puppet 6.3.0-x64-mingw32 → 6.4.0-x64-mingw32

data/lib/puppet/defaults.rb

@@ -305,7 +305,9 @@ module Puppet
     :manage_internal_file_permissions => {
         :default  => ! Puppet::Util::Platform.windows?,
         :type     => :boolean,
-        :desc     => "Whether Puppet should manage the owner, group, and mode of files it uses internally",
+        :desc     => "Whether Puppet should manage the owner, group, and mode of files it uses internally.
+        
+          **Note**: For Windows agents, the default is `false` for versions 4.10.13 and greater, versions 5.5.6 and greater, and versions 6.0 and greater.",
     },
     :onetime => {
         :default  => false,

data/lib/puppet/file_system.rb

@@ -10,10 +10,13 @@ module Puppet::FileSystem
   @impl = if Puppet::Util::Platform.windows?
            require 'puppet/file_system/windows'
            Puppet::FileSystem::Windows
-         else
-           require 'puppet/file_system/posix'
-           Puppet::FileSystem::Posix
-         end.new()
+          elsif Puppet::Util::Platform.jruby?
+            require 'puppet/file_system/jruby'
+            Puppet::FileSystem::JRuby
+          else
+            require 'puppet/file_system/posix'
+            Puppet::FileSystem::Posix
+          end.new()
 
   # Allows overriding the filesystem for the duration of the given block.
   # The filesystem will only contain the given file(s).
@@ -401,4 +404,21 @@ module Puppet::FileSystem
   def self.chmod(mode, path)
     @impl.chmod(mode, path)
   end
+
+  # Replace the contents of a file atomically, creating the file if necessary.
+  # If a `mode` is specified, then it will always be applied to the file. If
+  # a `mode` is not specified and the file exists, its mode will be preserved.
+  # If the file doesn't exist, the mode will be set to a platform-specific
+  # default.
+  #
+  # @param path [String] The path to the file, can also accept [PathName]
+  # @param mode [Integer] Optional mode for the file.
+  #
+  # @raise [Errno::EISDIR]: path is a directory
+  #
+  # @api public
+  #
+  def self.replace_file(path, mode = nil, &block)
+    @impl.replace_file(assert_path(path), mode, &block)
+  end
 end

data/lib/puppet/file_system/file_impl.rb

@@ -151,4 +151,29 @@ class Puppet::FileSystem::FileImpl
   def chmod(mode, path)
     FileUtils.chmod(mode, path)
   end
+
+  def replace_file(path, mode = nil)
+    mode ||= begin
+               stat = Puppet::FileSystem.lstat(path)
+               stat.mode & 07777
+             rescue Errno::ENOENT
+               0640
+             end
+
+    tempfile = Puppet::FileSystem::Uniquefile.new(Puppet::FileSystem.basename_string(path), Puppet::FileSystem.dir_string(path))
+    begin
+      begin
+        yield tempfile
+        tempfile.flush
+        tempfile.fsync
+      ensure
+        tempfile.close
+      end
+
+      chmod(mode, tempfile.path)
+      File.rename(tempfile.path, Puppet::FileSystem.path_string(path))
+    ensure
+      tempfile.close!
+    end
+  end
 end

data/lib/puppet/file_system/jruby.rb

@@ -0,0 +1,23 @@
+require 'puppet/file_system/posix'
+
+class Puppet::FileSystem::JRuby < Puppet::FileSystem::Posix
+  def unlink(*paths)
+    File.unlink(*paths)
+  rescue Errno::ENOENT
+    # JRuby raises ENOENT if the path doesn't exist or the parent directory
+    # doesn't allow execute/traverse. If it's the former, `stat` will raise
+    # ENOENT, if it's the later, it'll raise EACCES
+    # See https://github.com/jruby/jruby/issues/5617
+    stat(*paths)
+  end
+
+  def replace_file(path, mode = nil, &block)
+    # MRI Ruby rename checks if destination is a directory and raises, while
+    # JRuby removes the directory and replaces the file.
+    if Puppet::FileSystem.directory?(path)
+      raise Errno::EISDIR, _("Is a directory: %{directory}") % { directory: path }
+    end
+
+    super
+  end
+end

data/lib/puppet/file_system/windows.rb

@@ -2,6 +2,8 @@ require 'puppet/file_system/posix'
 require 'puppet/util/windows'
 
 class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
+  FULL_CONTROL = Puppet::Util::Windows::File::FILE_ALL_ACCESS
+  FILE_READ = Puppet::Util::Windows::File::FILE_GENERIC_READ
 
   def open(path, mode, options, &block)
     # PUP-6959 mode is explicitly ignored until it can be implemented
@@ -114,8 +116,90 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
     contents
   end
 
+  # https://docs.microsoft.com/en-us/windows/desktop/debug/system-error-codes--0-499-
+  ACCESS_DENIED = 5
+  SHARING_VIOLATION = 32
+  LOCK_VIOLATION = 33
+
+  def replace_file(path, mode = nil)
+    if Puppet::FileSystem.directory?(path)
+      raise Errno::EISDIR, _("Is a directory: %{directory}") % { directory: path }
+    end
+
+    current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_user_name)
+    dacl = case mode
+           when 0644
+             dacl = secure_dacl(current_sid)
+             dacl.allow(Puppet::Util::Windows::SID::BuiltinUsers, FILE_READ)
+             dacl
+           when 0640, 0600
+             secure_dacl(current_sid)
+           when nil
+             get_dacl_from_file(path) || secure_dacl(current_sid)
+           else
+             raise ArgumentError, "Only modes 0644, 0640 and 0600 are allowed"
+           end
+
+
+    tempfile = Puppet::FileSystem::Uniquefile.new(Puppet::FileSystem.basename_string(path), Puppet::FileSystem.dir_string(path))
+    begin
+      tempdacl = Puppet::Util::Windows::AccessControlList.new
+      tempdacl.allow(current_sid, FULL_CONTROL)
+      set_dacl(tempfile.path, tempdacl)
+
+      begin
+        yield tempfile
+        tempfile.flush
+        tempfile.fsync
+      ensure
+        tempfile.close
+      end
+
+      set_dacl(tempfile.path, dacl) if dacl
+      File.rename(tempfile.path, Puppet::FileSystem.path_string(path))
+    ensure
+      tempfile.close!
+    end
+  rescue Puppet::Util::Windows::Error => e
+    case e.code
+    when ACCESS_DENIED, SHARING_VIOLATION, LOCK_VIOLATION
+      raise Errno::EACCES.new(Puppet::FileSystem.path_string(path), e)
+    else
+      raise SystemCallError.new(e.message)
+    end
+  end
+
   private
 
+  def set_dacl(path, dacl)
+    sd = Puppet::Util::Windows::Security.get_security_descriptor(path)
+    new_sd = Puppet::Util::Windows::SecurityDescriptor.new(sd.owner, sd.group, dacl, true)
+    Puppet::Util::Windows::Security.set_security_descriptor(path, new_sd)
+  end
+
+  def secure_dacl(current_sid)
+    dacl = Puppet::Util::Windows::AccessControlList.new
+    [
+     Puppet::Util::Windows::SID::LocalSystem,
+     Puppet::Util::Windows::SID::BuiltinAdministrators,
+     current_sid
+    ].uniq.map do |sid|
+      dacl.allow(sid, FULL_CONTROL)
+    end
+    dacl
+  end
+
+  def get_dacl_from_file(path)
+    sd = Puppet::Util::Windows::Security.get_security_descriptor(Puppet::FileSystem.path_string(path))
+    sd.dacl
+  rescue Puppet::Util::Windows::Error => e
+    if e.code == 2 # ERROR_FILE_NOT_FOUND
+      nil
+    else
+      raise e
+    end
+  end
+
   def raise_if_symlinks_unsupported
     if ! Puppet.features.manages_symlinks?
       msg = _("This version of Windows does not support symlinks.  Windows Vista / 2008 or higher is required.")

data/lib/puppet/indirector/rest.rb

@@ -73,8 +73,10 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
   end
 
   def network(request)
-    Puppet::Network::HttpPool.http_instance(request.server || self.class.server,
-                                            request.port || self.class.port)
+    ssl_context = Puppet.lookup(:ssl_context)
+    Puppet::Network::HttpPool.connection(request.server || self.class.server,
+                                         request.port || self.class.port,
+                                         ssl_context: ssl_context)
   end
 
   def http_get(request, path, headers = nil, *args)

data/lib/puppet/loaders.rb

@@ -21,6 +21,7 @@ module Puppet
       require 'puppet/pops/loader/loader_paths'
       require 'puppet/pops/loader/simple_environment_loader'
       require 'puppet/pops/loader/predefined_loader'
+      require 'puppet/pops/loader/generic_plan_instantiator'
       require 'puppet/pops/loader/puppet_plan_instantiator'
     end
   end

data/lib/puppet/network/http.rb

@@ -21,6 +21,7 @@ module Puppet::Network::HTTP
   require 'puppet/network/http/site'
   require 'puppet/network/http/session'
   require 'puppet/network/http/factory'
+  require 'puppet/network/http/base_pool'
   require 'puppet/network/http/nocache_pool'
   require 'puppet/network/http/pool'
   require 'puppet/network/http/memory_response'

data/lib/puppet/network/http/base_pool.rb

@@ -0,0 +1,18 @@
+# Base pool for HTTP connections.
+#
+# @api private
+class Puppet::Network::HTTP::BasePool
+  def start(site, verifier, http)
+    Puppet.debug("Starting connection for #{site}")
+    if verifier
+      verifier.setup_connection(http)
+      begin
+        http.start
+      rescue OpenSSL::SSL::SSLError => error
+        verifier.handle_connection_error(http, error)
+      end
+    else
+      http.start
+    end
+  end
+end

data/lib/puppet/network/http/connection.rb

@@ -25,7 +25,8 @@ module Puppet::Network::HTTP
 
     OPTION_DEFAULTS = {
       :use_ssl => true,
-      :verify => nil,
+      :verify => nil, # Puppet::SSL::Validator is deprecated
+      :verifier => nil,
       :redirect_limit => 10,
     }
 
@@ -56,7 +57,17 @@ module Puppet::Network::HTTP
 
       options = OPTION_DEFAULTS.merge(options)
       @use_ssl = options[:use_ssl]
-      @verify = options[:verify]
+      if @use_ssl
+        if options[:verifier]
+          unless options[:verifier].is_a?(Puppet::SSL::Verifier)
+            raise ArgumentError, _("Expected an instance of Puppet::SSL::Verifier but was passed a %{klass}") % { klass: options[:verifier].class }
+          end
+
+          @verifier = options[:verifier]
+        else
+          @verifier = Puppet::SSL::VerifierAdapter.new(options[:verify])
+        end
+      end
       @redirect_limit = options[:redirect_limit]
       @site = Puppet::Network::HTTP::Site.new(@use_ssl ? 'https' : 'http', host, port)
       @pool = Puppet.lookup(:http_pool)
@@ -130,20 +141,26 @@ module Puppet::Network::HTTP
     # future we may want to refactor these so that they are funneled through
     # that method and do inherit the error handling.
     def request_get(*args, &block)
-      with_connection(@site) do |connection|
-        connection.request_get(*args, &block)
+      with_connection(@site) do |http|
+        resp = http.request_get(*args, &block)
+        Puppet.debug("HTTP GET #{@site}#{args.first.split('?').first} returned #{resp.code} #{resp.message}")
+        resp
       end
     end
 
     def request_head(*args, &block)
-      with_connection(@site) do |connection|
-        connection.request_head(*args, &block)
+      with_connection(@site) do |http|
+        resp = http.request_head(*args, &block)
+        Puppet.debug("HTTP HEAD #{@site}#{args.first.split('?').first} returned #{resp.code} #{resp.message}")
+        resp
       end
     end
 
     def request_post(*args, &block)
-      with_connection(@site) do |connection|
-        connection.request_post(*args, &block)
+      with_connection(@site) do |http|
+        resp = http.request_post(*args, &block)
+        Puppet.debug("HTTP POST #{@site}#{args.first.split('?').first} returned #{resp.code} #{resp.message}")
+        resp
       end
     end
     # end of Net::HTTP#request_* proxies
@@ -163,6 +180,11 @@ module Puppet::Network::HTTP
       @site.use_ssl?
     end
 
+    # @api private
+    def verifier
+      @verifier
+    end
+
     private
 
     def do_request(request, options)
@@ -297,23 +319,33 @@ module Puppet::Network::HTTP
 
     def execute_request(connection, request)
       start = Time.now
-      connection.request(request)
-    rescue EOFError => e
+      resp = connection.request(request)
+      Puppet.debug("HTTP #{request.method.upcase} #{@site}#{request.path.split('?').first} returned #{resp.code} #{resp.message}")
+      resp
+    rescue => exception
       elapsed = (Time.now - start).to_f.round(3)
-      uri = @site.addr + request.path.split('?')[0]
-      eof = EOFError.new(_('request %{uri} interrupted after %{elapsed} seconds') % {uri: uri, elapsed: elapsed})
-      eof.set_backtrace(e.backtrace) unless e.backtrace.empty?
-      raise eof
+      uri = [@site.addr, request.path.split('?')[0]].join('/')
+      eclass = exception.class
+
+      err = case exception
+            when EOFError
+              eclass.new(_('request %{uri} interrupted after %{elapsed} seconds') % {uri: uri, elapsed: elapsed})
+            when Timeout::Error
+              eclass.new(_('request %{uri} timed out after %{elapsed} seconds') % {uri: uri, elapsed: elapsed})
+            else
+              eclass.new(_('request %{uri} failed: %{msg}') % {uri: uri, msg: exception.message})
+            end
+
+      err.set_backtrace(exception.backtrace) unless exception.backtrace.empty?
+      raise err
     end
 
     def with_connection(site, &block)
       response = nil
-      @pool.with_connection(site, @verify) do |conn|
+      @pool.with_connection(site, @verifier) do |conn|
         response = yield conn
       end
       response
-    rescue OpenSSL::SSL::SSLError => error
-      Puppet::Util::SSL.handle_connection_error(error, @verify, site.host)
     end
   end
 end

data/lib/puppet/network/http/nocache_pool.rb

@@ -1,7 +1,7 @@
 # A pool that does not cache HTTP connections.
 #
 # @api private
-class Puppet::Network::HTTP::NoCachePool
+class Puppet::Network::HTTP::NoCachePool < Puppet::Network::HTTP::BasePool
   def initialize(factory = Puppet::Network::HTTP::Factory.new)
     @factory = factory
   end
@@ -9,10 +9,15 @@ class Puppet::Network::HTTP::NoCachePool
   # Yields a <tt>Net::HTTP</tt> connection.
   #
   # @yieldparam http [Net::HTTP] An HTTP connection
-  def with_connection(site, verify, &block)
+  def with_connection(site, verifier, &block)
     http = @factory.create_connection(site)
-    verify.setup_connection(http)
-    yield http
+    start(site, verifier, http)
+    begin
+      yield http
+    ensure
+      Puppet.debug("Closing connection for #{site}")
+      http.finish
+    end
   end
 
   def close

data/lib/puppet/network/http/pool.rb

@@ -8,7 +8,7 @@
 #
 # @api private
 #
-class Puppet::Network::HTTP::Pool
+class Puppet::Network::HTTP::Pool < Puppet::Network::HTTP::BasePool
   FIFTEEN_SECONDS = 15
 
   attr_reader :factory
@@ -19,10 +19,10 @@ class Puppet::Network::HTTP::Pool
     @keepalive_timeout = keepalive_timeout
   end
 
-  def with_connection(site, verify, &block)
+  def with_connection(site, verifier, &block)
     reuse = true
 
-    http = borrow(site, verify)
+    http = borrow(site, verifier)
     begin
       if http.use_ssl? && http.verify_mode != OpenSSL::SSL::VERIFY_PEER
         reuse = false
@@ -34,7 +34,7 @@ class Puppet::Network::HTTP::Pool
       raise detail
     ensure
       if reuse
-        release(site, http)
+        release(site, verifier, http)
       else
         close_connection(site, http)
       end
@@ -69,18 +69,17 @@ class Puppet::Network::HTTP::Pool
   # connection is created, it will be started prior to being returned.
   #
   # @api private
-  def borrow(site, verify)
+  def borrow(site, verifier)
     @pool[site] = active_sessions(site)
-    session = @pool[site].shift
+    index = @pool[site].index { |session| verifier.reusable?(session.verifier) }
+    session = index ? @pool[site].delete_at(index) : nil
     if session
       Puppet.debug("Using cached connection for #{site}")
       session.connection
     else
       http = @factory.create_connection(site)
-      verify.setup_connection(http)
 
-      Puppet.debug("Starting connection for #{site}")
-      http.start
+      start(site, verifier, http)
       setsockopts(http.instance_variable_get(:@socket))
       http
     end
@@ -97,9 +96,9 @@ class Puppet::Network::HTTP::Pool
   # Release a connection back into the pool.
   #
   # @api private
-  def release(site, http)
+  def release(site, verifier, http)
     expiration = Time.now + @keepalive_timeout
-    session = Puppet::Network::HTTP::Session.new(http, expiration)
+    session = Puppet::Network::HTTP::Session.new(http, verifier, expiration)
     Puppet.debug("Caching connection for #{site}")
 
     sessions = @pool[site]