RubyGems - puppet - Versions diffs - 6.4.4 → 6.4.5 - Mend

puppet 6.4.4 → 6.4.5

Potentially problematic release.

This version of puppet might be problematic. Click here for more details.

Files changed (221) hide show

checksums.yaml +4 -4
data/CODEOWNERS +1 -1
data/Gemfile +4 -4
data/Gemfile.lock +38 -32
data/ext/build_defaults.yaml +1 -0
data/ext/cert_inspector +3 -3
data/ext/puppet-test +2 -2
data/ext/regexp_nodes/regexp_nodes.rb +4 -4
data/ext/windows/service/daemon.rb +38 -8
data/install.rb +6 -6
data/lib/puppet/application.rb +1 -1
data/lib/puppet/application/apply.rb +2 -2
data/lib/puppet/application/describe.rb +3 -9
data/lib/puppet/application/doc.rb +1 -1
data/lib/puppet/application/lookup.rb +1 -1
data/lib/puppet/application/script.rb +2 -2
data/lib/puppet/application/ssl.rb +4 -1
data/lib/puppet/configurer.rb +86 -30
data/lib/puppet/configurer/downloader.rb +2 -6
data/lib/puppet/defaults.rb +32 -6
data/lib/puppet/error.rb +9 -1
data/lib/puppet/face/module/list.rb +5 -5
data/lib/puppet/face/module/search.rb +1 -1
data/lib/puppet/face/module/uninstall.rb +1 -1
data/lib/puppet/face/module/upgrade.rb +1 -1
data/lib/puppet/file_serving/http_metadata.rb +1 -1
data/lib/puppet/file_system.rb +0 -8
data/lib/puppet/file_system/memory_file.rb +1 -1
data/lib/puppet/file_system/posix.rb +3 -2
data/lib/puppet/forge.rb +3 -3
data/lib/puppet/functions.rb +1 -2
data/lib/puppet/functions/camelcase.rb +2 -2
data/lib/puppet/functions/epp.rb +4 -4
data/lib/puppet/functions/find_file.rb +9 -9
data/lib/puppet/functions/inline_epp.rb +5 -5
data/lib/puppet/gettext/module_translations.rb +1 -1
data/lib/puppet/graph/rb_tree_map.rb +2 -2
data/lib/puppet/graph/simple_graph.rb +4 -3
data/lib/puppet/indirector/file_bucket_file/file.rb +1 -1
data/lib/puppet/indirector/hiera.rb +2 -0
data/lib/puppet/indirector/resource/ral.rb +1 -3
data/lib/puppet/indirector/resource/validator.rb +1 -1
data/lib/puppet/interface.rb +2 -1
data/lib/puppet/loaders.rb +0 -1
data/lib/puppet/metatype/manager.rb +1 -1
data/lib/puppet/module.rb +1 -1
data/lib/puppet/module/task.rb +20 -4
data/lib/puppet/module_tool/applications/installer.rb +1 -1
data/lib/puppet/module_tool/applications/uninstaller.rb +3 -3
data/lib/puppet/module_tool/metadata.rb +1 -1
data/lib/puppet/module_tool/shared_behaviors.rb +4 -4
data/lib/puppet/module_tool/tar/mini.rb +1 -1
data/lib/puppet/network/http/api/indirected_routes.rb +12 -11
data/lib/puppet/network/http/connection.rb +10 -12
data/lib/puppet/network/http/pool.rb +2 -0
data/lib/puppet/network/http/site.rb +1 -1
data/lib/puppet/network/resolver.rb +2 -2
data/lib/puppet/node/environment.rb +4 -2
data/lib/puppet/pal/pal_impl.rb +2 -2
data/lib/puppet/parser/ast.rb +1 -1
data/lib/puppet/parser/ast/resourceparam.rb +1 -1
data/lib/puppet/parser/functions.rb +1 -1
data/lib/puppet/parser/functions/epp.rb +3 -3
data/lib/puppet/parser/functions/inline_epp.rb +5 -5
data/lib/puppet/parser/scope.rb +8 -7
data/lib/puppet/pops/evaluator/collectors/catalog_collector.rb +1 -1
data/lib/puppet/pops/evaluator/collectors/exported_collector.rb +1 -1
data/lib/puppet/pops/evaluator/external_syntax_support.rb +3 -2
data/lib/puppet/pops/evaluator/runtime3_support.rb +4 -4
data/lib/puppet/pops/loader/task_instantiator.rb +4 -0
data/lib/puppet/pops/loaders.rb +1 -1
data/lib/puppet/pops/lookup/hiera_config.rb +1 -0
data/lib/puppet/pops/lookup/sub_lookup.rb +1 -1
data/lib/puppet/pops/merge_strategy.rb +22 -18
data/lib/puppet/pops/parser/heredoc_support.rb +1 -1
data/lib/puppet/pops/parser/interpolation_support.rb +4 -4
data/lib/puppet/pops/parser/locator.rb +1 -1
data/lib/puppet/pops/parser/pn_parser.rb +17 -16
data/lib/puppet/pops/puppet_stack.rb +51 -49
data/lib/puppet/pops/types/p_sensitive_type.rb +1 -1
data/lib/puppet/pops/types/string_converter.rb +10 -10
data/lib/puppet/pops/types/types.rb +3 -3
data/lib/puppet/property.rb +1 -1
data/lib/puppet/property/ensure.rb +1 -1
data/lib/puppet/provider/exec.rb +6 -2
data/lib/puppet/provider/nameservice/directoryservice.rb +1 -1
data/lib/puppet/provider/nameservice/pw.rb +2 -2
data/lib/puppet/provider/package/apt.rb +5 -1
data/lib/puppet/provider/package/dnfmodule.rb +87 -0
data/lib/puppet/provider/package/dpkg.rb +34 -18
data/lib/puppet/provider/package/openbsd.rb +1 -1
data/lib/puppet/provider/package/pip.rb +34 -9
data/lib/puppet/provider/package/portage.rb +4 -4
data/lib/puppet/provider/package/rpm.rb +5 -5
data/lib/puppet/provider/package/windows/package.rb +1 -1
data/lib/puppet/provider/package/yum.rb +1 -1
data/lib/puppet/provider/package_targetable.rb +5 -4
data/lib/puppet/provider/parsedfile.rb +1 -1
data/lib/puppet/provider/service/daemontools.rb +9 -9
data/lib/puppet/provider/service/openbsd.rb +1 -1
data/lib/puppet/provider/service/rcng.rb +2 -2
data/lib/puppet/provider/service/runit.rb +2 -8
data/lib/puppet/provider/service/systemd.rb +9 -9
data/lib/puppet/provider/user/directoryservice.rb +1 -1
data/lib/puppet/provider/user/hpux.rb +1 -1
data/lib/puppet/provider/user/user_role_add.rb +1 -1
data/lib/puppet/provider/user/useradd.rb +22 -13
data/lib/puppet/provider/user/windows_adsi.rb +4 -5
data/lib/puppet/reference/indirection.rb +2 -2
data/lib/puppet/reference/metaparameter.rb +1 -3
data/lib/puppet/reference/providers.rb +1 -3
data/lib/puppet/reference/type.rb +3 -9
data/lib/puppet/reports.rb +1 -1
data/lib/puppet/resource.rb +1 -1
data/lib/puppet/resource/catalog.rb +1 -1
data/lib/puppet/settings.rb +3 -3
data/lib/puppet/settings/environment_conf.rb +1 -0
data/lib/puppet/ssl/host.rb +1 -1
data/lib/puppet/ssl/oids.rb +1 -1
data/lib/puppet/transaction.rb +33 -11
data/lib/puppet/transaction/report.rb +1 -1
data/lib/puppet/type.rb +2 -4
data/lib/puppet/type/exec.rb +7 -3
data/lib/puppet/type/file.rb +1 -2
data/lib/puppet/type/file/data_sync.rb +5 -1
data/lib/puppet/type/group.rb +4 -2
data/lib/puppet/type/notify.rb +3 -2
data/lib/puppet/type/package.rb +10 -3
data/lib/puppet/type/schedule.rb +1 -1
data/lib/puppet/type/service.rb +1 -1
data/lib/puppet/type/user.rb +4 -2
data/lib/puppet/util.rb +35 -12
data/lib/puppet/util/command_line/trollop.rb +1 -1
data/lib/puppet/util/http_proxy.rb +8 -14
data/lib/puppet/util/log.rb +2 -2
data/lib/puppet/util/log/destinations.rb +2 -2
data/lib/puppet/util/logging.rb +32 -20
data/lib/puppet/util/metric.rb +2 -2
data/lib/puppet/util/provider_features.rb +2 -4
data/lib/puppet/util/rdoc.rb +1 -1
data/lib/puppet/util/reference.rb +1 -1
data/lib/puppet/util/resource_template.rb +1 -1
data/lib/puppet/util/selinux.rb +3 -1
data/lib/puppet/util/windows/adsi.rb +48 -18
data/lib/puppet/util/windows/registry.rb +7 -5
data/lib/puppet/vendor.rb +1 -1
data/lib/puppet/version.rb +1 -1
data/lib/puppet/x509/cert_provider.rb +13 -6
data/locales/puppet.pot +199 -159
data/man/man5/puppet.conf.5 +35 -5
data/man/man8/puppet-agent.8 +1 -1
data/man/man8/puppet-apply.8 +1 -1
data/man/man8/puppet-catalog.8 +1 -1
data/man/man8/puppet-config.8 +1 -1
data/man/man8/puppet-describe.8 +1 -1
data/man/man8/puppet-device.8 +1 -1
data/man/man8/puppet-doc.8 +1 -1
data/man/man8/puppet-epp.8 +1 -1
data/man/man8/puppet-facts.8 +1 -1
data/man/man8/puppet-filebucket.8 +1 -1
data/man/man8/puppet-generate.8 +1 -1
data/man/man8/puppet-help.8 +1 -1
data/man/man8/puppet-key.8 +1 -1
data/man/man8/puppet-lookup.8 +1 -1
data/man/man8/puppet-man.8 +1 -1
data/man/man8/puppet-module.8 +1 -1
data/man/man8/puppet-node.8 +1 -1
data/man/man8/puppet-parser.8 +1 -1
data/man/man8/puppet-plugin.8 +1 -1
data/man/man8/puppet-report.8 +1 -1
data/man/man8/puppet-resource.8 +1 -1
data/man/man8/puppet-script.8 +1 -1
data/man/man8/puppet-ssl.8 +1 -1
data/man/man8/puppet-status.8 +1 -1
data/man/man8/puppet.8 +2 -2
data/spec/fixtures/unit/provider/package/dnfmodule/dnf-module-list-installed.txt +11 -0
data/spec/integration/configurer_spec.rb +52 -0
data/spec/integration/type/notify_spec.rb +46 -0
data/spec/lib/puppet/certificate_factory.rb +2 -2
data/spec/spec_helper.rb +28 -0
data/spec/unit/application/ssl_spec.rb +4 -7
data/spec/unit/configurer_spec.rb +394 -398
data/spec/unit/defaults_spec.rb +4 -4
data/spec/unit/forge/forge_spec.rb +1 -3
data/spec/unit/forge/repository_spec.rb +1 -3
data/spec/unit/indirector/resource/ral_spec.rb +4 -4
data/spec/unit/network/http/connection_spec.rb +119 -145
data/spec/unit/parser/scope_spec.rb +10 -0
data/spec/unit/pops/evaluator/evaluating_parser_spec.rb +8 -3
data/spec/unit/pops/loaders/module_loaders_spec.rb +37 -0
data/spec/unit/provider/exec_spec.rb +209 -0
data/spec/unit/provider/package/dnfmodule_spec.rb +186 -0
data/spec/unit/provider/package/dpkg_spec.rb +238 -78
data/spec/unit/provider/package/pip_spec.rb +51 -6
data/spec/unit/provider/package/portage_spec.rb +4 -4
data/spec/unit/provider/package_targetable_spec.rb +60 -0
data/spec/unit/provider/service/daemontools_spec.rb +24 -0
data/spec/unit/provider/service/runit_spec.rb +24 -0
data/spec/unit/provider/service/systemd_spec.rb +25 -25
data/spec/unit/provider/user/hpux_spec.rb +2 -2
data/spec/unit/provider/user/useradd_spec.rb +46 -0
data/spec/unit/ssl/host_spec.rb +0 -5
data/spec/unit/ssl/state_machine_spec.rb +0 -6
data/spec/unit/transaction_spec.rb +46 -0
data/spec/unit/type/exec_spec.rb +6 -12
data/spec/unit/type/file/content_spec.rb +9 -3
data/spec/unit/type/file_spec.rb +9 -4
data/spec/unit/type/package_spec.rb +5 -0
data/spec/unit/util/execution_spec.rb +16 -0
data/spec/unit/util/http_proxy_spec.rb +118 -27
data/spec/unit/util/log/destinations_spec.rb +7 -3
data/spec/unit/util/log_spec.rb +0 -138
data/spec/unit/util/logging_spec.rb +200 -0
data/spec/unit/util/windows/adsi_spec.rb +51 -0
data/spec/unit/x509/cert_provider_spec.rb +24 -4
data/tasks/manpages.rake +1 -0
metadata +12 -10
data/lib/puppet/pops/loader/null_loader.rb +0 -60
data/spec/fixtures/vcr/cassettes/Puppet_Network_HTTP_Connection/when_handling_requests/_request_get/should_yield_to_the_block.yml +0 -24
data/spec/fixtures/vcr/cassettes/Puppet_Network_HTTP_Connection/when_handling_requests/_request_head/should_yield_to_the_block.yml +0 -24
data/spec/fixtures/vcr/cassettes/Puppet_Network_HTTP_Connection/when_handling_requests/_request_post/should_yield_to_the_block.yml +0 -24

data/lib/puppet/util/command_line/trollop.rb CHANGED

@@ -215,7 +215,7 @@ class Parser
     opts[:type] = opts[:type] || type_from_default || :flag
     ## fill in :long
-    opts[:long] = opts[:long] ? opts[:long].to_s : name.to_s.gsub("_", "-")
+    opts[:long] = opts[:long] ? opts[:long].to_s : name.to_s.tr("_", "-")
     opts[:long] =
       case opts[:long]
       when /^--([^-].*)$/

data/lib/puppet/util/http_proxy.rb CHANGED

@@ -4,13 +4,15 @@ require 'puppet/network/http'
 module Puppet::Util::HttpProxy
   def self.proxy(uri)
-    if self.no_proxy?(uri)
-      proxy_class = Net::HTTP::Proxy(nil)
+    if http_proxy_host && !no_proxy?(uri)
+      Net::HTTP.new(uri.host, uri.port, self.http_proxy_host, self.http_proxy_port, self.http_proxy_user, self.http_proxy_password)
     else
-      proxy_class = Net::HTTP::Proxy(self.http_proxy_host, self.http_proxy_port, self.http_proxy_user, self.http_proxy_password)
+      http = Net::HTTP.new(uri.host, uri.port, nil, nil, nil, nil)
+      # Net::HTTP defaults the proxy port even though we said not to
+      # use one. Set it to nil so caller is not surprised
+      http.proxy_port = nil if http.respond_to?(:proxy_port=)
+      http
     end
-    return proxy_class.new(uri.host, uri.port)
   end
   def self.http_proxy_env
@@ -49,14 +51,6 @@ module Puppet::Util::HttpProxy
       host, port = d.split(':')
       host = Regexp.escape(host).gsub('\*', '.*')
-      #If the host of this no_proxy value starts with '.', this entry is
-      #a domain level entry. Don't pin the regex to the beginning of the entry.
-      #If it does not start with a '.' then it is a host specific entry and
-      #should be matched to the destination starting at the beginning.
-      unless host =~ /^\\\./
-        host = "^#{host}"
-      end
       #If this no_proxy entry specifies a port, we want to match it against
       #the destination port.  Otherwise just match hosts.
       if port
@@ -192,7 +186,7 @@ module Puppet::Util::HttpProxy
       headers = { 'Accept' => '*/*', 'User-Agent' => Puppet[:http_user_agent] }
       if Puppet.features.zlib?
-        headers.merge!({"Accept-Encoding" => Puppet::Network::HTTP::Compression::ACCEPT_ENCODING})
+        headers["Accept-Encoding"] = Puppet::Network::HTTP::Compression::ACCEPT_ENCODING
       end
       response = proxy.send(:head, current_uri, headers)

data/lib/puppet/util/log.rb CHANGED

@@ -175,7 +175,7 @@ class Puppet::Util::Log
     # We only select the last 10 callers in the stack to avoid being spammy
     message = _("Received a Log attribute with invalid encoding:%{log_message}") %
         { log_message: Puppet::Util::CharacterEncoding.convert_to_utf_8(str.dump)}
-    message += '\n' + _("Backtrace:\n%{backtrace}") % { backtrace: caller[0..10].join("\n") }
+    message += '\n' + _("Backtrace:\n%{backtrace}") % { backtrace: caller(1, 10).join("\n") }
     message
   end
   private_class_method :coerce_string
@@ -392,7 +392,7 @@ class Puppet::Util::Log
   end
   def to_report
-    "#{time} #{source} (#{level}): #{to_s}"
+    "#{time} #{source} (#{level}): #{self}"
   end
   def to_s

data/lib/puppet/util/log/destinations.rb CHANGED

@@ -34,7 +34,7 @@ Puppet::Util::Log.newdesttype :syslog do
       end
     else
       msg.to_s.split("\n").each do |line|
-        @syslog.send(msg.level, "(%s) %s" % [msg.source.to_s.gsub("%", ""),
+        @syslog.send(msg.level, "(%s) %s" % [msg.source.to_s.delete("%"),
             line.gsub("%", '%%')
           ]
         )
@@ -78,7 +78,7 @@ Puppet::Util::Log.newdesttype :file do
     # create the log file, if it doesn't already exist
     need_array_start = false
-    file_exists = File.exists?(path)
+    file_exists = Puppet::FileSystem.exist?(path)
     if @json == 1
       need_array_start = true
       if file_exists

data/lib/puppet/util/logging.rb CHANGED

@@ -48,12 +48,13 @@ module Logging
   #    wish to log a message at all; in this case it is likely that you are only calling this method in order
   #    to take advantage of the backtrace logging.
   def log_exception(exception, message = :default, options = {})
-    trace = Puppet[:trace] || options[:trace]
     level = options[:level] || :err
+    combined_trace = Puppet[:trace] || options[:trace]
+    puppet_trace = Puppet[:puppet_trace] || options[:puppet_trace]
     if message == :default && exception.is_a?(Puppet::ParseErrorWithIssue)
       # Retain all detailed info and keep plain message and stacktrace separate
-      backtrace = []
-      build_exception_trace(backtrace, exception, trace)
+      backtrace = build_exception_trace(exception, combined_trace, puppet_trace)
       Puppet::Util::Log.create({
           :level => level,
           :source => log_source,
@@ -67,28 +68,27 @@ module Logging
           :node => exception.node
         }.merge(log_metadata))
     else
-      send_log(level, format_exception(exception, message, trace))
+      send_log(level, format_exception(exception, message, combined_trace, puppet_trace))
     end
   end
-  def build_exception_trace(arr, exception, trace = true)
-    if trace and exception.backtrace
-      exception.backtrace.each do |line|
-        arr << line =~ /^(.+):(\d+.*)$/ ? ("#{Pathname($1).realpath}:#{$2}" rescue line) : line
-      end
-    end
+  def build_exception_trace(exception, combined_trace = true, puppet_trace = false)
+    built_trace = format_backtrace(exception, combined_trace, puppet_trace)
     if exception.respond_to?(:original)
       original =  exception.original
       unless original.nil?
-        arr << _('Wrapped exception:')
-        arr << original.message
-        build_exception_trace(arr, original, trace)
+        built_trace << _('Wrapped exception:')
+        built_trace << original.message
+        built_trace += build_exception_trace(original, combined_trace, puppet_trace)
       end
     end
+    built_trace
   end
   private :build_exception_trace
-  def format_exception(exception, message = :default, trace = true)
+  def format_exception(exception, message = :default, combined_trace = true, puppet_trace = false)
     arr = []
     case message
     when :default
@@ -99,16 +99,28 @@ module Logging
       arr << message
     end
-    if trace and exception.backtrace
-      arr << Puppet::Util.pretty_backtrace(exception.backtrace)
-    end
+    arr += format_backtrace(exception, combined_trace, puppet_trace)
     if exception.respond_to?(:original) and exception.original
       arr << _("Wrapped exception:")
-      arr << format_exception(exception.original, :default, trace)
+      arr << format_exception(exception.original, :default, combined_trace, puppet_trace)
     end
     arr.flatten.join("\n")
   end
+  def format_backtrace(exception, combined_trace, puppet_trace)
+    puppetstack = exception.respond_to?(:puppetstack) ? exception.puppetstack : []
+    if combined_trace and exception.backtrace
+      Puppet::Util.format_backtrace_array(exception.backtrace, puppetstack)
+    elsif puppet_trace && !puppetstack.empty?
+      Puppet::Util.format_backtrace_array(puppetstack)
+    else
+      []
+    end
+  end
   def log_and_raise(exception, message)
     log_exception(exception, message)
     raise exception, message + "\n" + exception.to_s, exception.backtrace
@@ -194,9 +206,9 @@ module Logging
     # let's find the offending line;  we need to jump back up the stack a few steps to find the method that called
     #  the deprecated method
     if Puppet[:trace]
-      caller()[2..-1]
+      caller(3)
     else
-      [caller()[2]]
+      [caller(3, 1).first]
     end
   end

data/lib/puppet/util/metric.rb CHANGED

@@ -54,11 +54,11 @@ class Puppet::Util::Metric
   end
   def values
-    @values.sort { |a, b| a[1] <=> b[1] }
+    @values.sort_by { |a| a[1] }
   end
   # Convert a name into a label.
   def self.labelize(name)
-    name.to_s.capitalize.gsub("_", " ")
+    name.to_s.capitalize.tr("_", " ")
   end
 end

data/lib/puppet/util/provider_features.rb CHANGED

@@ -78,7 +78,7 @@ module Puppet::Util::ProviderFeatures
     str = ""
     @features ||= {}
     return nil if @features.empty?
-    names = @features.keys.sort { |a,b| a.to_s <=> b.to_s }
+    names = @features.keys.sort_by(&:to_s)
     names.each do |name|
       doc = @features[name].docs.gsub(/\n\s+/, " ")
       str << "- *#{name}*: #{doc}\n"
@@ -127,9 +127,7 @@ module Puppet::Util::ProviderFeatures
       # Create a method that will list all functional features.
       @feature_module.send(:define_method, :features) do
         return false unless defined?(features)
-        features.keys.find_all { |n| feature?(n) }.sort { |a,b|
-          a.to_s <=> b.to_s
-        }
+        features.keys.find_all { |n| feature?(n) }.sort_by(&:to_s)
       end
       # Create a method that will determine if a provided list of

data/lib/puppet/util/rdoc.rb CHANGED

@@ -31,7 +31,7 @@ module Puppet::Util::RDoc
     # uses relative_path_from that will generate errors when the slashes don't
     # properly match.  This is a workaround for that issue.
     if Puppet::Util::Platform.windows? && RDoc::VERSION !~ /^[0-3]\./
-      options += [ "--root", Dir.pwd.gsub(/\\/, '/')]
+      options += [ "--root", Dir.pwd.tr('\\', '/')]
     end
     options += files

data/lib/puppet/util/reference.rb CHANGED

@@ -58,7 +58,7 @@ class Puppet::Util::Reference
   def self.references(environment)
     instance_loader(:reference).loadall(environment)
-    loaded_instances(:reference).sort { |a,b| a.to_s <=> b.to_s }
+    loaded_instances(:reference).sort_by(&:to_s)
   end
   attr_accessor :page, :depth, :header, :title, :dynamic

data/lib/puppet/util/resource_template.rb CHANGED

@@ -53,7 +53,7 @@ class Puppet::Util::ResourceTemplate
   def set_resource_variables
     @resource.to_hash.each do |param, value|
-      var = "@#{param.to_s}"
+      var = "@#{param}"
       instance_variable_set(var, value)
     end
   end

data/lib/puppet/util/selinux.rb CHANGED

@@ -206,7 +206,9 @@ module Puppet::Util::SELinux
         # If possible we use read_nonblock in a loop rather than read to work-
         # a linux kernel bug.  See ticket #1963 for details.
         mountfh = File.open("/proc/mounts")
-        mounts += mountfh.read_nonblock(1024) while true
+        loop do
+          mounts += mountfh.read_nonblock(1024)
+        end
       else
         # Otherwise we shell out and let cat do it for us
         mountfh = IO.popen("/bin/cat /proc/mounts")

data/lib/puppet/util/windows/adsi.rb CHANGED

@@ -1,6 +1,23 @@
 module Puppet::Util::Windows::ADSI
   require 'ffi'
+  # https://docs.microsoft.com/en-us/windows/win32/api/dsrole/ne-dsrole-dsrole_machine_role
+  STANDALONE_WORKSTATION = 0
+  MEMBER_WORKSTATION = 1
+  STANDALONE_SERVER = 2
+  MEMBER_SERVER = 3
+  BACKUP_DOMAIN_CONTROLLER = 4
+  PRIMARY_DOMAIN_CONTROLLER = 5
+  DOMAIN_ROLES = {
+    STANDALONE_WORKSTATION => :STANDALONE_WORKSTATION,
+    MEMBER_WORKSTATION => :MEMBER_WORKSTATION,
+    STANDALONE_SERVER => :STANDALONE_SERVER,
+    MEMBER_SERVER => :MEMBER_SERVER,
+    BACKUP_DOMAIN_CONTROLLER => :BACKUP_DOMAIN_CONTROLLER,
+    PRIMARY_DOMAIN_CONTROLLER => :PRIMARY_DOMAIN_CONTROLLER,
+  }
   class << self
     extend FFI::Library
@@ -94,6 +111,14 @@ module Puppet::Util::Windows::ADSI
       wmi_connection.execquery(query)
     end
+    def domain_role
+      unless @domain_role
+        query_result = Puppet::Util::Windows::ADSI.execquery('select DomainRole from Win32_ComputerSystem').to_enum.first
+        @domain_role = DOMAIN_ROLES[query_result.DomainRole] if query_result
+      end
+      @domain_role
+    end
     ffi_convention :stdcall
     # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724295(v=vs.85).aspx
@@ -176,7 +201,12 @@ module Puppet::Util::Windows::ADSI
         well_known = false
         if (sid = Puppet::Util::Windows::SID.name_to_principal(name_or_sid))
           # Examples of SidType include SidTypeUser, SidTypeGroup
-          return true if sid.account_type == "SidType#{@object_class.capitalize}".to_sym
+          if sid.account_type == "SidType#{@object_class.capitalize}".to_sym
+            # Check if we're getting back a local user when domain-joined
+            return true unless [:MEMBER_WORKSTATION, :MEMBER_SERVER].include?(Puppet::Util::Windows::ADSI.domain_role)
+            # The resource domain and the computer name are not always case-matching
+            return sid.domain.casecmp(Puppet::Util::Windows::ADSI.computer_name) == 0
+          end
           # 'well known group' is special as it can be a group like Everyone OR a user like SYSTEM
           # so try to resolve it
@@ -386,23 +416,23 @@ module Puppet::Util::Windows::ADSI
       ADS_UF_SCRIPT:                                 0x0001,
       ADS_UF_ACCOUNTDISABLE:                         0x0002,
       ADS_UF_HOMEDIR_REQUIRED:                       0x0008,
-      ADS_UF_LOCKOUT:                                0x0010,
-      ADS_UF_PASSWD_NOTREQD:                         0x0020,
-      ADS_UF_PASSWD_CANT_CHANGE:                     0x0040,
-      ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:        0x0080,
-      ADS_UF_TEMP_DUPLICATE_ACCOUNT:                 0x0100,
-      ADS_UF_NORMAL_ACCOUNT:                         0x0200,
-      ADS_UF_INTERDOMAIN_TRUST_ACCOUNT:              0x0800,
-      ADS_UF_WORKSTATION_TRUST_ACCOUNT:              0x1000,
-      ADS_UF_SERVER_TRUST_ACCOUNT:                   0x2000,
-      ADS_UF_DONT_EXPIRE_PASSWD:                     0x10000,
-      ADS_UF_MNS_LOGON_ACCOUNT:                      0x20000,
-      ADS_UF_SMARTCARD_REQUIRED:                     0x40000,
-      ADS_UF_TRUSTED_FOR_DELEGATION:                 0x80000,
-      ADS_UF_NOT_DELEGATED:                          0x100000,
-      ADS_UF_USE_DES_KEY_ONLY:                       0x200000,
-      ADS_UF_DONT_REQUIRE_PREAUTH:                   0x400000,
-      ADS_UF_PASSWORD_EXPIRED:                       0x800000,
+      ADS_UF_LOCKOUT:                                0x0010,
+      ADS_UF_PASSWD_NOTREQD:                         0x0020,
+      ADS_UF_PASSWD_CANT_CHANGE:                     0x0040,
+      ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:        0x0080,
+      ADS_UF_TEMP_DUPLICATE_ACCOUNT:                 0x0100,
+      ADS_UF_NORMAL_ACCOUNT:                         0x0200,
+      ADS_UF_INTERDOMAIN_TRUST_ACCOUNT:              0x0800,
+      ADS_UF_WORKSTATION_TRUST_ACCOUNT:              0x1000,
+      ADS_UF_SERVER_TRUST_ACCOUNT:                   0x2000,
+      ADS_UF_DONT_EXPIRE_PASSWD:                     0x10000,
+      ADS_UF_MNS_LOGON_ACCOUNT:                      0x20000,
+      ADS_UF_SMARTCARD_REQUIRED:                     0x40000,
+      ADS_UF_TRUSTED_FOR_DELEGATION:                 0x80000,
+      ADS_UF_NOT_DELEGATED:                          0x100000,
+      ADS_UF_USE_DES_KEY_ONLY:                       0x200000,
+      ADS_UF_DONT_REQUIRE_PREAUTH:                   0x400000,
+      ADS_UF_PASSWORD_EXPIRED:                       0x800000,
       ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 0x1000000
     }

data/lib/puppet/util/windows/registry.rb CHANGED

@@ -46,11 +46,12 @@ module Puppet::Util::Windows
       subkey_max_len, _ = reg_query_info_key_max_lengths(key)
-      begin
+      loop do
         subkey, filetime = reg_enum_key(key, index, subkey_max_len)
         yield subkey, filetime if !subkey.nil?
         index += 1
-      end while !subkey.nil?
+        break if subkey.nil?
+      end
       index
     end
@@ -93,11 +94,12 @@ module Puppet::Util::Windows
       _, value_max_len = reg_query_info_key_max_lengths(key)
-      begin
+      loop do
         subkey, type, data = reg_enum_value(key, index, value_max_len)
         yield subkey, type, data if !subkey.nil?
         index += 1
-      end while !subkey.nil?
+        break if subkey.nil?
+      end
       index
     end
@@ -314,7 +316,7 @@ module Puppet::Util::Windows
     def sanitize(value)
       # Replace null bytes with a space
-      value.gsub!("\x00", ' ')
+      value.tr!("\x00", ' ')
       value
     end

data/lib/puppet/vendor.rb CHANGED

@@ -45,7 +45,7 @@ module Puppet
       #
       def load_vendored
         Dir.entries(vendor_dir).each do |entry|
-          if entry.match(/load_(\w+?)\.rb$/)
+          if entry =~ /load_(\w+?)\.rb$/
             load_entry entry
           end
         end

data/lib/puppet/version.rb CHANGED

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 module Puppet
-  PUPPETVERSION = '6.4.4'
+  PUPPETVERSION = '6.4.5'
   ##
   # version is a public API method intended to always provide a fast and

data/lib/puppet/x509/cert_provider.rb CHANGED

@@ -15,12 +15,16 @@ class Puppet::X509::CertProvider
                  crlpath: Puppet[:hostcrl],
                  privatekeydir: Puppet[:privatekeydir],
                  certdir: Puppet[:certdir],
-                 requestdir: Puppet[:requestdir])
+                 requestdir: Puppet[:requestdir],
+                 hostprivkey: Puppet.settings.set_by_config?(:hostprivkey) ? Puppet[:hostprivkey] : nil,
+                 hostcert: Puppet.settings.set_by_config?(:hostcert) ? Puppet[:hostcert] : nil)
     @capath = capath
     @crlpath = crlpath
     @privatekeydir = privatekeydir
     @certdir = certdir
     @requestdir = requestdir
+    @hostprivkey = hostprivkey
+    @hostcert = hostcert
   end
   # Save `certs` to the configured `capath`.
@@ -117,7 +121,7 @@ class Puppet::X509::CertProvider
   # @raise [Puppet::Error] if the private key cannot be saved
   # @api private
   def save_private_key(name, key)
-    path = to_path(@privatekeydir, name)
+    path = @hostprivkey || to_path(@privatekeydir, name)
     save_pem(key.to_pem, path, **permissions_for_setting(:hostprivkey))
   rescue SystemCallError => e
     raise Puppet::Error.new(_("Failed to save private key for '%{name}'") % {name: name}, e)
@@ -133,7 +137,7 @@ class Puppet::X509::CertProvider
   # @raise [Puppet::Error] if the private key cannot be loaded
   # @api private
   def load_private_key(name, required: false)
-    path = to_path(@privatekeydir, name)
+    path = @hostprivkey || to_path(@privatekeydir, name)
     pem = load_pem(path)
     if !pem && required
       raise Puppet::Error, _("The private key is missing from '%{path}'") % { path: path }
@@ -163,7 +167,7 @@ class Puppet::X509::CertProvider
   # @raise [Puppet::Error] if the client cert cannot be saved
   # @api private
   def save_client_cert(name, cert)
-    path = to_path(@certdir, name)
+    path = @hostcert || to_path(@certdir, name)
     save_pem(cert.to_pem, path, **permissions_for_setting(:hostcert))
   rescue SystemCallError => e
     raise Puppet::Error.new(_("Failed to save client certificate for '%{name}'") % {name: name}, e)
@@ -178,7 +182,7 @@ class Puppet::X509::CertProvider
   # @raise [Puppet::Error] if the client cert cannot be loaded
   # @api private
   def load_client_cert(name, required: false)
-    path = to_path(@certdir, name)
+    path = @hostcert || to_path(@certdir, name)
     pem = load_pem(path)
     if !pem && required
       raise Puppet::Error, _("The client certificate is missing from '%{path}'") % { path: path }
@@ -280,7 +284,10 @@ class Puppet::X509::CertProvider
   def permissions_for_setting(name)
     setting = Puppet.settings.setting(name)
     perm = { mode: setting.mode.to_i(8) }
-    perm.merge!(owner: setting.owner, group: setting.group) if Puppet.features.root? && !Puppet::Util::Platform.windows?
+    if Puppet.features.root? && !Puppet::Util::Platform.windows?
+      perm[:owner] = setting.owner
+      perm[:group] = setting.group
+    end
     perm
   end
 end