puppet 6.25.1 → 7.0.0

data/lib/puppet/type/exec.rb

@@ -11,10 +11,7 @@ module Puppet
 
       * The command itself is already idempotent. (For example, `apt-get update`.)
       * The exec has an `onlyif`, `unless`, or `creates` attribute, which prevents
-        Puppet from running the command unless some condition is met. The
-        `onlyif` and `unless` commands of an `exec` are used in the process of
-        determining whether the `exec` is already in sync, therefore they must be run
-        during a noop Puppet run.
+        Puppet from running the command unless some condition is met.
       * The exec has `refreshonly => true`, which allows Puppet to run the
         command only when some other resource is changed. (See the notes on refreshing
         below.) 
@@ -201,20 +198,10 @@ module Puppet
         any output is logged at the `err` log level.
 
         Multiple `exec` resources can use the same `command` value; Puppet
-        only uses the resource title to ensure `exec`s are unique.
-
-        On *nix platforms, the command can be specified as an array of
-        strings and Puppet will invoke it using the more secure method of
-        parameterized system calls. For example, rather than executing the
-        malicious injected code, this command will echo it out:
-
-            command => ['/bin/echo', 'hello world; rm -rf /']
-      "
+        only uses the resource title to ensure `exec`s are unique."
 
       validate do |command|
-        unless command.is_a?(String) || command.is_a?(Array)
-          raise ArgumentError, _("Command must be a String or Array<String>, got value of class %{klass}") % { klass: command.class }
-        end
+        raise ArgumentError, _("Command must be a String, got value of class %{klass}") % { klass: command.class } unless command.is_a? String
       end
     end
 
@@ -467,17 +454,10 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
-        Since this command is used in the process of determining whether the
-        `exec` is already in sync, it must be run during a noop Puppet run.
-
         This parameter can also take an array of commands. For example:
 
             unless => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
-        or an array of arrays. For example:
-
-            unless => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
-
         This `exec` would only run if every command in the array has a
         non-zero exit code.
       EOT
@@ -530,17 +510,10 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
-        Since this command is used in the process of determining whether the
-        `exec` is already in sync, it must be run during a noop Puppet run.
-
         This parameter can also take an array of commands. For example:
 
             onlyif => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
-        or an array of arrays. For example:
-
-            onlyif => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
-
         This `exec` would only run if every command in the array has an
         exit code of 0 (success).
       EOT
@@ -589,14 +562,12 @@ module Puppet
       reqs << self[:cwd] if self[:cwd]
 
       file_regex = Puppet::Util::Platform.windows? ? %r{^([a-zA-Z]:[\\/]\S+)} : %r{^(/\S+)}
-      cmd = self[:command]
-      cmd = cmd[0] if cmd.is_a? Array
 
-      cmd.scan(file_regex) { |str|
+      self[:command].scan(file_regex) { |str|
         reqs << str
       }
 
-      cmd.scan(/^"([^"]+)"/) { |str|
+      self[:command].scan(/^"([^"]+)"/) { |str|
         reqs << str
       }
 
@@ -612,7 +583,6 @@ module Puppet
           # fully qualified.  It might not be a bad idea to add
           # unqualified files, but, well, that's a bit more annoying
           # to do.
-          line = line[0] if line.is_a? Array
           reqs += line.scan(file_regex)
         end
       }

data/lib/puppet/type/file/checksum.rb

@@ -7,7 +7,7 @@ Puppet::Type.type(:file).newparam(:checksum) do
 
   desc "The checksum type to use when determining whether to replace a file's contents.
 
-    The default checksum type is md5."
+    The default checksum type is #{Puppet.default_digest_algorithm}."
 
   newvalues(*Puppet::Util::Checksums.known_checksum_types)
 

data/lib/puppet/type/file/mode.rb

@@ -90,15 +90,9 @@ module Puppet
         raise Puppet::Error, "The file mode specification is invalid: #{value.inspect}"
       end
 
-      # normalizes to symbolic form, e.g. u+a, an octal string without leading 0
       normalize_symbolic_mode(value)
     end
 
-    unmunge do |value|
-      # return symbolic form or octal string *with* leading 0's
-      display_mode(value) if value
-    end
-
     def desired_mode_from_current(desired, current)
       current = current.to_i(8) if current.is_a? String
       is_a_directory = @resource.stat && @resource.stat.directory?

data/lib/puppet/type/file/selcontext.rb

@@ -42,7 +42,7 @@ module Puppet
         return nil
       end
 
-      context = self.get_selinux_default_context(@resource[:path], @resource[:ensure])
+      context = self.get_selinux_default_context(@resource[:path])
       unless context
         return nil
       end

data/lib/puppet/type/file/source.rb

@@ -340,7 +340,7 @@ module Puppet
 
     def handle_response_error(response)
       message = "Error #{response.code} on SERVER: #{response.body.empty? ? response.reason : response.body}"
-      raise Net::HTTPError.new(message, response.nethttp)
+      raise Net::HTTPError.new(message, Puppet::HTTP::ResponseConverter.to_ruby_response(response))
     end
   end
 

data/lib/puppet/type/file.rb

@@ -83,33 +83,31 @@ Puppet::Type.newtype(:file) do
         use copy the file in the same directory with that value as the extension
         of the backup. (A value of `true` is a synonym for `.puppet-bak`.)
       * If set to any other string, Puppet will try to back up to a filebucket
-        with that title. See the `filebucket` resource type for more details.
-        (This is the preferred method for backup, since it can be centralized
-        and queried.)
+        with that title. Puppet automatically creates a **local** filebucket
+        named `puppet` if one doesn't already exist. See the `filebucket` resource
+        type for more details.
 
-      Default value: `puppet`, which backs up to a filebucket of the same name.
-      (Puppet automatically creates a **local** filebucket named `puppet` if one
-      doesn't already exist.)
+      Default value: `false`
 
       Backing up to a local filebucket isn't particularly useful. If you want
       to make organized use of backups, you will generally want to use the
-      primary Puppet server's filebucket service. This requires declaring a
+      puppet master server's filebucket service. This requires declaring a
       filebucket resource and a resource default for the `backup` attribute
       in site.pp:
 
           # /etc/puppetlabs/puppet/manifests/site.pp
           filebucket { 'main':
             path   => false,                # This is required for remote filebuckets.
-            server => 'puppet.example.com', # Optional; defaults to the configured primary Puppet server.
+            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
           }
 
           File { backup => main, }
 
-      If you are using multiple primary servers, you will want to
+      If you are using multiple puppet master servers, you will want to
       centralize the contents of the filebucket. Either configure your load
-      balancer to direct all filebucket traffic to a single primary server, or use
+      balancer to direct all filebucket traffic to a single master, or use
       something like an out-of-band rsync task to synchronize the content on all
-      primary servers.
+      masters.
 
       > **Note**: Enabling and using the backup option, and by extension the 
         filebucket resource, requires appropriate planning and management to ensure 
@@ -125,7 +123,7 @@ Puppet::Type.newtype(:file) do
         - Restrict the directory to a maximum size after which the oldest items are removed.
     EOT
 
-    defaultto "puppet"
+    defaultto false
 
     munge do |value|
       # I don't really know how this is happening.
@@ -220,23 +218,6 @@ Puppet::Type.newtype(:file) do
     end
   end
 
-  newparam(:max_files) do
-    desc "In case the resource is a directory and the recursion is enabled, puppet will
-      generate a new resource for each file file found, possible leading to
-      an excessive number of resources generated without any control.
-
-      Setting `max_files` will check the number of file resources that
-      will eventually be created and will raise a resource argument error if the
-      limit will be exceeded.
-
-      Use value `0` to log a warning instead of raising an error.
-
-      Use value `-1` to disable errors and warnings due to max files."
-
-    defaultto 0
-    newvalues(/^[0-9]+$/, /^-1$/)
-  end
-
   newparam(:replace, :boolean => true, :parent => Puppet::Parameter::Boolean) do
     desc "Whether to replace a file or symlink that already exists on the local system but
       whose content doesn't match what the `source` or `content` attribute
@@ -361,7 +342,7 @@ Puppet::Type.newtype(:file) do
       This command must have a fully qualified path, and should contain a
       percent (`%`) token where it would expect an input file. It must exit `0`
       if the syntax is correct, and non-zero otherwise. The command will be
-      run on the target system while applying the catalog, not on the primary Puppet server.
+      run on the target system while applying the catalog, not on the puppet master.
 
       Example:
 
@@ -593,7 +574,7 @@ Puppet::Type.newtype(:file) do
     options = @original_parameters.merge(:path => full_path).reject { |param, value| value.nil? }
 
     # These should never be passed to our children.
-    [:parent, :ensure, :recurse, :recurselimit, :max_files, :target, :alias, :source].each do |param|
+    [:parent, :ensure, :recurse, :recurselimit, :target, :alias, :source].each do |param|
       options.delete(param) if options.include?(param)
     end
 
@@ -770,7 +751,6 @@ Puppet::Type.newtype(:file) do
       :links => self[:links],
       :recurse => (self[:recurse] == :remote ? true : self[:recurse]),
       :recurselimit => self[:recurselimit],
-      :max_files => self[:max_files],
       :source_permissions => self[:source_permissions],
       :ignore => self[:ignore],
       :checksum_type => (self[:source] || self[:content]) ? self[:checksum] : :none,

data/lib/puppet/type/filebucket.rb

@@ -4,7 +4,7 @@ module Puppet
   Type.newtype(:filebucket) do
     @doc = <<-EOT
       A repository for storing and retrieving file content by MD5 checksum. Can
-      be local to each agent node, or centralized on a primary Puppet server. All
+      be local to each agent node, or centralized on a puppet master server. All
       puppet servers provide a filebucket service that agent nodes can access
       via HTTP, but you must declare a filebucket resource before any agents
       will do so.
@@ -25,14 +25,14 @@ module Puppet
           # /etc/puppetlabs/puppet/manifests/site.pp
           filebucket { 'main':
             path   => false,                # This is required for remote filebuckets.
-            server => 'puppet.example.com', # Optional; defaults to the configured primary server.
+            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
           }
 
           File { backup => main, }
 
-      Puppet master servers automatically provide the filebucket service, so
+      Puppet Servers automatically provide the filebucket service, so
       this will work in a default configuration. If you have a heavily
-      restricted `auth.conf` file, you may need to allow access to the
+      restricted Puppet Server `auth.conf` file, you may need to allow access to the
       `file_bucket_file` endpoint.
     EOT
 

data/lib/puppet/type/group.rb

@@ -1,4 +1,5 @@
 require 'etc'
+require 'facter'
 require 'puppet/property/keyvalue'
 require 'puppet/parameter/boolean'
 

data/lib/puppet/type/package.rb

@@ -106,10 +106,6 @@ module Puppet
         provider.purge
       end
 
-      newvalue(:held, :event => :package_held, :required_features => :holdable) do
-        provider.deprecated_hold
-      end
-
       newvalue(:disabled, :required_features => :disableable) do
         provider.disable
       end
@@ -161,7 +157,7 @@ module Puppet
         @should.each { |should|
           case should
           when :present
-            return true unless [:absent, :purged, :held, :disabled].include?(is)
+            return true unless [:absent, :purged, :disabled].include?(is)
           when :latest
             # Short-circuit packages that are not present
             return false if is == :absent || is == :purged
@@ -426,10 +422,10 @@ module Puppet
     end
 
     newparam(:source) do
-      desc "Where to find the package file. This is mostly used by providers that don't
+      desc "Where to find the package file. This is only used by providers that don't
         automatically download packages from a central repository. (For example:
-        the `yum` provider ignores this attribute, `apt` provider uses it if present
-        and the `rpm` and `dpkg` providers require it.)
+        the `yum` and `apt` providers ignore this attribute, but the `rpm` and
+        `dpkg` providers require it.)
 
         Different providers accept different values for `source`. Most providers
         accept paths to local files stored on the target system. Some providers
@@ -657,8 +653,7 @@ module Puppet
       if provider.reinstallable? &&
         @parameters[:reinstall_on_refresh].value == :true &&
         @parameters[:ensure].value != :purged &&
-        @parameters[:ensure].value != :absent &&
-        @parameters[:ensure].value != :held
+        @parameters[:ensure].value != :absent
 
         provider.reinstall
       end
@@ -673,7 +668,7 @@ module Puppet
         Default is "none". Mark can be specified with or without `ensure`,
         if `ensure` is missing will default to "present".
 
-        Mark cannot be specified together with "purged", "absent" or "held"
+        Mark cannot be specified together with "purged", or "absent"
         values for `ensure`.
       EOT
       newvalues(:hold, :none)
@@ -710,11 +705,8 @@ module Puppet
     end
 
     validate do
-      if :held == @parameters[:ensure].should
-        warning '"ensure=>held" has been deprecated and will be removed in a future version, use "mark=hold" instead'
-      end
-      if @parameters[:mark] && [:absent, :purged, :held].include?(@parameters[:ensure].should)
-        raise ArgumentError, _('You cannot use "mark" property while "ensure" is one of ["absent", "purged", "held"]')
+      if @parameters[:mark] && [:absent, :purged].include?(@parameters[:ensure].should)
+        raise ArgumentError, _('You cannot use "mark" property while "ensure" is one of ["absent", "purged"]')
       end
     end
   end

data/lib/puppet/type/resources.rb

@@ -175,7 +175,7 @@ Puppet::Type.newtype(:resources) do
     end
 
     # Otherwise, use a sensible default based on the OS family
-    @system_users_max_uid ||= case Puppet.runtime[:facter].value(:osfamily)
+    @system_users_max_uid ||= case Facter.value(:osfamily)
       when 'OpenBSD', 'FreeBSD'
         999
       else

data/lib/puppet/type/service.rb

@@ -38,12 +38,6 @@ module Puppet
     feature :enableable, "The provider can enable and disable the service.",
       :methods => [:disable, :enable, :enabled?]
 
-    feature :delayed_startable, "The provider can set service to delayed start",
-      :methods => [:delayed_start]
-
-    feature :manual_startable, "The provider can set service to manual start",
-      :methods => [:manual_start]
-
     feature :controllable, "The provider uses a control variable."
 
     feature :flaggable, "The provider can pass flags to the service."
@@ -73,7 +67,7 @@ module Puppet
         provider.disable
       end
 
-      newvalue(:manual, :event => :service_manual_start, :required_features => :manual_startable) do
+      newvalue(:manual, :event => :service_manual_start) do
         provider.manual_start
       end
 
@@ -87,7 +81,8 @@ module Puppet
         provider.enabled?
       end
 
-      newvalue(:delayed, :event => :service_delayed_start, :required_features => :delayed_startable) do
+      # This only works on Windows systems.
+      newvalue(:delayed, :event => :service_delayed_start) do
         provider.delayed_start
       end
 
@@ -95,6 +90,12 @@ module Puppet
         return provider.enabled_insync?(current) if provider.respond_to?(:enabled_insync?)
         super(current)
       end
+
+      validate do |value|
+        if (value == :manual || value == :delayed) && !Puppet::Util::Platform.windows?
+          raise Puppet::Error.new(_("Setting enable to %{value} is only supported on Microsoft Windows.") % { value: value.to_s} )
+        end
+      end
     end
 
     # Handle whether the service should actually be running right now.
@@ -138,9 +139,23 @@ module Puppet
     newproperty(:logonaccount, :required_features => :manages_logon_credentials) do
       desc "Specify an account for service logon"
 
-      def insync?(current)
-        return provider.logonaccount_insync?(current) if provider.respond_to?(:logonaccount_insync?)
-        super(current)
+      munge do |value|
+        return value unless Puppet::Util::Platform.windows?
+        return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(value)
+
+        value.sub!(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
+        user_information = Puppet::Util::Windows::SID.name_to_principal(value)
+        raise Puppet::Error.new("\"#{value}\" is not a valid account") unless user_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(user_information.account_type)
+
+        user_rights = Puppet::Util::Windows::User::get_rights(user_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(value)
+        raise Puppet::Error.new("\"#{user_information.domain_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
+        raise Puppet::Error.new("\"#{user_information.domain_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
+
+        if user_information.domain == Puppet::Util::Windows::ADSI.computer_name
+          ".\\#{user_information.account}"
+        else
+          user_information.domain_account
+        end
       end
     end
 
@@ -148,7 +163,18 @@ module Puppet
       desc "Specify a password for service logon. Default value is an empty string (when logonaccount is specified)."
 
       validate do |value|
-        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) && value.include?(":")
+        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.") unless @resource[:logonaccount]
+        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) and value.include?(":")
+        return unless Puppet::Util::Platform.windows?
+
+        is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@resource[:logonaccount]) || @resource[:logonaccount] == 'LocalSystem'
+
+        account_info = @resource[:logonaccount].split("\\")
+        able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], value, account_info[0]) unless is_a_predefined_local_account
+
+        raise Puppet::Error.new("The given password is invalid for user '#{@resource[:logonaccount]}'.") unless is_a_predefined_local_account || able_to_logon
+
+        provider.logonpassword=(value)
       end
 
       sensitive true
@@ -272,14 +298,9 @@ module Puppet
 
     newparam(:timeout, :required_features => :configurable_timeout) do
       desc "Specify an optional minimum timeout (in seconds) for puppet to wait when syncing service properties"
-      defaultto { provider.respond_to?(:default_timeout) ? provider.default_timeout : 10 }
-
-      munge do |value|
-        begin
-          value = value.to_i
-          raise if value < 1
-          value
-        rescue
+      defaultto { provider.class.respond_to?(:default_timeout) ? provider.default_timeout : 10 }
+      validate do |value|
+        if (not value.is_a? Integer) || value < 1
           raise Puppet::Error.new(_("\"%{value}\" is not a positive integer: the timeout parameter must be specified as a positive integer") % { value: value })
         end
       end
@@ -299,11 +320,5 @@ module Puppet
     def self.needs_ensure_retrieved
       false
     end
-
-    validate do
-      if @parameters[:logonpassword] && @parameters[:logonaccount].nil?
-        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.")
-      end
-    end
   end
 end

data/lib/puppet/type/tidy.rb

@@ -50,22 +50,6 @@ Puppet::Type.newtype(:tidy) do
     end
   end
 
-  newparam(:max_files) do
-    desc "In case the resource is a directory and the recursion is enabled, puppet will
-      generate a new resource for each file file found, possible leading to
-      an excessive number of resources generated without any control.
-
-      Setting `max_files` will check the number of file resources that
-      will eventually be created and will raise a resource argument error if the
-      limit will be exceeded.
-
-      Use value `0` to disable the check. In this case, a warning is logged if
-      the number of files exceeds 1000."
-
-    defaultto 0
-    newvalues(/^[0-9]+$/)
-  end
-
   newparam(:matches) do
     desc <<-'EOT'
       One or more (shell type) file glob patterns, which restrict
@@ -144,7 +128,7 @@ Puppet::Type.newtype(:tidy) do
 
     def tidy?(path, stat)
       # If the file's older than we allow, we should get rid of it.
-      (Time.now.to_i - stat.send(resource[:type]).to_i) >= value
+      (Time.now.to_i - stat.send(resource[:type]).to_i) > value
     end
 
     munge do |age|
@@ -272,12 +256,9 @@ Puppet::Type.newtype(:tidy) do
 
     case self[:recurse]
     when Integer, /^\d+$/
-      parameter = { :max_files => self[:max_files],
-                    :recurse => true,
-                    :recurselimit => self[:recurse] }
+      parameter = { :recurse => true, :recurselimit => self[:recurse] }
     when true, :true, :inf
-      parameter = { :max_files => self[:max_files],
-                    :recurse => true }
+      parameter = { :recurse => true }
     end
 
     if parameter

data/lib/puppet/type/user.rb

@@ -1,4 +1,5 @@
 require 'etc'
+require 'facter'
 require 'puppet/parameter/boolean'
 require 'puppet/property/list'
 require 'puppet/property/ordered_list'
@@ -66,7 +67,6 @@ module Puppet
     newproperty(:ensure, :parent => Puppet::Property::Ensure) do
       newvalue(:present, :event => :user_created) do
         provider.create
-        @resource.generate
       end
 
       newvalue(:absent, :event => :user_removed) do
@@ -695,7 +695,6 @@ module Puppet
 
     def generate
       if !self[:purge_ssh_keys].empty?
-        return [] if self[:ensure] == :present && !provider.exists? 
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
         else
@@ -744,6 +743,25 @@ module Puppet
         end
         raise ArgumentError, _("purge_ssh_keys must be true, false, or an array of file names, not %{value}") % { value: value.inspect }
       end
+
+      munge do |value|
+        # Resolve string, boolean and symbol forms of true and false to a
+        # single representation.
+        test_sym = value.to_s.intern
+        value = test_sym if [:true, :false].include? test_sym
+
+        return [] if value == :false
+        home = resource[:home] || Dir.home(resource[:name])
+
+        return [ "#{home}/.ssh/authorized_keys" ] if value == :true
+        # value is an array - munge each value
+        [ value ].flatten.map do |entry|
+          # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
+          entry = entry.gsub(/^~\//, "#{home}/")
+          entry.gsub!(/^%h\//, "#{home}/")
+          entry
+        end
+      end
     end
 
     newproperty(:loginclass, :required_features => :manages_loginclass) do
@@ -765,7 +783,7 @@ module Puppet
     # @see generate
     # @api private
     def find_unmanaged_keys
-      munged_unmanaged_keys.
+      self[:purge_ssh_keys].
         select { |f| File.readable?(f) }.
         map { |f| unknown_keys_in_file(f) }.
         flatten.each do |res|
@@ -777,41 +795,6 @@ module Puppet
         end
     end
 
-    def munged_unmanaged_keys
-      value = self[:purge_ssh_keys]
-
-      # Resolve string, boolean and symbol forms of true and false to a
-      # single representation.
-      test_sym = value.to_s.intern
-      value = test_sym if [:true, :false].include? test_sym
-
-      return [] if value == :false
-
-      home = self[:home]
-      begin
-        home ||= provider.home
-      rescue
-        Puppet.debug("User '#{self[:name]}' does not exist")
-      end
-
-      if home.to_s.empty? || !Dir.exist?(home.to_s)
-        if value == :true || [ value ].flatten.any? { |v| v.start_with?('~/', '%h/') }
-          Puppet.debug("User '#{self[:name]}' has no home directory set to purge ssh keys from.")
-          return []
-        end
-      end
-
-      return [ "#{home}/.ssh/authorized_keys" ] if value == :true
-
-      # value is an array - munge each value
-      [ value ].flatten.map do |entry|
-        # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
-        entry = entry.gsub(/^~\//, "#{home}/")
-        entry.gsub!(/^%h\//, "#{home}/")
-        entry
-      end
-    end
-
     # Parse an ssh authorized keys file superficially, extract the comments
     # on the keys. These are considered names of possible ssh_authorized_keys
     # resources. Keys that are managed by the present catalog are ignored.