puppet 6.4.3-universal-darwin → 6.4.4-universal-darwin

data/lib/puppet/face/help.rb

@@ -195,7 +195,7 @@ Puppet::Face.define(:help, '0.0.1') do
   #private :horribly_extract_summary_from
 
   def exclude_from_docs?(appname)
-    %w{face_base indirection_base cert key man plugin report status}.include? appname
+    %w{face_base indirection_base cert key man report status}.include? appname
   end
   # This should absolutely be a private method, but for some reason it appears
   #  that you can't use the 'private' keyword inside of a Face definition.

data/lib/puppet/face/plugin.rb

@@ -41,8 +41,15 @@ Puppet::Face.define(:plugin, '0.0.1') do
     when_invoked do |options|
       remote_environment_for_plugins = Puppet::Node::Environment.remote(Puppet[:environment])
 
-      handler = Puppet::Configurer::PluginHandler.new()
-      handler.download_plugins(remote_environment_for_plugins)
+      pool = Puppet::Network::HTTP::Pool.new(Puppet[:http_keepalive_timeout])
+      Puppet.override(:http_pool => pool) do
+        begin
+          handler = Puppet::Configurer::PluginHandler.new()
+          handler.download_plugins(remote_environment_for_plugins)
+        ensure
+          pool.close
+        end
+      end
     end
 
     when_rendering :console do |value|

data/lib/puppet/indirector/catalog/compiler.rb

@@ -395,22 +395,28 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
 
     # And then add the server name and IP
     {"servername" => "fqdn",
-      "serverip" => "ipaddress"
+      "serverip"  => "ipaddress",
+      "serverip6" => "ipaddress6"
     }.each do |var, fact|
-      if value = Facter.value(fact)
+      value = Facter.value(fact)
+      if !value.nil?
         @server_facts[var] = value
-      else
-        Puppet.warning _("Could not retrieve fact %{fact}") % { fact: fact }
       end
     end
 
     if @server_facts["servername"].nil?
       host = Facter.value(:hostname)
-      if domain = Facter.value(:domain)
+      if host.nil?
+        Puppet.warning _("Could not retrieve fact servername")
+      elsif domain = Facter.value(:domain)
         @server_facts["servername"] = [host, domain].join(".")
       else
         @server_facts["servername"] = host
       end
     end
+
+    if @server_facts["serverip"].nil? && @server_facts["serverip6"].nil?
+      Puppet.warning _("Could not retrieve either serverip or serverip6 fact")
+    end
   end
 end

data/lib/puppet/module_tool/tar/mini.rb

@@ -1,7 +1,17 @@
 class Puppet::ModuleTool::Tar::Mini
   def unpack(sourcefile, destdir, _)
     Zlib::GzipReader.open(sourcefile) do |reader|
-      Archive::Tar::Minitar.unpack(reader, destdir, find_valid_files(reader)) do |action, name, stats|
+      # puppet doesn't have a hard dependency on minitar, so we
+      # can't be certain which version is installed. If it's 0.9
+      # or above then we can prevent minitar from fsync'ing each
+      # extracted file and directory, otherwise fallback to the
+      # old behavior
+      args = [reader, destdir, find_valid_files(reader)]
+      spec = Gem::Specification.find_by_name('minitar')
+      if spec && spec.version >= Gem::Version.new('0.9')
+        args << {:fsync => false}
+      end
+      Archive::Tar::Minitar.unpack(*args) do |action, name, stats|
         case action
         when :dir
           validate_entry(destdir, name)

data/lib/puppet/network/http/factory.rb

@@ -25,17 +25,7 @@ class Puppet::Network::HTTP::Factory
   def create_connection(site)
     Puppet.debug("Creating new connection for #{site}")
 
-    args = [site.host, site.port]
-
-    unless Puppet::Util::HttpProxy.no_proxy?(site)
-      if Puppet[:http_proxy_host] == "none"
-        args << nil << nil
-      else
-        args << Puppet[:http_proxy_host] << Puppet[:http_proxy_port]
-      end
-    end
-
-    http = Net::HTTP.new(*args)
+    http = Puppet::Util::HttpProxy.proxy(URI(site.addr))
     http.use_ssl = site.use_ssl?
     http.read_timeout = Puppet[:http_read_timeout]
     http.open_timeout = Puppet[:http_connect_timeout]

data/lib/puppet/provider/file/posix.rb

@@ -8,6 +8,11 @@ Puppet::Type.type(:file).provide :posix do
   include Puppet::Util::Warnings
 
   require 'etc'
+  require 'puppet/util/selinux'
+
+  def self.post_resource_eval
+    Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support?
+  end
 
   def uid2name(id)
     return id.to_s if id.is_a?(Symbol) or id.is_a?(String)

data/lib/puppet/provider/nameservice.rb

@@ -172,9 +172,10 @@ class Puppet::Provider::NameService < Puppet::Provider
     end
 
     begin
-      execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+      sensitive = has_sensitive_data?
+      execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
       if feature?(:manages_password_age) && (cmd = passcmd)
-        execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+        execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
       end
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, _("Could not create %{resource} %{name}: %{detail}") % { resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
@@ -276,13 +277,19 @@ class Puppet::Provider::NameService < Puppet::Provider
     self.class.validate(param, value)
     cmd = modifycmd(param, munge(param, value))
     raise Puppet::DevError, _("Nameservice command must be an array") unless cmd.is_a?(Array)
+    sensitive = has_sensitive_data?(param)
     begin
-      execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+      execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, _("Could not set %{param} on %{resource}[%{name}]: %{detail}") % { param: param, resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
     end
   end
 
+  #Derived classes can override to declare sensitive data so a flag can be passed to execute
+  def has_sensitive_data?(property = nil)
+    false
+  end
+
   # From overriding Puppet::Property#insync? Ruby Etc::getpwnam < 2.1.0 always
   # returns a struct with binary encoded string values, and >= 2.1.0 will return
   # binary encoded strings for values incompatible with current locale charset,

data/lib/puppet/provider/package/dnf.rb

@@ -9,7 +9,7 @@ Puppet::Type.type(:package).provide :dnf, :parent => :yum do
   These options should be specified as an array where each element is either
    a string or a hash."
 
-  has_feature :install_options, :versionable, :virtual_packages
+  has_feature :install_options, :versionable, :virtual_packages, :install_only
 
   commands :cmd => "dnf", :rpm => "rpm"
 

data/lib/puppet/provider/package/pip.rb

@@ -86,9 +86,9 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
   end
 
   # Parse lines of output from `pip freeze`, which are structured as:
-  # _package_==_version_
+  # _package_==_version_ or _package_===_version_
   def self.parse(line)
-    if line.chomp =~ /^([^=]+)==([^=]+)$/
+    if line.chomp =~ /^([^=]+)===?([^=]+)$/
       {:ensure => $2, :name => $1, :provider => name}
     end
   end

data/lib/puppet/provider/package/rpm.rb

@@ -13,6 +13,7 @@ These options should be specified as an array where each element is either a str
   has_feature :install_options
   has_feature :uninstall_options
   has_feature :virtual_packages
+  has_feature :install_only
 
   # Note: self:: is required here to keep these constants in the context of what will
   # eventually become this Puppet::Type::Package::ProviderRpm class.
@@ -20,6 +21,7 @@ These options should be specified as an array where each element is either a str
   self::NEVRA_FORMAT = %Q{%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}\\n}
   self::NEVRA_REGEX  = %r{^'?(\S+) (\S+) (\S+) (\S+) (\S+)$}
   self::NEVRA_FIELDS = [:name, :epoch, :version, :release, :arch]
+  self::MULTIVERSION_SEPARATOR = "; "
 
   ARCH_LIST = [
     'noarch',
@@ -79,12 +81,9 @@ These options should be specified as an array where each element is either a str
 
     # list out all of the packages
     begin
-      execpipe("#{command(:rpm)} -qa #{nosignature} #{nodigest} --qf '#{self::NEVRA_FORMAT}'") { |process|
+      execpipe("#{command(:rpm)} -qa #{nosignature} #{nodigest} --qf '#{self::NEVRA_FORMAT}' | sort") { |process|
         # now turn each returned line into a package object
-        process.each_line { |line|
-          hash = nevra_to_hash(line)
-          packages << new(hash) unless hash.empty?
-        }
+        nevra_to_multiversion_hash(process).each { |hash| packages << new(hash) }
       }
     rescue Puppet::ExecutionFailure
       raise Puppet::Error, _("Failed to list packages"), $!.backtrace
@@ -100,7 +99,7 @@ These options should be specified as an array where each element is either a str
     #NOTE: Prior to a fix for issue 1243, this method potentially returned a cached value
     #IF YOU CALL THIS METHOD, IT WILL CALL RPM
     #Use get(:property) to check if cached values are available
-    cmd = ["-q",  @resource[:name], "#{self.class.nosignature}", "#{self.class.nodigest}", "--qf", "'#{self.class::NEVRA_FORMAT}'"]
+    cmd = ["-q",  @resource[:name], "#{self.class.nosignature}", "#{self.class.nodigest}", "--qf", "#{self.class::NEVRA_FORMAT}"]
 
     begin
       output = rpm(*cmd)
@@ -117,9 +116,7 @@ These options should be specified as an array where each element is either a str
         return nil
       end
     end
-    # FIXME: We could actually be getting back multiple packages
-    # for multilib and this will only return the first such package
-    @property_hash.update(self.class.nevra_to_hash(output))
+    @property_hash.update(self.class.nevra_to_multiversion_hash(output))
 
     @property_hash.dup
   end
@@ -130,8 +127,8 @@ These options should be specified as an array where each element is either a str
       @resource.fail _("RPMs must specify a package source")
     end
 
-    cmd = [command(:rpm), "-q", "--qf", "'#{self.class::NEVRA_FORMAT}'", "-p", source]
-    h = self.class.nevra_to_hash(execute(cmd))
+    cmd = [command(:rpm), "-q", "--qf", "#{self.class::NEVRA_FORMAT}", "-p", source]
+    h = self.class.nevra_to_multiversion_hash(execute(cmd))
     h[:ensure]
   rescue Puppet::ExecutionFailure => e
     raise Puppet::Error, e.message, e.backtrace
@@ -168,7 +165,11 @@ These options should be specified as an array where each element is either a str
       if @resource[:name].start_with? nav
         identifier = nav
       else
-        identifier = name
+        if @resource[:install_only]
+          identifier = get(:ensure).split(self.class::MULTIVERSION_SEPARATOR).map { |ver| "#{name}-#{ver}" }
+        else
+          identifier = name
+        end
       end
     end
     # If an arch is specified in the resource, uninstall that arch,
@@ -308,8 +309,12 @@ These options should be specified as an array where each element is either a str
 
   def insync?(is)
     return false if [:purged, :absent].include?(is)
+    return false if is.include?(self.class::MULTIVERSION_SEPARATOR) && !@resource[:install_only]
+
     should = resource[:ensure]
-    0 == rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(is))
+    is.split(self.class::MULTIVERSION_SEPARATOR).any? do |version|
+      0 == self.rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(version))
+    end
   end
 
   # parse a rpm "version" specification
@@ -412,4 +417,37 @@ These options should be specified as an array where each element is either a str
 
     return hash
   end
+
+  # @param line [String] multiple lines of rpm package query information
+  # @return list of [Hash] of NEVRA_FIELDS strings parsed from package info
+  # or an empty list if we failed to parse
+  # @api private
+  def self.nevra_to_multiversion_hash(multiline)
+    list = []
+    multiversion_hash = {}
+    multiline.each_line do |line|
+      hash = self.nevra_to_hash(line)
+      if !hash.empty?
+        if multiversion_hash.empty?
+          multiversion_hash = hash.dup
+          next
+        end
+
+        if multiversion_hash[:name] != hash[:name]
+          list << multiversion_hash
+          multiversion_hash = hash.dup
+          next
+        end
+
+        if !multiversion_hash[:ensure].include?(hash[:ensure])
+          multiversion_hash[:ensure].concat("#{self::MULTIVERSION_SEPARATOR}#{hash[:ensure]}")
+        end
+      end
+    end
+    list << multiversion_hash if multiversion_hash
+    if list.size == 1
+      return list[0]
+    end
+    return list
+  end
 end

data/lib/puppet/provider/package/yum.rb

@@ -8,7 +8,7 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
   This provider supports the `install_options` attribute, which allows command-line flags to be passed to yum.
   These options should be specified as an array where each element is either a string or a hash."
 
-  has_feature :install_options, :versionable, :virtual_packages
+  has_feature :install_options, :versionable, :virtual_packages, :install_only
 
   commands :cmd => "yum", :rpm => "rpm"
 
@@ -203,7 +203,10 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
       end
       current_package = self.query
       if current_package
-        if rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(current_package[:ensure])) < 0
+        if @resource[:install_only]
+          self.debug "Updating package #{@resource[:name]} from version #{current_package[:ensure]} to #{should} as install_only packages are never downgraded"
+          operation = update_command
+        elsif rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(current_package[:ensure])) < 0
           self.debug "Downgrading package #{@resource[:name]} from version #{current_package[:ensure]} to #{should}"
           operation = :downgrade
         elsif rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(current_package[:ensure])) > 0
@@ -228,10 +231,11 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
       is = self.query
       raise Puppet::Error, _("Could not find package %{name}") % { name: self.name } unless is
 
+      version = is[:ensure]
       # FIXME: Should we raise an exception even if should == :latest
       # and yum updated us to a version other than @param_hash[:ensure] ?
-      vercmp_result = rpm_compareEVR(rpm_parse_evr(should), rpm_parse_evr(is[:ensure]))
-      raise Puppet::Error, _("Failed to update to version %{should}, got version %{version} instead") % { should: should, version: is[:ensure] } if vercmp_result != 0
+      raise Puppet::Error, _("Failed to update to version %{should}, got version %{version} instead") % { should: should, version: version } unless
+        insync?(version)
     end
   end
 

data/lib/puppet/provider/service/launchd.rb

@@ -240,12 +240,20 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   def status
     if @resource && ((@resource[:hasstatus] == :false) || (@resource[:status]))
       return super
-    else
-      if @property_hash[:status].nil?
-        :absent
+    elsif @property_hash[:status].nil?
+      # property_hash was flushed so the service changed status
+      service_name = @resource[:name]
+      # Updating services with new statuses
+      job_list = self.class.job_list
+      # if job is present in job_list, return its status
+      if job_list.key?(service_name)
+        job_list[service_name]
+      # if job is no longer present in job_list, it was stopped
       else
-        @property_hash[:status]
+        :stopped
       end
+    else
+      @property_hash[:status]
     end
   end
 
@@ -313,7 +321,14 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
     job_plist_disabled = nil
     overrides_disabled = nil
 
-    _, job_plist = plist_from_label(resource[:name])
+    begin
+      _, job_plist = plist_from_label(resource[:name])
+    rescue Puppet::Error => err
+      # if job does not exist, log the error and return false as on other platforms
+      Puppet.log_exception(err)
+      return :false
+    end
+
     job_plist_disabled = job_plist["Disabled"] if job_plist.has_key?("Disabled")
 
     if FileTest.file?(self.class.launchd_overrides) and overrides = self.class.read_overrides

data/lib/puppet/provider/service/systemd.rb

@@ -1,5 +1,7 @@
 # Manage systemd services using systemctl
 
+require 'puppet/file_system'
+
 Puppet::Type.type(:service).provide :systemd, :parent => :base do
   desc "Manages `systemd` services using `systemctl`.
 
@@ -9,14 +11,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
 
   commands :systemctl => "systemctl"
 
-  if Facter.value(:osfamily).downcase == 'debian'
-    # With multiple init systems on Debian, it is possible to have
-    # pieces of systemd around (e.g. systemctl) but not really be
-    # using systemd.  We do not do this on other platforms as it can
-    # cause issues when running in a chroot without /run mounted
-    # (PUP-5577)
-    confine :exists => "/run/systemd/system"
-  end
+  confine :true => Puppet::FileSystem.exist?('/proc/1/comm') && Puppet::FileSystem.read('/proc/1/comm').include?('systemd')
 
   defaultfor :osfamily => [:archlinux]
   defaultfor :osfamily => :redhat, :operatingsystemmajrelease => ["7", "8"]
@@ -24,8 +19,8 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   defaultfor :osfamily => :suse
   defaultfor :osfamily => :coreos
   defaultfor :operatingsystem => :amazon, :operatingsystemmajrelease => ["2"]
-  defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ["8", "stretch/sid", "9", "buster/sid"]
-
+  defaultfor :operatingsystem => :debian
+  notdefaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ["5", "6", "7"] # These are using the "debian" method
   defaultfor :operatingsystem => :LinuxMint
   notdefaultfor :operatingsystem => :LinuxMint, :operatingsystemmajrelease => ["10", "11", "12", "13", "14", "15", "16", "17"] # These are using upstart
   defaultfor :operatingsystem => :ubuntu

data/lib/puppet/provider/service/windows.rb

@@ -35,6 +35,12 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
     raise Puppet::Error.new(_("Cannot enable %{resource_name} for manual start, error was: %{detail}") % { resource_name: @resource[:name], detail: detail }, detail )
   end
 
+  def delayed_start
+    Puppet::Util::Windows::Service.set_startup_mode( @resource[:name], :SERVICE_AUTO_START, true )
+  rescue => detail
+    raise Puppet::Error.new(_("Cannot enable %{resource_name} for delayed start, error was: %{detail}") % { resource_name: @resource[:name], detail: detail }, detail )
+  end
+
   def enabled?
     return :false unless Puppet::Util::Windows::Service.exists?(@resource[:name])
 
@@ -47,6 +53,8 @@ Puppet::Type.type(:service).provide :windows, :parent => :service do
         :true
       when :SERVICE_DEMAND_START
         :manual
+      when :SERVICE_DELAYED_AUTO_START
+        :delayed
       when :SERVICE_DISABLED
         :false
       else

data/lib/puppet/provider/user/pw.rb

@@ -66,11 +66,11 @@ Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::
 
   # use pw to update password hash
   def password=(cryptopw)
-    Puppet.debug "change password for user '#{@resource[:name]}' method called with hash '#{cryptopw}'"
+    Puppet.debug "change password for user '#{@resource[:name]}' method called with hash [redacted]"
     stdin, _, _ = Open3.popen3("pw user mod #{@resource[:name]} -H 0")
     stdin.puts(cryptopw)
     stdin.close
-    Puppet.debug "finished password for user '#{@resource[:name]}' method called with hash '#{cryptopw}'"
+    Puppet.debug "finished password for user '#{@resource[:name]}' method called with hash [redacted]"
   end
 
   # get password from /etc/master.passwd
@@ -78,10 +78,19 @@ Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::
     Puppet.debug "checking password for user '#{@resource[:name]}' method called"
     current_passline = `getent passwd #{@resource[:name]}`
     current_password = current_passline.chomp.split(':')[1] if current_passline
-    Puppet.debug "finished password for user '#{@resource[:name]}' method called : '#{current_password}'"
+    Puppet.debug "finished password for user '#{@resource[:name]}' method called : [redacted]"
     current_password
   end
 
+  def has_sensitive_data?(property = nil)
+    #Check for sensitive values?
+    properties = property ? [property] : Puppet::Type.type(:user).validproperties
+    properties.any? do |prop|
+      p = @resource.parameter(prop)
+      p && p.respond_to?(:is_sensitive) && p.is_sensitive
+    end
+  end
+
   # Get expiry from system and convert to Puppet-style date
   def expiry
     expiry = self.get(:expiry)