puppet 6.4.2-universal-darwin → 6.4.3-universal-darwin

data/lib/puppet/provider/service/upstart.rb

@@ -28,14 +28,16 @@ Puppet::Type.type(:service).provide :upstart, :parent => :debian do
   # We only want to use upstart as our provider if the upstart daemon is running.
   # This can be checked by running `initctl version --quiet` on a machine that has
   # upstart installed.
-  confine :true => lambda {
+  confine :true => lambda { has_initctl? }
+
+  def self.has_initctl?
     # Puppet::Util::Execution.execute does not currently work on jRuby.
     # Unfortunately, since this confine is invoked whenever we check for
     # provider suitability and since provider suitability is still checked
     # on the master, this confine will still be invoked on the master. Thus
     # to avoid raising an exception, we do an early return if we're running
     # on jRuby.
-    next false if Puppet::Util::Platform.jruby?
+    return false if Puppet::Util::Platform.jruby?
 
     begin
       initctl('version', '--quiet')
@@ -43,7 +45,7 @@ Puppet::Type.type(:service).provide :upstart, :parent => :debian do
     rescue
       false
     end
-  }
+  end
 
   # upstart developer haven't implemented initctl enable/disable yet:
   # http://www.linuxplanet.com/linuxplanet/tutorials/7033/2/

data/lib/puppet/provider/user/useradd.rb

@@ -105,11 +105,11 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     # because by default duplicates are allowed.  This check is
     # to ensure consistent behaviour of the useradd provider when
     # using both useradd and luseradd
-    if not @resource.allowdupe? and @resource.forcelocal?
-       if @resource.should(:uid) and finduser('uid', @resource.should(:uid).to_s)
+    if (!@resource.allowdupe?) && @resource.forcelocal?
+       if @resource.should(:uid) && finduser('uid', @resource.should(:uid).to_s)
            raise(Puppet::Error, "UID #{@resource.should(:uid).to_s} already exists, use allowdupe to force user creation")
        end
-    elsif @resource.allowdupe? and not @resource.forcelocal?
+    elsif @resource.allowdupe? && (!@resource.forcelocal?)
        return ["-o"]
     end
     []
@@ -126,16 +126,16 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
 
   def check_manage_home
     cmd = []
-    if @resource.managehome? and not @resource.forcelocal?
+    if @resource.managehome? && (!@resource.forcelocal?)
       cmd << "-m"
-    elsif not @resource.managehome? and Facter.value(:osfamily) == 'RedHat'
+    elsif (!@resource.managehome?) && Facter.value(:osfamily) == 'RedHat'
       cmd << "-M"
     end
     cmd
   end
 
   def check_system_users
-    if self.class.system_users? and resource.system?
+    if self.class.system_users? && resource.system?
       ["-r"]
     else
       []
@@ -149,11 +149,11 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     Puppet::Type.type(:user).validproperties.sort.each do |property|
       next if property == :ensure
       next if property_manages_password_age?(property)
-      next if property == :groups and @resource.forcelocal?
-      next if property == :expiry and @resource.forcelocal?
+      next if (property == :groups) && @resource.forcelocal?
+      next if (property == :expiry) && @resource.forcelocal?
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
-      if value = @resource.should(property) and value != ""
+      if (value = @resource.should(property)) && (value != "")
         cmd << flag(property) << munge(property, value)
       end
     end
@@ -167,7 +167,7 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     else
       cmd = [command(:add)]
     end
-    if not @resource.should(:gid) and Puppet::Util.gid(@resource[:name])
+    if (!@resource.should(:gid)) && Puppet::Util.gid(@resource[:name])
       cmd += ["-g", @resource[:name]]
     end
     cmd += add_properties
@@ -203,7 +203,10 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     else
       cmd = [command(:delete)]
     end
-    cmd += @resource.managehome? ? ['-r'] : []
+    # Solaris `userdel -r` will fail if the homedir does not exist.
+    if @resource.managehome? && (('Solaris' != Facter.value(:operatingsystem)) || Dir.exist?(Dir.home(@resource[:name])))
+      cmd << '-r'
+    end
     cmd << @resource[:name]
   end
 
@@ -239,10 +242,10 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
       check_valid_shell
     end
      super
-     if @resource.forcelocal? and self.groups?
+     if @resource.forcelocal? && self.groups?
        set(:groups, @resource[:groups])
      end
-     if @resource.forcelocal? and @resource[:expiry]
+     if @resource.forcelocal? && @resource[:expiry]
        set(:expiry, @resource[:expiry])
      end
   end

data/lib/puppet/settings/server_list_setting.rb

@@ -4,6 +4,15 @@ class Puppet::Settings::ServerListSetting < Puppet::Settings::ArraySetting
     :server_list
   end
 
+  def print(value)
+    if value.is_a?(Array)
+      #turn into a string
+      value.map {|item| item.join(":") }.join(",")
+    else
+      value
+    end
+  end
+  
   def munge(value)
     servers = super 
     servers.map! { |server| 

data/lib/puppet/ssl/host.rb

@@ -121,7 +121,7 @@ class Puppet::SSL::Host
       generate_key unless key
 
       # get CA and optional CRL
-      sm = Puppet::SSL::StateMachine.new
+      sm = Puppet::SSL::StateMachine.new(onetime: true)
       sm.ensure_ca_certificates
 
       cert = get_host_certificate

data/lib/puppet/ssl/state_machine.rb

@@ -17,8 +17,14 @@ class Puppet::SSL::StateMachine
     def initialize(machine, ssl_context)
       @machine = machine
       @ssl_context = ssl_context
-      @cert_provider = Puppet::X509::CertProvider.new
-      @ssl_provider = Puppet::SSL::SSLProvider.new
+      @cert_provider = machine.cert_provider
+      @ssl_provider = machine.ssl_provider
+    end
+
+    def to_error(message, cause)
+      detail = Puppet::Error.new(message)
+      detail.set_backtrace(cause.backtrace)
+      Error.new(@machine, message, detail)
     end
   end
 
@@ -45,11 +51,13 @@ class Puppet::SSL::StateMachine
       end
 
       NeedCRLs.new(@machine, next_ctx)
+    rescue OpenSSL::X509::CertificateError => e
+      Error.new(@machine, e.message, e)
     rescue Puppet::Rest::ResponseError => e
       if e.response.code.to_i == 404
-        raise Puppet::Error.new(_('CA certificate is missing from the server'))
+        to_error(_('CA certificate is missing from the server'), e)
       else
-        raise Puppet::Error.new(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
+        to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
       end
     end
   end
@@ -82,11 +90,13 @@ class Puppet::SSL::StateMachine
       end
 
       NeedKey.new(@machine, next_ctx)
+    rescue OpenSSL::X509::CRLError => e
+      Error.new(@machine, e.message, e)
     rescue Puppet::Rest::ResponseError => e
       if e.response.code.to_i == 404
-        raise Puppet::Error.new(_('CRL is missing from the server'))
+        to_error(_('CRL is missing from the server'), e)
       else
-        raise Puppet::Error.new(_('Could not download CRLs: %{message}') % { message: e.message }, e)
+        to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
       end
     end
   end
@@ -145,11 +155,11 @@ class Puppet::SSL::StateMachine
       @cert_provider.save_request(Puppet[:certname], csr)
       NeedCert.new(@machine, @ssl_context, @private_key)
     rescue Puppet::Rest::ResponseError => e
-      if e.response.code.to_i != 400
-        raise Puppet::SSL::SSLError.new(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
+      if e.response.code.to_i == 400
+        NeedCert.new(@machine, @ssl_context, @private_key)
+      else
+        to_error(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
       end
-
-      NeedCert.new(@machine, @ssl_context, @private_key)
     end
   end
 
@@ -170,34 +180,37 @@ class Puppet::SSL::StateMachine
       @cert_provider.delete_request(Puppet[:certname])
       Done.new(@machine, next_ctx)
     rescue Puppet::SSL::SSLError => e
-      Puppet.log_exception(e)
-      Wait.new(@machine, @ssl_context)
+      Error.new(@machine, e.message, e)
     rescue OpenSSL::X509::CertificateError => e
-      Puppet.log_exception(e, _("Failed to parse certificate: %{message}") % {message: e.message})
-      Wait.new(@machine, @ssl_context)
+      Error.new(@machine, _("Failed to parse certificate: %{message}") % {message: e.message}, e)
     rescue Puppet::Rest::ResponseError => e
       if e.response.code.to_i == 404
         Puppet.info(_("Certificate for %{certname} has not been signed yet") % {certname: Puppet[:certname]})
+        $stdout.puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}).") % { name: Puppet[:certname] }
+        Wait.new(@machine)
       else
-        Puppet.log_exception(e, _("Failed to retrieve certificate for %{certname}: %{message}") %
-                             {certname: Puppet[:certname], message: e.response.message})
+        to_error(_("Failed to retrieve certificate for %{certname}: %{message}") %
+                 {certname: Puppet[:certname], message: e.response.message}, e)
       end
-      Wait.new(@machine, @ssl_context)
     end
   end
 
-  # We cannot make progress, so wait if allowed to do so, or error.
+  # We cannot make progress, so wait if allowed to do so, or exit.
   #
   class Wait < SSLState
+    def initialize(machine)
+      super(machine, nil)
+    end
+
     def next_state
       time = @machine.waitforcert
       if time < 1
-        puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the waitforcert setting is set to 0.") % { name: Puppet[:certname] }
+        puts _("Exiting now because the waitforcert setting is set to 0.")
         exit(1)
       else
-        Puppet.info(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Will try again in %{time} seconds.") % {name: Puppet[:certname], time: time})
+        Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
 
-        sleep(time)
+        Kernel.sleep(time)
 
         # our ssl directory may have been cleaned while we were
         # sleeping, start over from the top
@@ -206,28 +219,68 @@ class Puppet::SSL::StateMachine
     end
   end
 
+  # We cannot make progress due to an error.
+  #
+  class Error < SSLState
+    attr_reader :message, :error
+
+    def initialize(machine, message, error)
+      super(machine, nil)
+      @message = message
+      @error = error
+    end
+
+    def next_state
+      Puppet.log_exception(@error, @message)
+      Wait.new(@machine)
+    end
+  end
+
   # We have a CA bundle, optional CRL bundle, a private key and matching cert
   # that chains to one of the root certs in our bundle.
   #
   class Done < SSLState; end
 
-  attr_reader :waitforcert
+  attr_reader :waitforcert,  :cert_provider, :ssl_provider
 
-  def initialize(waitforcert: Puppet[:waitforcert])
+  # Construct a state machine to manage the SSL initialization process. By
+  # default, if the state machine encounters an exception, it will log the
+  # exception and wait for `waitforcert` seconds and retry, restarting from the
+  # beginning of the state machine.
+  #
+  # However, if `onetime` is true, then the state machine will raise the first
+  # error it encounters, instead of waiting. Otherwise, if `waitforcert` is 0,
+  # then then state machine will exit instead of wait.
+  #
+  # @param waitforcert [Integer] how many seconds to wait between attempts
+  # @param onetime [Boolean] whether to run onetime
+  # @param cert_provider [Puppet::X509::CertProvider] cert provider to use
+  #   to load and save X509 objects.
+  # @param ssl_provider [Puppet::SSL::SSLProvider] ssl provider to use
+  #   to construct ssl contexts.
+  def initialize(waitforcert: Puppet[:waitforcert],
+                 onetime: Puppet[:onetime],
+                 cert_provider: Puppet::X509::CertProvider.new,
+                 ssl_provider: Puppet::SSL::SSLProvider.new)
     @waitforcert = waitforcert
+    @onetime = onetime
+    @cert_provider = cert_provider
+    @ssl_provider = ssl_provider
   end
 
-  # Run the state machine for CA certs and CRLs
+  # Run the state machine for CA certs and CRLs.
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
+  # @raise [Puppet::Error] If we fail to generate an SSLContext
   def ensure_ca_certificates
     final_state = run_machine(NeedCACerts.new(self), NeedKey)
     final_state.ssl_context
   end
 
-  # Run the state machine for CA certs and CRLs
+  # Run the state machine for CA certs and CRLs.
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
+  # @raise [Puppet::Error] If we fail to generate an SSLContext
   def ensure_client_certificate
     final_state = run_machine(NeedCACerts.new(self), Done)
     ssl_context = final_state.ssl_context
@@ -252,9 +305,27 @@ class Puppet::SSL::StateMachine
 
   def run_machine(state, stop)
     loop do
-      state = state.next_state
-
-      return state if state.is_a?(stop)
+      state = run_step(state)
+
+      case state
+      when stop
+        break
+      when Error
+        if @onetime
+          Puppet.log_exception(state.error)
+          raise state.error
+        end
+      else
+        # fall through
+      end
     end
+
+    state
+  end
+
+  def run_step(state)
+    state.next_state
+  rescue => e
+    state.to_error(e.message, e)
   end
 end

data/lib/puppet/type/package.rb

@@ -20,8 +20,8 @@ module Puppet
       requires in order to function, and you must meet those requirements
       to use a given provider.
 
-      You can declare multiple package resources with the same `name`, as long
-      as they specify different providers and have unique titles.
+      You can declare multiple package resources with the same `name` as long
+      as they have unique titles, and specify different providers and commands.
 
       Note that you must use the _title_ to make a reference to a package
       resource; `Package[<NAME>]` is not a synonym for `Package[<TITLE>]` like
@@ -66,6 +66,8 @@ module Puppet
       :methods => [:package_settings_insync?, :package_settings, :package_settings=]
     feature :virtual_packages, "The provider accepts virtual package names for install and uninstall."
 
+    feature :targetable, "The provider accepts a targeted package management command."
+
     ensurable do
       desc <<-EOT
         What state the package should be in. On packaging systems that can
@@ -275,20 +277,55 @@ module Puppet
       [:provider]
     end
 
-    # We have more than one namevar, so we need title_patterns. However, we
-    # cheat and set the patterns to map to name only and completely ignore
-    # provider. So far, the logic that determines uniqueness appears to just
-    # "Do The Right Thing™" when the provider is explicitly set by the user.
+    # Specify a targeted package management command.
+    newparam(:command, :required_features => :targetable) do
+      desc <<-EOT
+        The targeted command to use when managing a package:
+
+          package { 'mysql':
+            provider => gem,
+          }
+
+          package { 'mysql-opt':
+            name     => 'mysql',
+            provider => gem,
+            command  => '/opt/ruby/bin/gem',
+          }
+
+        Each provider defines a package management command; and uses the first
+        instance of the command found in the PATH.
+
+        Providers supporting the targetable feature allow you to specify the
+        absolute path of the package management command; useful when multiple
+        instances of the command are installed, or the command is not in the PATH.
+      EOT
+
+      isnamevar
+      defaultto :default
+    end
+
+    # We have more than one namevar, so we need title_patterns.
+    # However, we cheat and set the patterns to map to name only
+    # and completely ignore provider (and command, for targetable providers).
+    # So far, the logic that determines uniqueness appears to just
+    # "Do The Right Thing™" when provider (and command) are explicitly set.
     #
     # The following resources will be seen as unique by puppet:
     #
     #     # Uniqueness Key: ['mysql', nil]
-    #     package{'mysql': }
+    #     package {'mysql': }
+    #
+    #     # Uniqueness Key: ['mysql', 'gem', nil]
+    #     package {'gem-mysql':
+    #       name     => 'mysql,
+    #       provider => gem,
+    #     }
     #
-    #     # Uniqueness Key: ['mysql', 'gem']
-    #     package{'gem-mysql':
+    #     # Uniqueness Key: ['mysql', 'gem', '/opt/ruby/bin/gem']
+    #     package {'gem-mysql-opt':
     #       name     => 'mysql,
     #       provider => gem
+    #       command  => '/opt/ruby/bin/gem',
     #     }
     #
     # This does not handle the case where providers like 'yum' and 'rpm' should

data/lib/puppet/util/pidlock.rb

@@ -62,12 +62,13 @@ class Puppet::Util::Pidlock
     # POSIX and Windows platforms (PUP-9247).
     if Puppet.features.posix?
       procname = Puppet::Util::Execution.execute(["ps", "-p", lock_pid, "-o", "comm="]).strip
-      @lockfile.unlock unless procname =~ /puppet(-.*)?$/
+      args     = Puppet::Util::Execution.execute(["ps", "-p", lock_pid, "-o", "args="]).strip
+      @lockfile.unlock unless procname =~ /ruby/ && args =~ /puppet/ || procname =~ /puppet(-.*)?$/
     elsif Puppet.features.microsoft_windows?
       # On Windows, we're checking if the filesystem path name of the running
       # process is our vendored ruby:
       exe_path = Puppet::Util::Windows::Process::get_process_image_name_by_pid(lock_pid)
-      @lockfile.unlock unless exe_path =~ /Puppet\\puppet\\bin\\ruby.exe/
+      @lockfile.unlock unless exe_path =~ /\\bin\\ruby.exe$/
     end
   end
   private :clear_if_stale