/echo root >> /usr/lib/cron/cron.allow':
               path   => '/usr/bin:/usr/sbin:/bin',
-              unless => 'grep root /usr/lib/cron/cron.allow 2>/dev/null',
+              unless => 'grep ^root$ /usr/lib/cron/cron.allow 2>/dev/null',
             }
 
         This would add `root` to the cron.allow file (on Solaris) unless

data/lib/puppet/type/file/data_sync.rb

@@ -79,7 +79,7 @@ module Puppet
       return :absent unless stat
       ftype = stat.ftype
       # Don't even try to manage the content on directories or links
-      return nil if ["directory","link"].include?(ftype)
+      return nil if ['directory', 'link', 'fifo', 'socket'].include?(ftype)
 
       begin
         resource.parameter(:checksum).sum_file(resource[:path])