puppet 6.7.2-universal-darwin → 6.8.0-universal-darwin

data/lib/puppet/provider/service/launchd.rb

@@ -241,12 +241,20 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   def status
     if @resource && ((@resource[:hasstatus] == :false) || (@resource[:status]))
       return super
-    else
-      if @property_hash[:status].nil?
-        :absent
+    elsif @property_hash[:status].nil?
+      # property_hash was flushed so the service changed status
+      service_name = @resource[:name]
+      # Updating services with new statuses
+      job_list = self.class.job_list
+      # if job is present in job_list, return its status
+      if job_list.key?(service_name)
+        job_list[service_name]
+      # if job is no longer present in job_list, it was stopped
       else
-        @property_hash[:status]
+        :stopped
       end
+    else
+      @property_hash[:status]
     end
   end
 
@@ -314,7 +322,14 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
     job_plist_disabled = nil
     overrides_disabled = nil
 
-    _, job_plist = plist_from_label(resource[:name])
+    begin
+      _, job_plist = plist_from_label(resource[:name])
+    rescue Puppet::Error => err
+      # if job does not exist, log the error and return false as on other platforms
+      Puppet.log_exception(err)
+      return :false
+    end
+
     job_plist_disabled = job_plist["Disabled"] if job_plist.has_key?("Disabled")
 
     overrides = self.class.read_overrides if FileTest.file?(self.class.launchd_overrides)

data/lib/puppet/provider/service/systemd.rb

@@ -1,5 +1,7 @@
 # Manage systemd services using systemctl
 
+require 'puppet/file_system'
+
 Puppet::Type.type(:service).provide :systemd, :parent => :base do
   desc "Manages `systemd` services using `systemctl`.
 
@@ -9,14 +11,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
 
   commands :systemctl => "systemctl"
 
-  if Facter.value(:osfamily).downcase == 'debian'
-    # With multiple init systems on Debian, it is possible to have
-    # pieces of systemd around (e.g. systemctl) but not really be
-    # using systemd.  We do not do this on other platforms as it can
-    # cause issues when running in a chroot without /run mounted
-    # (PUP-5577)
-    confine :exists => "/run/systemd/system"
-  end
+  confine :true => Puppet::FileSystem.exist?('/proc/1/exe') && Puppet::FileSystem.readlink('/proc/1/exe').include?('systemd')
 
   defaultfor :osfamily => [:archlinux]
   defaultfor :osfamily => :redhat, :operatingsystemmajrelease => ["7", "8"]
@@ -24,8 +19,8 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   defaultfor :osfamily => :suse
   defaultfor :osfamily => :coreos
   defaultfor :operatingsystem => :amazon, :operatingsystemmajrelease => ["2"]
-  defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ["8", "stretch/sid", "9", "buster/sid"]
-
+  defaultfor :operatingsystem => :debian
+  notdefaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ["5", "6", "7"] # These are using the "debian" method
   defaultfor :operatingsystem => :LinuxMint
   notdefaultfor :operatingsystem => :LinuxMint, :operatingsystemmajrelease => ["10", "11", "12", "13", "14", "15", "16", "17"] # These are using upstart
   defaultfor :operatingsystem => :ubuntu

data/lib/puppet/provider/user/pw.rb

@@ -67,11 +67,11 @@ Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::
 
   # use pw to update password hash
   def password=(cryptopw)
-    Puppet.debug "change password for user '#{@resource[:name]}' method called with hash '#{cryptopw}'"
+    Puppet.debug "change password for user '#{@resource[:name]}' method called with hash [redacted]"
     stdin, _, _ = Open3.popen3("pw user mod #{@resource[:name]} -H 0")
     stdin.puts(cryptopw)
     stdin.close
-    Puppet.debug "finished password for user '#{@resource[:name]}' method called with hash '#{cryptopw}'"
+    Puppet.debug "finished password for user '#{@resource[:name]}' method called with hash [redacted]"
   end
 
   # get password from /etc/master.passwd
@@ -79,10 +79,19 @@ Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::
     Puppet.debug "checking password for user '#{@resource[:name]}' method called"
     current_passline = `getent passwd #{@resource[:name]}`
     current_password = current_passline.chomp.split(':')[1] if current_passline
-    Puppet.debug "finished password for user '#{@resource[:name]}' method called : '#{current_password}'"
+    Puppet.debug "finished password for user '#{@resource[:name]}' method called : [redacted]"
     current_password
   end
 
+  def has_sensitive_data?(property = nil)
+    #Check for sensitive values?
+    properties = property ? [property] : Puppet::Type.type(:user).validproperties
+    properties.any? do |prop|
+      p = @resource.parameter(prop)
+      p && p.respond_to?(:is_sensitive) && p.is_sensitive
+    end
+  end
+
   # Get expiry from system and convert to Puppet-style date
   def expiry
     expiry = self.get(:expiry)

data/lib/puppet/provider/user/user_role_add.rb

@@ -204,6 +204,10 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
     shadow_entry[5].empty? ? -1 : shadow_entry[5]
   end
 
+  def has_sensitive_data?(property = nil)
+    false
+  end
+
   # Read in /etc/shadow, find the line for our used and rewrite it with the
   # new pw.  Smooth like 80 grit sandpaper.
   #

data/lib/puppet/provider/user/useradd.rb

@@ -147,21 +147,35 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     # validproperties is a list of properties in undefined order
     # sort them to have a predictable command line in tests
     Puppet::Type.type(:user).validproperties.sort.each do |property|
-      next if property == :ensure
-      next if property_manages_password_age?(property)
-      next if (property == :groups) && @resource.forcelocal?
-      next if (property == :expiry) && @resource.forcelocal?
-      
-      value = @resource.should(property)
-      if value && value != ""
-        # the value needs to be quoted, mostly because -c might
-        # have spaces in it
-        cmd << flag(property) << munge(property, value)
-      end
+      value = get_value_for_property(property)
+      next if value.nil?
+      # the value needs to be quoted, mostly because -c might
+      # have spaces in it
+      cmd << flag(property) << munge(property, value)
     end
     cmd
   end
 
+  def get_value_for_property(property)
+    return nil if property == :ensure
+    return nil if property_manages_password_age?(property)
+    return nil if property == :groups and @resource.forcelocal?
+    return nil if property == :expiry and @resource.forcelocal?
+    value = @resource.should(property)
+    return nil if !value || value == ""
+
+    value
+  end
+
+  def has_sensitive_data?(property = nil)
+    #Check for sensitive values?
+    properties = property ? [property] : Puppet::Type.type(:user).validproperties
+    properties.any? do |prop|
+      p = @resource.parameter(prop)
+      p && p.respond_to?(:is_sensitive) && p.is_sensitive
+    end
+  end
+
   def addcmd
     if @resource.forcelocal?
       cmd = [command(:localadd)]

data/lib/puppet/ssl/certificate.rb

@@ -5,6 +5,8 @@ require 'puppet/ssl/base'
 # for turning CSRs into certificates; we can only
 # retrieve them from the CA (or not, as is often
 # the case).
+#
+# @deprecated Use {Puppet::SSL::SSLProvider} instead.
 class Puppet::SSL::Certificate < Puppet::SSL::Base
   # This is defined from the base class
   wraps OpenSSL::X509::Certificate

data/lib/puppet/ssl/host.rb

@@ -9,6 +9,8 @@ require 'puppet/rest/routes'
 
 # The class that manages all aspects of our SSL certificates --
 # private keys, public keys, requests, etc.
+#
+# @deprecated Use {Puppet::SSL::SSLProvider} instead.
 class Puppet::SSL::Host
   # Yay, ruby's strange constant lookups.
   Key = Puppet::SSL::Key
@@ -230,6 +232,7 @@ ERROR_STRING
     @key = @certificate = @certificate_request = nil
     @crl_usage = Puppet.settings[:certificate_revocation]
     @crl_path = Puppet.settings[:hostcrl]
+    Puppet.deprecation_warning(_("Puppet::SSL::Host is deprecated and will be removed in a future release of Puppet."));
   end
 
   # Extract the public key from the private key.

data/lib/puppet/ssl/key.rb

@@ -2,6 +2,8 @@ require 'puppet/ssl/base'
 require 'puppet/indirector'
 
 # Manage private and public keys as a pair.
+#
+# @deprecated Use {Puppet::SSL::SSLProvider} instead.
 class Puppet::SSL::Key < Puppet::SSL::Base
   wraps OpenSSL::PKey::RSA
 

data/lib/puppet/util/http_proxy.rb

@@ -33,8 +33,8 @@ module Puppet::Util::HttpProxy
   #   .example.com
   # We'll accommodate both here.
   def self.no_proxy?(dest)
-    no_proxy_env = ENV["no_proxy"] || ENV["NO_PROXY"]
-    unless no_proxy_env
+    no_proxy = self.no_proxy
+    unless no_proxy
       return false
     end
 
@@ -46,7 +46,7 @@ module Puppet::Util::HttpProxy
       end
     end
 
-    no_proxy_env.split(/\s*,\s*/).each do |d|
+    no_proxy.split(/\s*,\s*/).each do |d|
       host, port = d.split(':')
       host = Regexp.escape(host).gsub('\*', '.*')
 
@@ -128,6 +128,20 @@ module Puppet::Util::HttpProxy
     return Puppet.settings[:http_proxy_password]
   end
 
+  def self.no_proxy
+    no_proxy_env = ENV["no_proxy"] || ENV["NO_PROXY"]
+
+    if no_proxy_env
+      return no_proxy_env
+    end
+
+    if Puppet.settings[:no_proxy] == 'none'
+      return nil
+    end
+
+    return Puppet.settings[:no_proxy]
+  end
+
   # Return a Net::HTTP::Proxy object.
   #
   # This method optionally configures SSL correctly if the URI scheme is

data/lib/puppet/util/monkey_patches.rb

@@ -99,22 +99,6 @@ unless OpenSSL::X509::Name.instance_methods.include?(:to_utf8)
   end
 end
 
-if RUBY_VERSION =~ /^2\.3/
-  module OpenSSL::PKey
-    alias __original_read read
-    def read(*args)
-      __original_read(*args)
-    rescue ArgumentError => e
-      # ruby <= 2.3 raises ArgumentError if it can't decrypt
-      # passphrase protected private keys, fixed in 2.4.0
-      # see https://bugs.ruby-lang.org/issues/11774
-      raise OpenSSL::PKey::PKeyError, e.message
-    end
-    module_function :read
-    module_function :__original_read
-  end
-end
-
 unless OpenSSL::PKey::EC.instance_methods.include?(:private?)
   class OpenSSL::PKey::EC
     # Added in ruby 2.4.0 in https://github.com/ruby/ruby/commit/7c971e61f04

data/lib/puppet/util/selinux.rb

@@ -13,7 +13,7 @@ require 'pathname'
 
 module Puppet::Util::SELinux
 
-  def selinux_support?
+  def self.selinux_support?
     return false unless defined?(Selinux)
     if Selinux.is_selinux_enabled == 1
       return true
@@ -21,6 +21,10 @@ module Puppet::Util::SELinux
     false
   end
 
+  def selinux_support?
+    Puppet::Util::SELinux.selinux_support?
+  end
+
   # Retrieve and return the full context of the file.  If we don't have
   # SELinux support or if the SELinux call fails then return nil.
   def get_selinux_current_context(file)

data/lib/puppet/util/windows/security.rb

@@ -200,6 +200,7 @@ module Puppet::Util::Windows::Security
     well_known_world_sid = Puppet::Util::Windows::SID::Everyone
     well_known_nobody_sid = Puppet::Util::Windows::SID::Nobody
     well_known_system_sid = Puppet::Util::Windows::SID::LocalSystem
+    well_known_app_packages_sid = Puppet::Util::Windows::SID::AllAppPackages
 
     mode = S_ISYSTEM_MISSING
 
@@ -234,6 +235,7 @@ module Puppet::Util::Windows::Security
         if (ace.mask & FILE::FILE_APPEND_DATA).nonzero?
           mode |= S_ISVTX
         end
+      when well_known_app_packages_sid
       when well_known_system_sid
       else
         #puts "Warning, unable to map SID into POSIX mode: #{ace.sid}"

data/lib/puppet/util/windows/sid.rb

@@ -46,6 +46,7 @@ module Puppet::Util::Windows
     PrintOperators              = 'S-1-5-32-550'
     BackupOperators             = 'S-1-5-32-551'
     Replicators                 = 'S-1-5-32-552'
+    AllAppPackages              = 'S-1-15-2-1'
 
     # Convert an account name, e.g. 'Administrators' into a SID string,
     # e.g. 'S-1-5-32-544'. The name can be specified as 'Administrators',

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '6.7.2'
+  PUPPETVERSION = '6.8.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/lib/puppet/x509/cert_provider.rb

@@ -191,22 +191,20 @@ class Puppet::X509::CertProvider
     # and corrected in https://github.com/ruby/openssl/commit/a896c3d1dfa090e92dec1abf8ac12843af6af721
     password ||= '    '
 
-    if Puppet::Util::Platform.jruby?
-      begin
-        if pem =~ EC_HEADER
-          OpenSSL::PKey::EC.new(pem, password)
-        else
-          OpenSSL::PKey::RSA.new(pem, password)
-        end
-      rescue OpenSSL::PKey::PKeyError => e
-        if e.message =~ /Neither PUB key nor PRIV key/
-          raise OpenSSL::PKey::PKeyError, "Could not parse PKey: no start line"
-        else
-          raise e
-        end
+    # Can't use OpenSSL::PKey.read, because it's broken in MRI 2.3, doesn't exist
+    # in JRuby 9.1, and is broken in JRuby 9.2
+    begin
+      if pem =~ EC_HEADER
+        OpenSSL::PKey::EC.new(pem, password)
+      else
+        OpenSSL::PKey::RSA.new(pem, password)
+      end
+    rescue OpenSSL::PKey::PKeyError => e
+      if e.message =~ /Neither PUB key nor PRIV key/
+        raise OpenSSL::PKey::PKeyError, "Could not parse PKey: no start line"
+      else
+        raise e
       end
-    else
-      OpenSSL::PKey.read(pem, password)
     end
   end