puppet 6.7.2 → 6.8.0

data/lib/puppet/network/http/factory.rb

@@ -25,17 +25,7 @@ class Puppet::Network::HTTP::Factory
   def create_connection(site)
     Puppet.debug("Creating new connection for #{site}")
 
-    args = [site.host, site.port]
-
-    unless Puppet::Util::HttpProxy.no_proxy?(site)
-      if Puppet[:http_proxy_host] == "none"
-        args << nil << nil
-      else
-        args << Puppet[:http_proxy_host] << Puppet[:http_proxy_port]
-      end
-    end
-
-    http = Net::HTTP.new(*args)
+    http = Puppet::Util::HttpProxy.proxy(URI(site.addr))
     http.use_ssl = site.use_ssl?
     http.read_timeout = Puppet[:http_read_timeout]
     http.open_timeout = Puppet[:http_connect_timeout]

data/lib/puppet/pops/lookup.rb

@@ -94,3 +94,4 @@ end
 end
 
 require_relative 'lookup/lookup_adapter'
+require_relative 'lookup/key_recorder'

data/lib/puppet/pops/lookup/key_recorder.rb

@@ -0,0 +1,18 @@
+# This class defines the private API of the Lookup Key Recorder support.
+# @api private
+#
+class Puppet::Pops::Lookup::KeyRecorder
+
+  def initialize()
+  end
+
+  def self.singleton
+    @null_recorder ||= self.new
+  end
+
+  # Records a key
+  # (This implementation does nothing)
+  #
+  def record(key)
+  end
+end

data/lib/puppet/pops/lookup/lookup_adapter.rb

@@ -27,6 +27,8 @@ class LookupAdapter < DataAdapter
     super()
     @compiler = compiler
     @lookup_options = {}
+    # Get a KeyRecorder from context, and set a "null recorder" if not defined
+    @key_recorder = Puppet.lookup(:lookup_key_recorder) { KeyRecorder.singleton }
   end
 
   # Performs a lookup using global, environment, and module data providers. Merge the result using the given
@@ -48,6 +50,11 @@ class LookupAdapter < DataAdapter
       end
     end
 
+    # Record that the key was looked up. This will record all keys for which a lookup is performed
+    # except 'lookup_options' (since that is illegal from a user perspective,
+    # and from an impact perspective is always looked up).
+    @key_recorder.record(key)
+
     key = LookupKey.new(key)
     lookup_invocation.lookup(key, key.module_name) do
       if lookup_invocation.only_explain_options?

data/lib/puppet/provider/file/posix.rb

@@ -8,6 +8,11 @@ Puppet::Type.type(:file).provide :posix do
   include Puppet::Util::Warnings
 
   require 'etc'
+  require 'puppet/util/selinux'
+
+  def self.post_resource_eval
+    Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support?
+  end
 
   def uid2name(id)
     return id.to_s if id.is_a?(Symbol) or id.is_a?(String)

data/lib/puppet/provider/nameservice.rb

@@ -173,9 +173,10 @@ class Puppet::Provider::NameService < Puppet::Provider
     end
 
     begin
-      execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+      sensitive = has_sensitive_data?
+      execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
       if feature?(:manages_password_age) && (cmd = passcmd)
-        execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+        execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
       end
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, _("Could not create %{resource} %{name}: %{detail}") % { resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
@@ -279,13 +280,19 @@ class Puppet::Provider::NameService < Puppet::Provider
     self.class.validate(param, value)
     cmd = modifycmd(param, munge(param, value))
     raise Puppet::DevError, _("Nameservice command must be an array") unless cmd.is_a?(Array)
+    sensitive = has_sensitive_data?(param)
     begin
-      execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+      execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, _("Could not set %{param} on %{resource}[%{name}]: %{detail}") % { param: param, resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
     end
   end
 
+  #Derived classes can override to declare sensitive data so a flag can be passed to execute
+  def has_sensitive_data?(property = nil)
+    false
+  end
+
   # From overriding Puppet::Property#insync? Ruby Etc::getpwnam < 2.1.0 always
   # returns a struct with binary encoded string values, and >= 2.1.0 will return
   # binary encoded strings for values incompatible with current locale charset,

data/lib/puppet/provider/package/apt.rb

@@ -8,7 +8,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
     These options should be specified as an array where each element is either a
      string or a hash."
 
-  has_feature :versionable, :install_options
+  has_feature :versionable, :install_options, :virtual_packages
 
   commands :aptget => "/usr/bin/apt-get"
   commands :aptcache => "/usr/bin/apt-cache"

data/lib/puppet/provider/package/dpkg.rb

@@ -5,7 +5,7 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
     and not `apt`, you must specify the source of any packages you want
     to manage."
 
-  has_feature :holdable
+  has_feature :holdable, :virtual_packages 
 
   commands :dpkg => "/usr/bin/dpkg"
   commands :dpkg_deb => "/usr/bin/dpkg-deb"
@@ -45,16 +45,18 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
   # Note: self:: is required here to keep these constants in the context of what will
   # eventually become this Puppet::Type::Package::ProviderDpkg class.
   self::DPKG_QUERY_FORMAT_STRING = %Q{'${Status} ${Package} ${Version}\\n'}
+  self::DPKG_QUERY_PROVIDES_FORMAT_STRING = %Q{'${Status} ${Package} ${Version} [${Provides}]\\n'}
   self::FIELDS_REGEX = %r{^(\S+) +(\S+) +(\S+) (\S+) (\S*)$}
+  self::FIELDS_REGEX_WITH_PROVIDES = %r{^(\S+) +(\S+) +(\S+) (\S+) (\S*) \[.*\]$} 
   self::FIELDS= [:desired, :error, :status, :name, :ensure]
 
   # @param line [String] one line of dpkg-query output
   # @return [Hash,nil] a hash of FIELDS or nil if we failed to match
   # @api private
-  def self.parse_line(line)
+  def self.parse_line(line, regex=self::FIELDS_REGEX)
     hash = nil
 
-    match = self::FIELDS_REGEX.match(line)
+    match = regex.match(line)
     if match
       hash = {}
 
@@ -116,6 +118,18 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
 
     # list out our specific package
     begin
+      if @resource.allow_virtual?
+        output = dpkgquery(
+          "-W",
+          "--showformat",
+          self.class::DPKG_QUERY_PROVIDES_FORMAT_STRING
+        ).lines.find {|package| package.match(/\[.*#{@resource[:name]}.*\]/)}
+        if output          
+          hash = self.class.parse_line(output,self.class::FIELDS_REGEX_WITH_PROVIDES)
+          Puppet.info("Package #{@resource[:name]} is virtual, defaulting to #{hash[:name]}")
+          @resource[:name] = hash[:name]
+        end
+      end
       output = dpkgquery(
         "-W",
         "--showformat",

data/lib/puppet/provider/service/launchd.rb

@@ -241,12 +241,20 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
   def status
     if @resource && ((@resource[:hasstatus] == :false) || (@resource[:status]))
       return super
-    else
-      if @property_hash[:status].nil?
-        :absent
+    elsif @property_hash[:status].nil?
+      # property_hash was flushed so the service changed status
+      service_name = @resource[:name]
+      # Updating services with new statuses
+      job_list = self.class.job_list
+      # if job is present in job_list, return its status
+      if job_list.key?(service_name)
+        job_list[service_name]
+      # if job is no longer present in job_list, it was stopped
       else
-        @property_hash[:status]
+        :stopped
       end
+    else
+      @property_hash[:status]
     end
   end
 
@@ -314,7 +322,14 @@ Puppet::Type.type(:service).provide :launchd, :parent => :base do
     job_plist_disabled = nil
     overrides_disabled = nil
 
-    _, job_plist = plist_from_label(resource[:name])
+    begin
+      _, job_plist = plist_from_label(resource[:name])
+    rescue Puppet::Error => err
+      # if job does not exist, log the error and return false as on other platforms
+      Puppet.log_exception(err)
+      return :false
+    end
+
     job_plist_disabled = job_plist["Disabled"] if job_plist.has_key?("Disabled")
 
     overrides = self.class.read_overrides if FileTest.file?(self.class.launchd_overrides)

data/lib/puppet/provider/service/systemd.rb

@@ -1,5 +1,7 @@
 # Manage systemd services using systemctl
 
+require 'puppet/file_system'
+
 Puppet::Type.type(:service).provide :systemd, :parent => :base do
   desc "Manages `systemd` services using `systemctl`.
 
@@ -9,14 +11,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
 
   commands :systemctl => "systemctl"
 
-  if Facter.value(:osfamily).downcase == 'debian'
-    # With multiple init systems on Debian, it is possible to have
-    # pieces of systemd around (e.g. systemctl) but not really be
-    # using systemd.  We do not do this on other platforms as it can
-    # cause issues when running in a chroot without /run mounted
-    # (PUP-5577)
-    confine :exists => "/run/systemd/system"
-  end
+  confine :true => Puppet::FileSystem.exist?('/proc/1/exe') && Puppet::FileSystem.readlink('/proc/1/exe').include?('systemd')
 
   defaultfor :osfamily => [:archlinux]
   defaultfor :osfamily => :redhat, :operatingsystemmajrelease => ["7", "8"]
@@ -24,8 +19,8 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   defaultfor :osfamily => :suse
   defaultfor :osfamily => :coreos
   defaultfor :operatingsystem => :amazon, :operatingsystemmajrelease => ["2"]
-  defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ["8", "stretch/sid", "9", "buster/sid"]
-
+  defaultfor :operatingsystem => :debian
+  notdefaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ["5", "6", "7"] # These are using the "debian" method
   defaultfor :operatingsystem => :LinuxMint
   notdefaultfor :operatingsystem => :LinuxMint, :operatingsystemmajrelease => ["10", "11", "12", "13", "14", "15", "16", "17"] # These are using upstart
   defaultfor :operatingsystem => :ubuntu

data/lib/puppet/provider/user/pw.rb

@@ -67,11 +67,11 @@ Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::
 
   # use pw to update password hash
   def password=(cryptopw)
-    Puppet.debug "change password for user '#{@resource[:name]}' method called with hash '#{cryptopw}'"
+    Puppet.debug "change password for user '#{@resource[:name]}' method called with hash [redacted]"
     stdin, _, _ = Open3.popen3("pw user mod #{@resource[:name]} -H 0")
     stdin.puts(cryptopw)
     stdin.close
-    Puppet.debug "finished password for user '#{@resource[:name]}' method called with hash '#{cryptopw}'"
+    Puppet.debug "finished password for user '#{@resource[:name]}' method called with hash [redacted]"
   end
 
   # get password from /etc/master.passwd
@@ -79,10 +79,19 @@ Puppet::Type.type(:user).provide :pw, :parent => Puppet::Provider::NameService::
     Puppet.debug "checking password for user '#{@resource[:name]}' method called"
     current_passline = `getent passwd #{@resource[:name]}`
     current_password = current_passline.chomp.split(':')[1] if current_passline
-    Puppet.debug "finished password for user '#{@resource[:name]}' method called : '#{current_password}'"
+    Puppet.debug "finished password for user '#{@resource[:name]}' method called : [redacted]"
     current_password
   end
 
+  def has_sensitive_data?(property = nil)
+    #Check for sensitive values?
+    properties = property ? [property] : Puppet::Type.type(:user).validproperties
+    properties.any? do |prop|
+      p = @resource.parameter(prop)
+      p && p.respond_to?(:is_sensitive) && p.is_sensitive
+    end
+  end
+
   # Get expiry from system and convert to Puppet-style date
   def expiry
     expiry = self.get(:expiry)

data/lib/puppet/provider/user/user_role_add.rb

@@ -204,6 +204,10 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
     shadow_entry[5].empty? ? -1 : shadow_entry[5]
   end
 
+  def has_sensitive_data?(property = nil)
+    false
+  end
+
   # Read in /etc/shadow, find the line for our used and rewrite it with the
   # new pw.  Smooth like 80 grit sandpaper.
   #

data/lib/puppet/provider/user/useradd.rb

@@ -147,21 +147,35 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     # validproperties is a list of properties in undefined order
     # sort them to have a predictable command line in tests
     Puppet::Type.type(:user).validproperties.sort.each do |property|
-      next if property == :ensure
-      next if property_manages_password_age?(property)
-      next if (property == :groups) && @resource.forcelocal?
-      next if (property == :expiry) && @resource.forcelocal?
-      
-      value = @resource.should(property)
-      if value && value != ""
-        # the value needs to be quoted, mostly because -c might
-        # have spaces in it
-        cmd << flag(property) << munge(property, value)
-      end
+      value = get_value_for_property(property)
+      next if value.nil?
+      # the value needs to be quoted, mostly because -c might
+      # have spaces in it
+      cmd << flag(property) << munge(property, value)
     end
     cmd
   end
 
+  def get_value_for_property(property)
+    return nil if property == :ensure
+    return nil if property_manages_password_age?(property)
+    return nil if property == :groups and @resource.forcelocal?
+    return nil if property == :expiry and @resource.forcelocal?
+    value = @resource.should(property)
+    return nil if !value || value == ""
+
+    value
+  end
+
+  def has_sensitive_data?(property = nil)
+    #Check for sensitive values?
+    properties = property ? [property] : Puppet::Type.type(:user).validproperties
+    properties.any? do |prop|
+      p = @resource.parameter(prop)
+      p && p.respond_to?(:is_sensitive) && p.is_sensitive
+    end
+  end
+
   def addcmd
     if @resource.forcelocal?
       cmd = [command(:localadd)]

data/lib/puppet/ssl/certificate.rb

@@ -5,6 +5,8 @@ require 'puppet/ssl/base'
 # for turning CSRs into certificates; we can only
 # retrieve them from the CA (or not, as is often
 # the case).
+#
+# @deprecated Use {Puppet::SSL::SSLProvider} instead.
 class Puppet::SSL::Certificate < Puppet::SSL::Base
   # This is defined from the base class
   wraps OpenSSL::X509::Certificate

data/lib/puppet/ssl/host.rb

@@ -9,6 +9,8 @@ require 'puppet/rest/routes'
 
 # The class that manages all aspects of our SSL certificates --
 # private keys, public keys, requests, etc.
+#
+# @deprecated Use {Puppet::SSL::SSLProvider} instead.
 class Puppet::SSL::Host
   # Yay, ruby's strange constant lookups.
   Key = Puppet::SSL::Key
@@ -230,6 +232,7 @@ ERROR_STRING
     @key = @certificate = @certificate_request = nil
     @crl_usage = Puppet.settings[:certificate_revocation]
     @crl_path = Puppet.settings[:hostcrl]
+    Puppet.deprecation_warning(_("Puppet::SSL::Host is deprecated and will be removed in a future release of Puppet."));
   end
 
   # Extract the public key from the private key.

data/lib/puppet/ssl/key.rb

@@ -2,6 +2,8 @@ require 'puppet/ssl/base'
 require 'puppet/indirector'
 
 # Manage private and public keys as a pair.
+#
+# @deprecated Use {Puppet::SSL::SSLProvider} instead.
 class Puppet::SSL::Key < Puppet::SSL::Base
   wraps OpenSSL::PKey::RSA
 

data/lib/puppet/util/http_proxy.rb

@@ -33,8 +33,8 @@ module Puppet::Util::HttpProxy
   #   .example.com
   # We'll accommodate both here.
   def self.no_proxy?(dest)
-    no_proxy_env = ENV["no_proxy"] || ENV["NO_PROXY"]
-    unless no_proxy_env
+    no_proxy = self.no_proxy
+    unless no_proxy
       return false
     end
 
@@ -46,7 +46,7 @@ module Puppet::Util::HttpProxy
       end
     end
 
-    no_proxy_env.split(/\s*,\s*/).each do |d|
+    no_proxy.split(/\s*,\s*/).each do |d|
       host, port = d.split(':')
       host = Regexp.escape(host).gsub('\*', '.*')
 
@@ -128,6 +128,20 @@ module Puppet::Util::HttpProxy
     return Puppet.settings[:http_proxy_password]
   end
 
+  def self.no_proxy
+    no_proxy_env = ENV["no_proxy"] || ENV["NO_PROXY"]
+
+    if no_proxy_env
+      return no_proxy_env
+    end
+
+    if Puppet.settings[:no_proxy] == 'none'
+      return nil
+    end
+
+    return Puppet.settings[:no_proxy]
+  end
+
   # Return a Net::HTTP::Proxy object.
   #
   # This method optionally configures SSL correctly if the URI scheme is

data/lib/puppet/util/monkey_patches.rb

@@ -99,22 +99,6 @@ unless OpenSSL::X509::Name.instance_methods.include?(:to_utf8)
   end
 end
 
-if RUBY_VERSION =~ /^2\.3/
-  module OpenSSL::PKey
-    alias __original_read read
-    def read(*args)
-      __original_read(*args)
-    rescue ArgumentError => e
-      # ruby <= 2.3 raises ArgumentError if it can't decrypt
-      # passphrase protected private keys, fixed in 2.4.0
-      # see https://bugs.ruby-lang.org/issues/11774
-      raise OpenSSL::PKey::PKeyError, e.message
-    end
-    module_function :read
-    module_function :__original_read
-  end
-end
-
 unless OpenSSL::PKey::EC.instance_methods.include?(:private?)
   class OpenSSL::PKey::EC
     # Added in ruby 2.4.0 in https://github.com/ruby/ruby/commit/7c971e61f04

data/lib/puppet/util/selinux.rb

@@ -13,7 +13,7 @@ require 'pathname'
 
 module Puppet::Util::SELinux
 
-  def selinux_support?
+  def self.selinux_support?
     return false unless defined?(Selinux)
     if Selinux.is_selinux_enabled == 1
       return true
@@ -21,6 +21,10 @@ module Puppet::Util::SELinux
     false
   end
 
+  def selinux_support?
+    Puppet::Util::SELinux.selinux_support?
+  end
+
   # Retrieve and return the full context of the file.  If we don't have
   # SELinux support or if the SELinux call fails then return nil.
   def get_selinux_current_context(file)