puppet 7.7.0-x64-mingw32 → 7.11.0-x64-mingw32

data/lib/puppet/transaction/additional_resource_generator.rb

@@ -137,7 +137,7 @@ class Puppet::Transaction::AdditionalResourceGenerator
       else
         @catalog.add_resource_after(parent_resource, res)
       end
-      @catalog.add_edge(@catalog.container_of(parent_resource), res)
+      @catalog.add_edge(@catalog.container_of(parent_resource), res) if @catalog.container_of(parent_resource)
       if @relationship_graph && priority
         # If we have a relationship_graph we should add the resource
         # to it (this is an eval_generate). If we don't, then the

data/lib/puppet/transaction/persistence.rb

@@ -87,7 +87,17 @@ class Puppet::Transaction::Persistence
 
   # Save data from internal class to persistence store on disk.
   def save
-    Puppet::Util::Yaml.dump(@new_data, Puppet[:transactionstorefile])
+    converted_data = Puppet::Pops::Serialization::ToDataConverter.convert(
+      @new_data, {
+        symbol_as_string: false,
+        local_reference: false,
+        type_by_reference: true,
+        force_symbol: true,
+        silence_warnings: true,
+        message_prefix: to_s
+      }
+    )
+    Puppet::Util::Yaml.dump(converted_data, Puppet[:transactionstorefile])
   end
 
   # Use the catalog and run_mode to determine if persistence should be enabled or not

data/lib/puppet/transaction/report.rb

@@ -75,6 +75,10 @@ class Puppet::Transaction::Report
   # @return [String] the environment name
   attr_accessor :environment
 
+  # The name of the environment the agent initially started in
+  # @return [String] the environment name
+  attr_accessor :initial_environment
+
   # Whether there are changes that we decided not to apply because of noop
   # @return [Boolean]
   #
@@ -375,7 +379,17 @@ class Puppet::Transaction::Report
   # @api public
   #
   def raw_summary
-    report = { "version" => { "config" => configuration_version, "puppet" => Puppet.version  } }
+    report = {
+      "version" => {
+        "config" => configuration_version,
+        "puppet" => Puppet.version
+      },
+      "application" => {
+        "run_mode" => Puppet.run_mode.name.to_s,
+        "initial_environment" => initial_environment,
+        "converged_environment" => environment
+      }
+    }
 
     @metrics.each do |name, metric|
       key = metric.name.to_s

data/lib/puppet/type/exec.rb

@@ -11,7 +11,10 @@ module Puppet
 
       * The command itself is already idempotent. (For example, `apt-get update`.)
       * The exec has an `onlyif`, `unless`, or `creates` attribute, which prevents
-        Puppet from running the command unless some condition is met.
+        Puppet from running the command unless some condition is met. The
+        `onlyif` and `unless` commands of an `exec` are used in the process of
+        determining whether the `exec` is already in sync, therefore they must be run
+        during a noop Puppet run.
       * The exec has `refreshonly => true`, which allows Puppet to run the
         command only when some other resource is changed. (See the notes on refreshing
         below.) 
@@ -198,10 +201,20 @@ module Puppet
         any output is logged at the `err` log level.
 
         Multiple `exec` resources can use the same `command` value; Puppet
-        only uses the resource title to ensure `exec`s are unique."
+        only uses the resource title to ensure `exec`s are unique.
+
+        On *nix platforms, the command can be specified as an array of
+        strings and Puppet will invoke it using the more secure method of
+        parameterized system calls. For example, rather than executing the
+        malicious injected code, this command will echo it out:
+
+            command => ['/bin/echo', 'hello world; rm -rf /']
+      "
 
       validate do |command|
-        raise ArgumentError, _("Command must be a String, got value of class %{klass}") % { klass: command.class } unless command.is_a? String
+        unless command.is_a?(String) || command.is_a?(Array)
+          raise ArgumentError, _("Command must be a String or Array<String>, got value of class %{klass}") % { klass: command.class }
+        end
       end
     end
 
@@ -454,10 +467,17 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
+        Since this command is used in the process of determining whether the
+        `exec` is already in sync, it must be run during a noop Puppet run.
+
         This parameter can also take an array of commands. For example:
 
             unless => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
+        or an array of arrays. For example:
+
+            unless => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
+
         This `exec` would only run if every command in the array has a
         non-zero exit code.
       EOT
@@ -510,10 +530,17 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
+        Since this command is used in the process of determining whether the
+        `exec` is already in sync, it must be run during a noop Puppet run.
+
         This parameter can also take an array of commands. For example:
 
             onlyif => ['test -f /tmp/file1', 'test -f /tmp/file2'],
 
+        or an array of arrays. For example:
+
+            onlyif => [['test', '-f', '/tmp/file1'], 'test -f /tmp/file2']
+
         This `exec` would only run if every command in the array has an
         exit code of 0 (success).
       EOT
@@ -562,12 +589,14 @@ module Puppet
       reqs << self[:cwd] if self[:cwd]
 
       file_regex = Puppet::Util::Platform.windows? ? %r{^([a-zA-Z]:[\\/]\S+)} : %r{^(/\S+)}
+      cmd = self[:command]
+      cmd = cmd[0] if cmd.is_a? Array
 
-      self[:command].scan(file_regex) { |str|
+      cmd.scan(file_regex) { |str|
         reqs << str
       }
 
-      self[:command].scan(/^"([^"]+)"/) { |str|
+      cmd.scan(/^"([^"]+)"/) { |str|
         reqs << str
       }
 
@@ -583,6 +612,7 @@ module Puppet
           # fully qualified.  It might not be a bad idea to add
           # unqualified files, but, well, that's a bit more annoying
           # to do.
+          line = line[0] if line.is_a? Array
           reqs += line.scan(file_regex)
         end
       }

data/lib/puppet/type/file/mode.rb

@@ -90,9 +90,15 @@ module Puppet
         raise Puppet::Error, "The file mode specification is invalid: #{value.inspect}"
       end
 
+      # normalizes to symbolic form, e.g. u+a, an octal string without leading 0
       normalize_symbolic_mode(value)
     end
 
+    unmunge do |value|
+      # return symbolic form or octal string *with* leading 0's
+      display_mode(value) if value
+    end
+
     def desired_mode_from_current(desired, current)
       current = current.to_i(8) if current.is_a? String
       is_a_directory = @resource.stat && @resource.stat.directory?

data/lib/puppet/type/file.rb

@@ -91,23 +91,23 @@ Puppet::Type.newtype(:file) do
 
       Backing up to a local filebucket isn't particularly useful. If you want
       to make organized use of backups, you will generally want to use the
-      puppet master server's filebucket service. This requires declaring a
+      primary Puppet server's filebucket service. This requires declaring a
       filebucket resource and a resource default for the `backup` attribute
       in site.pp:
 
           # /etc/puppetlabs/puppet/manifests/site.pp
           filebucket { 'main':
             path   => false,                # This is required for remote filebuckets.
-            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
+            server => 'puppet.example.com', # Optional; defaults to the configured primary Puppet server.
           }
 
           File { backup => main, }
 
-      If you are using multiple puppet master servers, you will want to
+      If you are using multiple primary servers, you will want to
       centralize the contents of the filebucket. Either configure your load
-      balancer to direct all filebucket traffic to a single master, or use
+      balancer to direct all filebucket traffic to a single primary server, or use
       something like an out-of-band rsync task to synchronize the content on all
-      masters.
+      primary servers.
 
       > **Note**: Enabling and using the backup option, and by extension the 
         filebucket resource, requires appropriate planning and management to ensure 
@@ -359,7 +359,7 @@ Puppet::Type.newtype(:file) do
       This command must have a fully qualified path, and should contain a
       percent (`%`) token where it would expect an input file. It must exit `0`
       if the syntax is correct, and non-zero otherwise. The command will be
-      run on the target system while applying the catalog, not on the puppet master.
+      run on the target system while applying the catalog, not on the primary Puppet server.
 
       Example:
 

data/lib/puppet/type/filebucket.rb

@@ -4,7 +4,7 @@ module Puppet
   Type.newtype(:filebucket) do
     @doc = <<-EOT
       A repository for storing and retrieving file content by MD5 checksum. Can
-      be local to each agent node, or centralized on a puppet master server. All
+      be local to each agent node, or centralized on a primary Puppet server. All
       puppet servers provide a filebucket service that agent nodes can access
       via HTTP, but you must declare a filebucket resource before any agents
       will do so.
@@ -25,7 +25,7 @@ module Puppet
           # /etc/puppetlabs/puppet/manifests/site.pp
           filebucket { 'main':
             path   => false,                # This is required for remote filebuckets.
-            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
+            server => 'puppet.example.com', # Optional; defaults to the configured primary server.
           }
 
           File { backup => main, }

data/lib/puppet/type/group.rb

@@ -1,5 +1,4 @@
 require 'etc'
-require 'facter'
 require_relative '../../puppet/property/keyvalue'
 require_relative '../../puppet/parameter/boolean'
 

data/lib/puppet/type/resources.rb

@@ -175,7 +175,7 @@ Puppet::Type.newtype(:resources) do
     end
 
     # Otherwise, use a sensible default based on the OS family
-    @system_users_max_uid ||= case Facter.value(:osfamily)
+    @system_users_max_uid ||= case Puppet.runtime[:facter].value(:osfamily)
       when 'OpenBSD', 'FreeBSD'
         999
       else

data/lib/puppet/type/service.rb

@@ -38,6 +38,12 @@ module Puppet
     feature :enableable, "The provider can enable and disable the service.",
       :methods => [:disable, :enable, :enabled?]
 
+    feature :delayed_startable, "The provider can set service to delayed start",
+      :methods => [:delayed_start]
+
+    feature :manual_startable, "The provider can set service to manual start",
+      :methods => [:manual_start]
+
     feature :controllable, "The provider uses a control variable."
 
     feature :flaggable, "The provider can pass flags to the service."
@@ -67,7 +73,7 @@ module Puppet
         provider.disable
       end
 
-      newvalue(:manual, :event => :service_manual_start) do
+      newvalue(:manual, :event => :service_manual_start, :required_features => :manual_startable) do
         provider.manual_start
       end
 
@@ -81,8 +87,7 @@ module Puppet
         provider.enabled?
       end
 
-      # This only works on Windows systems.
-      newvalue(:delayed, :event => :service_delayed_start) do
+      newvalue(:delayed, :event => :service_delayed_start, :required_features => :delayed_startable) do
         provider.delayed_start
       end
 
@@ -90,12 +95,6 @@ module Puppet
         return provider.enabled_insync?(current) if provider.respond_to?(:enabled_insync?)
         super(current)
       end
-
-      validate do |value|
-        if (value == :manual || value == :delayed) && !Puppet::Util::Platform.windows?
-          raise Puppet::Error.new(_("Setting enable to %{value} is only supported on Microsoft Windows.") % { value: value.to_s} )
-        end
-      end
     end
 
     # Handle whether the service should actually be running right now.

data/lib/puppet/type/tidy.rb

@@ -144,7 +144,7 @@ Puppet::Type.newtype(:tidy) do
 
     def tidy?(path, stat)
       # If the file's older than we allow, we should get rid of it.
-      (Time.now.to_i - stat.send(resource[:type]).to_i) > value
+      (Time.now.to_i - stat.send(resource[:type]).to_i) >= value
     end
 
     munge do |age|

data/lib/puppet/type/user.rb

@@ -1,5 +1,4 @@
 require 'etc'
-require 'facter'
 require_relative '../../puppet/parameter/boolean'
 require_relative '../../puppet/property/list'
 require_relative '../../puppet/property/ordered_list'
@@ -67,6 +66,7 @@ module Puppet
     newproperty(:ensure, :parent => Puppet::Property::Ensure) do
       newvalue(:present, :event => :user_created) do
         provider.create
+        @resource.generate
       end
 
       newvalue(:absent, :event => :user_removed) do
@@ -694,7 +694,8 @@ module Puppet
     end
 
     def generate
-      if !self[:purge_ssh_keys].empty?
+      if !self[:purge_ssh_keys].empty? && self[:purge_ssh_keys] != :false
+        return [] if self[:ensure] == :present && !provider.exists? 
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
         else
@@ -743,25 +744,6 @@ module Puppet
         end
         raise ArgumentError, _("purge_ssh_keys must be true, false, or an array of file names, not %{value}") % { value: value.inspect }
       end
-
-      munge do |value|
-        # Resolve string, boolean and symbol forms of true and false to a
-        # single representation.
-        test_sym = value.to_s.intern
-        value = test_sym if [:true, :false].include? test_sym
-
-        return [] if value == :false
-        home = resource[:home] || Dir.home(resource[:name])
-
-        return [ "#{home}/.ssh/authorized_keys" ] if value == :true
-        # value is an array - munge each value
-        [ value ].flatten.map do |entry|
-          # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
-          entry = entry.gsub(/^~\//, "#{home}/")
-          entry.gsub!(/^%h\//, "#{home}/")
-          entry
-        end
-      end
     end
 
     newproperty(:loginclass, :required_features => :manages_loginclass) do
@@ -783,7 +765,7 @@ module Puppet
     # @see generate
     # @api private
     def find_unmanaged_keys
-      self[:purge_ssh_keys].
+      munged_unmanaged_keys.
         select { |f| File.readable?(f) }.
         map { |f| unknown_keys_in_file(f) }.
         flatten.each do |res|
@@ -795,6 +777,41 @@ module Puppet
         end
     end
 
+    def munged_unmanaged_keys
+      value = self[:purge_ssh_keys]
+
+      # Resolve string, boolean and symbol forms of true and false to a
+      # single representation.
+      test_sym = value.to_s.intern
+      value = test_sym if [:true, :false].include? test_sym
+
+      return [] if value == :false
+
+      home = self[:home]
+      begin
+        home ||= provider.home
+      rescue
+        Puppet.debug("User '#{self[:name]}' does not exist")
+      end
+
+      if home.to_s.empty? || !Dir.exist?(home.to_s)
+        if value == :true || [ value ].flatten.any? { |v| v.start_with?('~/', '%h/') }
+          Puppet.debug("User '#{self[:name]}' has no home directory set to purge ssh keys from.")
+          return []
+        end
+      end
+
+      return [ "#{home}/.ssh/authorized_keys" ] if value == :true
+
+      # value is an array - munge each value
+      [ value ].flatten.map do |entry|
+        # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
+        entry = entry.gsub(/^~\//, "#{home}/")
+        entry.gsub!(/^%h\//, "#{home}/")
+        entry
+      end
+    end
+
     # Parse an ssh authorized keys file superficially, extract the comments
     # on the keys. These are considered names of possible ssh_authorized_keys
     # resources. Keys that are managed by the present catalog are ignored.

data/lib/puppet/type.rb

@@ -1272,7 +1272,7 @@ class Type
       like it does when running normally. However, if a resource attribute is not in
       the desired state (as declared in the catalog), Puppet will take no
       action, and will instead report the changes it _would_ have made. These
-      simulated changes will appear in the report sent to the puppet master, or
+      simulated changes will appear in the report sent to the primary Puppet server, or
       be shown on the console if running puppet agent or puppet apply in the
       foreground. The simulated changes will not send refresh events to any
       subscribing or notified resources, although Puppet will log that a refresh

data/lib/puppet/util/command_line.rb

@@ -135,7 +135,7 @@ module Puppet
 
               # Puppet requires Facter, which initializes its lookup paths. Reset Facter to
               # pickup the new $LOAD_PATH.
-              Facter.reset
+              Puppet.runtime[:facter].reset
             end
           end
 

data/lib/puppet/util/filetype.rb

@@ -215,7 +215,7 @@ class Puppet::Util::FileType
     # Remove a specific @path's cron tab.
     def remove
       cmd = "#{cmdbase} -r"
-      if %w{Darwin FreeBSD DragonFly}.include?(Facter.value("operatingsystem"))
+      if %w{Darwin FreeBSD DragonFly}.include?(Puppet.runtime[:facter].value("operatingsystem"))
         cmd = "/bin/echo yes | #{cmd}"
       end
 
@@ -244,7 +244,7 @@ class Puppet::Util::FileType
     # Only add the -u flag when the @path is different.  Fedora apparently
     # does not think I should be allowed to set the @path to my own user name
     def cmdbase
-      if @uid == Puppet::Util::SUIDManager.uid || Facter.value(:operatingsystem) == "HP-UX"
+      if @uid == Puppet::Util::SUIDManager.uid || Puppet.runtime[:facter].value(:operatingsystem) == "HP-UX"
         return "crontab"
       else
         return "crontab -u #{@path}"

data/lib/puppet/util/log.rb

@@ -2,7 +2,6 @@ require_relative '../../puppet/util/tagging'
 require_relative '../../puppet/util/classgen'
 require_relative '../../puppet/util/psych_support'
 require_relative '../../puppet/network/format_support'
-require 'facter'
 
 # Pass feedback to the user.  Log levels are modeled after syslog's, and it is
 # expected that that will be the most common log destination.  Supports
@@ -111,7 +110,7 @@ class Puppet::Util::Log
     @loglevel = @levels.index(level)
 
     # Enable or disable Facter debugging
-    Facter.debugging(level == :debug) if Facter.respond_to? :debugging
+    Puppet.runtime[:facter].debugging(level == :debug)
   end
 
   def Log.levels