puppet 6.29.0 → 7.0.0

data/lib/puppet/type/resources.rb

@@ -175,7 +175,7 @@ Puppet::Type.newtype(:resources) do
     end
 
     # Otherwise, use a sensible default based on the OS family
-    @system_users_max_uid ||= case Puppet.runtime[:facter].value(:osfamily)
+    @system_users_max_uid ||= case Facter.value(:osfamily)
       when 'OpenBSD', 'FreeBSD'
         999
       else

data/lib/puppet/type/service.rb

@@ -38,12 +38,6 @@ module Puppet
     feature :enableable, "The provider can enable and disable the service.",
       :methods => [:disable, :enable, :enabled?]
 
-    feature :delayed_startable, "The provider can set service to delayed start",
-      :methods => [:delayed_start]
-
-    feature :manual_startable, "The provider can set service to manual start",
-      :methods => [:manual_start]
-
     feature :controllable, "The provider uses a control variable."
 
     feature :flaggable, "The provider can pass flags to the service."
@@ -73,7 +67,7 @@ module Puppet
         provider.disable
       end
 
-      newvalue(:manual, :event => :service_manual_start, :required_features => :manual_startable) do
+      newvalue(:manual, :event => :service_manual_start) do
         provider.manual_start
       end
 
@@ -87,7 +81,8 @@ module Puppet
         provider.enabled?
       end
 
-      newvalue(:delayed, :event => :service_delayed_start, :required_features => :delayed_startable) do
+      # This only works on Windows systems.
+      newvalue(:delayed, :event => :service_delayed_start) do
         provider.delayed_start
       end
 
@@ -95,6 +90,12 @@ module Puppet
         return provider.enabled_insync?(current) if provider.respond_to?(:enabled_insync?)
         super(current)
       end
+
+      validate do |value|
+        if (value == :manual || value == :delayed) && !Puppet::Util::Platform.windows?
+          raise Puppet::Error.new(_("Setting enable to %{value} is only supported on Microsoft Windows.") % { value: value.to_s} )
+        end
+      end
     end
 
     # Handle whether the service should actually be running right now.
@@ -138,9 +139,23 @@ module Puppet
     newproperty(:logonaccount, :required_features => :manages_logon_credentials) do
       desc "Specify an account for service logon"
 
-      def insync?(current)
-        return provider.logonaccount_insync?(current) if provider.respond_to?(:logonaccount_insync?)
-        super(current)
+      munge do |value|
+        return value unless Puppet::Util::Platform.windows?
+        return 'LocalSystem' if Puppet::Util::Windows::User::localsystem?(value)
+
+        value.sub!(/^\.\\/, "#{Puppet::Util::Windows::ADSI.computer_name}\\")
+        user_information = Puppet::Util::Windows::SID.name_to_principal(value)
+        raise Puppet::Error.new("\"#{value}\" is not a valid account") unless user_information && [:SidTypeUser, :SidTypeWellKnownGroup].include?(user_information.account_type)
+
+        user_rights = Puppet::Util::Windows::User::get_rights(user_information.domain_account) unless Puppet::Util::Windows::User::default_system_account?(value)
+        raise Puppet::Error.new("\"#{user_information.domain_account}\" has the 'Log On As A Service' right set to denied.") if user_rights =~ /SeDenyServiceLogonRight/
+        raise Puppet::Error.new("\"#{user_information.domain_account}\" is missing the 'Log On As A Service' right.") unless user_rights.nil? || user_rights =~ /SeServiceLogonRight/
+
+        if user_information.domain == Puppet::Util::Windows::ADSI.computer_name
+          ".\\#{user_information.account}"
+        else
+          user_information.domain_account
+        end
       end
     end
 
@@ -148,7 +163,18 @@ module Puppet
       desc "Specify a password for service logon. Default value is an empty string (when logonaccount is specified)."
 
       validate do |value|
-        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) && value.include?(":")
+        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.") unless @resource[:logonaccount]
+        raise ArgumentError, _("Passwords cannot include ':'") if value.is_a?(String) and value.include?(":")
+        return unless Puppet::Util::Platform.windows?
+
+        is_a_predefined_local_account = Puppet::Util::Windows::User::default_system_account?(@resource[:logonaccount]) || @resource[:logonaccount] == 'LocalSystem'
+
+        account_info = @resource[:logonaccount].split("\\")
+        able_to_logon = Puppet::Util::Windows::User.password_is?(account_info[1], value, account_info[0]) unless is_a_predefined_local_account
+
+        raise Puppet::Error.new("The given password is invalid for user '#{@resource[:logonaccount]}'.") unless is_a_predefined_local_account || able_to_logon
+
+        provider.logonpassword=(value)
       end
 
       sensitive true
@@ -272,14 +298,9 @@ module Puppet
 
     newparam(:timeout, :required_features => :configurable_timeout) do
       desc "Specify an optional minimum timeout (in seconds) for puppet to wait when syncing service properties"
-      defaultto { provider.respond_to?(:default_timeout) ? provider.default_timeout : 10 }
-
-      munge do |value|
-        begin
-          value = value.to_i
-          raise if value < 1
-          value
-        rescue
+      defaultto { provider.class.respond_to?(:default_timeout) ? provider.default_timeout : 10 }
+      validate do |value|
+        if (not value.is_a? Integer) || value < 1
           raise Puppet::Error.new(_("\"%{value}\" is not a positive integer: the timeout parameter must be specified as a positive integer") % { value: value })
         end
       end
@@ -299,11 +320,5 @@ module Puppet
     def self.needs_ensure_retrieved
       false
     end
-
-    validate do
-      if @parameters[:logonpassword] && @parameters[:logonaccount].nil?
-        raise Puppet::Error.new(_"The 'logonaccount' parameter is mandatory when setting 'logonpassword'.")
-      end
-    end
   end
 end

data/lib/puppet/type/tidy.rb

@@ -50,22 +50,6 @@ Puppet::Type.newtype(:tidy) do
     end
   end
 
-  newparam(:max_files) do
-    desc "In case the resource is a directory and the recursion is enabled, puppet will
-      generate a new resource for each file file found, possible leading to
-      an excessive number of resources generated without any control.
-
-      Setting `max_files` will check the number of file resources that
-      will eventually be created and will raise a resource argument error if the
-      limit will be exceeded.
-
-      Use value `0` to disable the check. In this case, a warning is logged if
-      the number of files exceeds 1000."
-
-    defaultto 0
-    newvalues(/^[0-9]+$/)
-  end
-
   newparam(:matches) do
     desc <<-'EOT'
       One or more (shell type) file glob patterns, which restrict
@@ -144,7 +128,7 @@ Puppet::Type.newtype(:tidy) do
 
     def tidy?(path, stat)
       # If the file's older than we allow, we should get rid of it.
-      (Time.now.to_i - stat.send(resource[:type]).to_i) >= value
+      (Time.now.to_i - stat.send(resource[:type]).to_i) > value
     end
 
     munge do |age|
@@ -272,12 +256,9 @@ Puppet::Type.newtype(:tidy) do
 
     case self[:recurse]
     when Integer, /^\d+$/
-      parameter = { :max_files => self[:max_files],
-                    :recurse => true,
-                    :recurselimit => self[:recurse] }
+      parameter = { :recurse => true, :recurselimit => self[:recurse] }
     when true, :true, :inf
-      parameter = { :max_files => self[:max_files],
-                    :recurse => true }
+      parameter = { :recurse => true }
     end
 
     if parameter

data/lib/puppet/type/user.rb

@@ -1,4 +1,5 @@
 require 'etc'
+require 'facter'
 require 'puppet/parameter/boolean'
 require 'puppet/property/list'
 require 'puppet/property/ordered_list'
@@ -227,9 +228,6 @@ module Puppet
         * OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords
           on these systems, the `salt` and `iterations` attributes need to be specified as
           well as the password.
-        * macOS 10.15 and higher require the salt to be 32-bytes. Since Puppet's user 
-          resource requires the value to be hex encoded, the length of the salt's
-          string must be 64. 
         * Windows passwords can be managed only in cleartext, because there is no Windows
           API for setting the password hash.
 
@@ -749,40 +747,20 @@ module Puppet
       munge do |value|
         # Resolve string, boolean and symbol forms of true and false to a
         # single representation.
-        case value
-        when :false, false, "false"
-          []
-        when :true, true, "true"
-          home = homedir
-          home ? [ "#{home}/.ssh/authorized_keys" ] : []
-        else
-          # value can be a string or array - munge each value
-          [ value ].flatten.map do |entry|
-            authorized_keys_path(entry)
-          end.compact
-        end
-      end
+        test_sym = value.to_s.intern
+        value = test_sym if [:true, :false].include? test_sym
 
-      private
+        return [] if value == :false
+        home = resource[:home] || Dir.home(resource[:name])
 
-      def homedir
-        resource[:home] || Dir.home(resource[:name])
-      rescue ArgumentError
-        Puppet.debug("User '#{resource[:name]}' does not exist")
-        nil
-      end
-
-      def authorized_keys_path(entry)
-        return entry unless entry.match?(%r{^(?:~|%h)/})
-
-        # if user doesn't exist (yet), ignore nonexistent homedir
-        home = homedir
-        return nil unless home
-
-        # compiler freezes "value" so duplicate using a gsub, second mutating gsub! is then ok
-        entry = entry.gsub(%r{^~/}, "#{home}/")
-        entry.gsub!(%r{^%h/}, "#{home}/")
-        entry
+        return [ "#{home}/.ssh/authorized_keys" ] if value == :true
+        # value is an array - munge each value
+        [ value ].flatten.map do |entry|
+          # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
+          entry = entry.gsub(/^~\//, "#{home}/")
+          entry.gsub!(/^%h\//, "#{home}/")
+          entry
+        end
       end
     end
 

data/lib/puppet/type.rb

@@ -114,29 +114,6 @@ class Type
     attr_reader :properties
   end
 
-  # Allow declaring that a type is actually a capability
-  class << self
-    # @deprecated application orchestration will be removed in puppet 7
-    attr_accessor :is_capability
-
-    # @deprecated application orchestration will be removed in puppet 7
-    def is_capability?
-      c = is_capability
-      c.nil? ? false : c
-    end
-  end
-
-  # Returns whether this type represents an application instance; since
-  # only defined types, i.e., instances of Puppet::Resource::Type can
-  # represent application instances, this implementation always returns
-  # +false+. Having this method though makes code checking whether a
-  # resource is an application instance simpler
-  #
-  # @deprecated application orchestration will be removed in puppet 7
-  def self.application?
-      false
-  end
-
   # Returns all the attribute names of the type in the appropriate order.
   # The {key_attributes} come first, then the {provider}, then the {properties}, and finally
   # the {parameters} and {metaparams},
@@ -1295,7 +1272,7 @@ class Type
       like it does when running normally. However, if a resource attribute is not in
       the desired state (as declared in the catalog), Puppet will take no
       action, and will instead report the changes it _would_ have made. These
-      simulated changes will appear in the report sent to the primary Puppet server, or
+      simulated changes will appear in the report sent to the puppet master, or
       be shown on the console if running puppet agent or puppet apply in the
       foreground. The simulated changes will not send refresh events to any
       subscribing or notified resources, although Puppet will log that a refresh
@@ -1720,59 +1697,6 @@ class Type
     }
   end
 
-  # @deprecated application orchestration will be removed in puppet 7
-  newmetaparam(:export, :parent => RelationshipMetaparam, :attributes => {:direction => :out, :events => :NONE}) do
-          desc <<EOS
-Export a capability resource.
-
-The value of this parameter must be a reference to a capability resource,
-or an array of such references. Each capability resource referenced here
-will be instantiated in the node catalog and exported to consumers of this
-resource. The title of the capability resource will be the title given in
-the reference, and all other attributes of the resource will be filled
-according to the corresponding produces statement.
-
-It is an error if this metaparameter references resources whose type is not
-a capability type, or of there is no produces clause for the type of the
-current resource and the capability resource mentioned in this parameter.
-
-For example:
-
-define web(..) { .. }
-Web produces Http { .. }
-web { server:
-  export => Http[main_server]
-}
-EOS
-  end
-
-  # @deprecated application orchestration will be removed in puppet 7
-  newmetaparam(:consume, :parent => RelationshipMetaparam, :attributes => {:direction => :in, :events => :NONE}) do
-          desc <<EOS
-Consume a capability resource.
-
-The value of this parameter must be a reference to a capability resource,
-or an array of such references. Each capability resource referenced here
-must have been exported by another resource in the same environment.
-
-The referenced capability resources will be looked up, added to the
-current node catalog, and processed following the underlying consumes
-clause.
-
-It is an error if this metaparameter references resources whose type is not
-a capability type, or of there is no consumes clause for the type of the
-current resource and the capability resource mentioned in this parameter.
-
-For example:
-
-define web(..) { .. }
-Web consumes Sql { .. }
-web { server:
-  consume => Sql[my_db]
-}
-EOS
-end
-
   ###############################
   # All of the provider plumbing for the resource types.
   require 'puppet/provider'

data/lib/puppet/util/autoload.rb

@@ -166,7 +166,14 @@ class Puppet::Util::Autoload
     # Normalize a path. This converts ALT_SEPARATOR to SEPARATOR on Windows
     # and eliminates unnecessary parts of a path.
     def cleanpath(path)
-      Pathname.new(path).cleanpath.to_s
+      # There are two cases here because cleanpath does not handle absolute
+      # paths correctly on windows (c:\ and c:/ are treated as distinct) but
+      # we don't want to convert relative paths to absolute
+      if Puppet::Util.absolute_path?(path)
+        File.expand_path(path)
+      else
+        Pathname.new(path).cleanpath.to_s
+      end
     end
   end
 

data/lib/puppet/util/command_line.rb

@@ -135,7 +135,7 @@ module Puppet
 
               # Puppet requires Facter, which initializes its lookup paths. Reset Facter to
               # pickup the new $LOAD_PATH.
-              Puppet.runtime[:facter].reset
+              Facter.reset
             end
           end
 

data/lib/puppet/util/execution.rb

@@ -94,17 +94,6 @@ module Puppet::Util::Execution
   end
   private_class_method :exitstatus
 
-  # Wraps execution of {execute} with mapping of exception to given exception (and output as argument).
-  # @raise [exception] under same conditions as {execute}, but raises the given `exception` with the output as argument
-  # @return (see execute)
-  # @api public
-  # @deprecated
-  def self.execfail(command, exception)
-    execute(command)
-  rescue Puppet::ExecutionFailure => detail
-    raise exception, detail.message, detail.backtrace
-  end
-
   # Default empty options for {execute}
   NoOptionsSpecified = {}
 

data/lib/puppet/util/filetype.rb

@@ -215,7 +215,7 @@ class Puppet::Util::FileType
     # Remove a specific @path's cron tab.
     def remove
       cmd = "#{cmdbase} -r"
-      if %w{Darwin FreeBSD DragonFly}.include?(Puppet.runtime[:facter].value("operatingsystem"))
+      if %w{Darwin FreeBSD DragonFly}.include?(Facter.value("operatingsystem"))
         cmd = "/bin/echo yes | #{cmd}"
       end
 
@@ -244,7 +244,7 @@ class Puppet::Util::FileType
     # Only add the -u flag when the @path is different.  Fedora apparently
     # does not think I should be allowed to set the @path to my own user name
     def cmdbase
-      if @uid == Puppet::Util::SUIDManager.uid || Puppet.runtime[:facter].value(:operatingsystem) == "HP-UX"
+      if @uid == Puppet::Util::SUIDManager.uid || Facter.value(:operatingsystem) == "HP-UX"
         return "crontab"
       else
         return "crontab -u #{@path}"

data/lib/puppet/util/http_proxy.rb

@@ -1,217 +1,4 @@
-require 'uri'
-require 'puppet/ssl/openssl_loader'
 require 'puppet/http'
 
-module Puppet::Util::HttpProxy
-  def self.proxy(uri)
-    if http_proxy_host && !no_proxy?(uri)
-      Net::HTTP.new(uri.host, uri.port, self.http_proxy_host, self.http_proxy_port, self.http_proxy_user, self.http_proxy_password)
-    else
-      http = Net::HTTP.new(uri.host, uri.port, nil, nil, nil, nil)
-      # Net::HTTP defaults the proxy port even though we said not to
-      # use one. Set it to nil so caller is not surprised
-      http.proxy_port = nil
-      http
-    end
-  end
-
-  def self.http_proxy_env
-    # Returns a URI object if proxy is set, or nil
-    proxy_env = ENV["http_proxy"] || ENV["HTTP_PROXY"]
-    begin
-      return URI.parse(proxy_env) if proxy_env
-    rescue URI::InvalidURIError
-      return nil
-    end
-    return nil
-  end
-
-  # The documentation around the format of the no_proxy variable seems
-  # inconsistent.  Some suggests the use of the * as a way of matching any
-  # hosts under a domain, e.g.:
-  #   *.example.com
-  # Other documentation suggests that just a leading '.' indicates a domain
-  # level exclusion, e.g.:
-  #   .example.com
-  # We'll accommodate both here.
-  def self.no_proxy?(dest)
-    no_proxy = self.no_proxy
-    unless no_proxy
-      return false
-    end
-
-    unless dest.is_a? URI
-      begin
-        dest = URI.parse(dest)
-      rescue URI::InvalidURIError
-        return false
-      end
-    end
-
-    no_proxy.split(/\s*,\s*/).each do |d|
-      host, port = d.split(':')
-      host = Regexp.escape(host).gsub('\*', '.*')
-
-      #If this no_proxy entry specifies a port, we want to match it against
-      #the destination port.  Otherwise just match hosts.
-      if port
-        no_proxy_regex  = %r(#{host}:#{port}$)
-        dest_string     = "#{dest.host}:#{dest.port}"
-      else
-        no_proxy_regex  = %r(#{host}$)
-        dest_string     = "#{dest.host}"
-      end
-
-      if no_proxy_regex.match(dest_string)
-        return true
-      end
-    end
-
-    return false
-  end
-
-  def self.http_proxy_host
-    env = self.http_proxy_env
-
-    if env and env.host
-      return env.host
-    end
-
-    if Puppet.settings[:http_proxy_host] == 'none'
-      return nil
-    end
-
-    return Puppet.settings[:http_proxy_host]
-  end
-
-  def self.http_proxy_port
-    env = self.http_proxy_env
-
-    if env and env.port
-      return env.port
-    end
-
-    return Puppet.settings[:http_proxy_port]
-  end
-
-  def self.http_proxy_user
-    env = self.http_proxy_env
-
-    if env and env.user
-      return env.user
-    end
-
-    if Puppet.settings[:http_proxy_user] == 'none'
-      return nil
-    end
-
-    return Puppet.settings[:http_proxy_user]
-  end
-
-  def self.http_proxy_password
-    env = self.http_proxy_env
-
-    if env and env.password
-      return env.password
-    end
-
-    if Puppet.settings[:http_proxy_user] == 'none' or Puppet.settings[:http_proxy_password] == 'none'
-      return nil
-    end
-
-    return Puppet.settings[:http_proxy_password]
-  end
-
-  def self.no_proxy
-    no_proxy_env = ENV["no_proxy"] || ENV["NO_PROXY"]
-
-    if no_proxy_env
-      return no_proxy_env
-    end
-
-    if Puppet.settings[:no_proxy] == 'none'
-      return nil
-    end
-
-    return Puppet.settings[:no_proxy]
-  end
-
-  # Return a Net::HTTP::Proxy object.
-  #
-  # This method optionally configures SSL correctly if the URI scheme is
-  # 'https', including setting up the root certificate store so remote server
-  # SSL certificates can be validated.
-  #
-  # @param [URI] uri The URI that is to be accessed.
-  # @return [Net::HTTP::Proxy] object constructed tailored for the passed URI
-  def self.get_http_object(uri)
-    proxy = proxy(uri)
-
-    if uri.scheme == 'https'
-      cert_store = OpenSSL::X509::Store.new
-      cert_store.set_default_paths
-
-      proxy.use_ssl = true
-      proxy.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      proxy.cert_store = cert_store
-    end
-
-    if Puppet[:http_debug]
-      proxy.set_debug_output($stderr)
-    end
-
-    proxy.open_timeout = Puppet[:http_connect_timeout]
-    proxy.read_timeout = Puppet[:http_read_timeout]
-
-    proxy
-  end
-
-  # Retrieve a document through HTTP(s), following redirects if necessary. The
-  # returned response body may be compressed, and it is the caller's
-  # responsibility to decompress it based on the 'content-encoding' header.
-  #
-  # Based on the the client implementation in the HTTP pool.
-  #
-  # @see Puppet::Network::HTTP::Connection#request_with_redirects
-  #
-  # @param [URI] uri The address of the resource to retrieve.
-  # @param [symbol] method The name of the Net::HTTP method to use, typically :get, :head, :post etc.
-  # @param [FixNum] redirect_limit The number of redirections that can be followed.
-  # @return [Net::HTTPResponse] a response object
-  def self.request_with_redirects(uri, method, redirect_limit = 10, &block)
-    current_uri = uri
-    response = nil
-
-    0.upto(redirect_limit) do |redirection|
-      proxy = get_http_object(current_uri)
-
-      headers = { 'Accept' => '*/*', 'User-Agent' => Puppet[:http_user_agent] }
-      if Puppet.features.zlib?
-        headers["Accept-Encoding"] = Puppet::HTTP::ACCEPT_ENCODING
-      end
-
-      response = proxy.send(:head, current_uri, headers)
-      Puppet.debug("HTTP HEAD request to #{current_uri} returned #{response.code} #{response.message}")
-
-      if [301, 302, 307].include?(response.code.to_i)
-        # handle the redirection
-        current_uri = URI.parse(response['location'])
-        next
-      end
-
-      if method != :head
-        if block_given?
-          response = proxy.send("request_#{method}".to_sym, current_uri, headers, &block)
-        else
-          response = proxy.send(method, current_uri, headers)
-        end
-
-        Puppet.debug("HTTP #{method.to_s.upcase} request to #{current_uri} returned #{response.code} #{response.message}")
-      end
-
-      return response
-    end
-
-    raise RedirectionLimitExceededException, _("Too many HTTP redirections for %{uri}") % { uri: uri }
-  end
-end
+# for backwards compatibility
+Puppet::Util::HttpProxy = Puppet::HTTP::Proxy

data/lib/puppet/util/json.rb

@@ -26,23 +26,6 @@ module Puppet::Util
       require 'json'
     end
 
-    # Load the content from a file as JSON if
-    # contents are in valid format. This method does not
-    # raise error but returns `nil` when invalid file is
-    # given.
-    def self.load_file_if_valid(filename, options = {})
-      load_file(filename, options)
-    rescue Puppet::Util::Json::ParseError, ArgumentError, Errno::ENOENT => detail
-      Puppet.debug("Could not retrieve JSON content from '#{filename}': #{detail.message}")
-      nil
-    end
-
-    # Load the content from a file as JSON.
-    def self.load_file(filename, options = {})
-      json = Puppet::FileSystem.read(filename, :encoding => 'utf-8')
-      load(json, options)
-    end
-
     # These methods do similar processing to the fallback implemented by MultiJson
     # when using the built-in JSON backend, to ensure consistent behavior
     # whether or not MultiJson can be loaded.
@@ -77,9 +60,6 @@ module Puppet::Util
     def self.dump(object, options = {})
       if defined? MultiJson
         MultiJson.dump(object, options)
-      elsif options.is_a?(JSON::State)
-        # we're being called recursively
-        object.to_json(options)
       else
         options.merge!(::JSON::PRETTY_STATE_PROTOTYPE.to_h) if options.delete(:pretty)
         object.to_json(options)