puppet 7.7.0 → 7.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '05951232f5875c134c0334797ae29444327333084c4fe8260e5c2e6c71251633'
-  data.tar.gz: 81ec4d7dca3f2c1858993c4feb1fe03dffb83b790e5b6d9c4eb087a6d50308c4
+  metadata.gz: acea3dc4fe14113e0ff4cacd327dda518e52ef5b69705573d538d417c677a6ac
+  data.tar.gz: 0c5d176a6c15d1850ec8a0579360dca046818cb3a89622444f93a717d6b3c519
 SHA512:
-  metadata.gz: d2110fc36c2a0be3a11126cd90af46d05f208adc10800bfa3d5377dc6eced7e08d020a4be7434e6b8250591fe09c0b468db690585f498acec02887856756f5d8
-  data.tar.gz: '08306b72933e81f87cc49fdca65154cc13b1545f63d7159316c6aa93c550e6b5105ac0f4ec3a1f7c2aa30a197f6b7dc9e0e173e37f196d12719e93e392148da1'
+  metadata.gz: 1f3f289599b56be4ec50fec65af00d84f767eb4551c73d58c5fc325cf69aaf0368827c110b00115245c71c91aec1bfeafe11660d9386db3635dc0ce376065d49
+  data.tar.gz: 9ab440f65ee22b93546023166f22f65fb9c8d562c4d0adf037fce02312d6cb08bbc7b8897adcc865c20b99ced83043a4dba28754354211bb10a5d6cba9c063f3

data/CONTRIBUTING.md

@@ -114,7 +114,7 @@ respectively.
 
 ## Submitting Changes
 
-* Sign the [Contributor License Agreement](https://cla.puppet.com).
+* Sign the [Contributor License Agreement](https://cla-assistant.io/puppetlabs/).
 * Push your changes to a topic branch in your fork of the repository.
 * Submit a pull request to the repository in the puppetlabs organization.
 * Update the related Jira ticket to mark that you have submitted code and are ready
@@ -158,4 +158,4 @@ ensure the issue has been resolved.
 * [General GitHub documentation](https://help.github.com/)
 * [GitHub pull request documentation](https://help.github.com/articles/creating-a-pull-request/)
 * [puppet-dev mailing list](https://groups.google.com/forum/#!forum/puppet-dev)
-* [Puppet community slack](https://slack.puppet.com)
+* [Puppet community slack](https://slack.puppet.com)

data/Gemfile

@@ -37,12 +37,13 @@ end
 group(:test) do
   gem "ffi", require: false
   gem "json-schema", "~> 2.0", require: false
-  gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 12.2')
+  gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 13.0')
   gem "rspec", "~> 3.1", require: false
   gem "rspec-expectations", ["~> 3.9", "!= 3.9.3"]
   gem "rspec-its", "~> 1.1", require: false
   gem 'vcr', '~> 5.0', require: false
   gem 'webmock', '~> 3.0', require: false
+  gem 'webrick', '~> 1.7', require: false if RUBY_VERSION.to_f >= 3.0
   gem 'yard', require: false
 
   gem 'rubocop', '~> 0.49', require: false, platforms: [:ruby]

data/Gemfile.lock

@@ -1,9 +1,9 @@
 GIT
   remote: git://github.com/puppetlabs/packaging
-  revision: 36e0078116659d6fc7a9312c8465ec9b183b8f26
+  revision: 56b3c7db09d6cafe878ff4a9dfc048b5a5bea89c
   branch: 1.0.x
   specs:
-    packaging (0.99.76.12.g36e0078)
+    packaging (0.99.77.2.g56b3c7d)
       artifactory (~> 2)
       csv (= 3.1.5)
       rake (>= 12.3)
@@ -12,7 +12,7 @@ GIT
 PATH
   remote: .
   specs:
-    puppet (7.7.0)
+    puppet (7.8.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -33,14 +33,14 @@ GEM
     artifactory (2.8.2)
     ast (2.4.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.8)
+    concurrent-ruby (1.1.9)
     crack (0.4.5)
       rexml
     csv (3.1.5)
     deep_merge (1.2.1)
     diff-lcs (1.4.4)
     docopt (0.6.1)
-    facter (4.1.1)
+    facter (4.2.1)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
     fast_gettext (1.1.2)
@@ -78,14 +78,14 @@ GEM
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.6)
-    puppet-resource_api (1.8.13)
+    puppet-resource_api (1.8.14)
       hocon (>= 1.0)
     puppetserver-ca (2.1.0)
       facter (>= 2.0.1, < 5)
     racc (1.4.9)
     rainbow (2.2.2)
       rake
-    rake (12.3.3)
+    rake (13.0.3)
     rdiscount (2.2.0.2)
     rdoc (6.3.1)
     release-metrics (1.1.0)
@@ -124,7 +124,7 @@ GEM
     ruby-prof (1.4.3)
     ruby-progressbar (1.11.0)
     scanf (1.0.0)
-    semantic_puppet (1.0.3)
+    semantic_puppet (1.0.4)
     text (1.3.1)
     thor (1.1.0)
     unicode-display_width (1.7.0)
@@ -154,7 +154,7 @@ DEPENDENCIES
   puppet-resource_api (~> 1.5)
   puppetserver-ca (~> 2.0)
   racc (= 1.4.9)
-  rake (~> 12.2)
+  rake (~> 13.0)
   rdoc (~> 6.0)
   ronn (~> 0.7.3)
   rspec (~> 3.1)

data/ext/osx/puppet.plist

@@ -26,5 +26,7 @@
         <string>/var/log/puppetlabs/puppet/puppet.log</string>
         <key>StandardOutPath</key>
         <string>/var/log/puppetlabs/puppet/puppet.log</string>
+        <key>SessionCreate</key>
+        <true />
 </dict>
 </plist>

data/lib/puppet/defaults.rb

@@ -1426,7 +1426,9 @@ EOT
         See the report reference for information on the built-in report
         handlers; custom report handlers can also be loaded from modules.
         (Report handlers are loaded from the lib directory, at
-        `puppet/reports/NAME.rb`.)",
+        `puppet/reports/NAME.rb`.)
+
+        To turn off reports entirely, set this to `none`",
     },
     :reportdir => {
       :default => "$vardir/reports",

data/lib/puppet/pops/types/p_sem_ver_type.rb

@@ -95,16 +95,22 @@ class PSemVerType < PScalarType
       end
 
       def from_args(major, minor, patch, prerelease = nil, build = nil)
-        SemanticPuppet::Version.new(major, minor, patch, prerelease, build)
+        SemanticPuppet::Version.new(major, minor, patch, to_array(prerelease), to_array(build))
       end
 
       def from_hash(hash)
-        SemanticPuppet::Version.new(hash['major'], hash['minor'], hash['patch'], hash['prerelease'], hash['build'])
+        SemanticPuppet::Version.new(hash['major'], hash['minor'], hash['patch'], to_array(hash['prerelease']), to_array(hash['build']))
       end
 
       def on_error(str)
         _("The string '%{str}' cannot be converted to a SemVer") % { str: str }
       end
+
+      private
+
+      def to_array(component)
+        component ? [component] : nil
+      end
     end
   end
 

data/lib/puppet/pops/types/p_sensitive_type.rb

@@ -24,6 +24,16 @@ class PSensitiveType < PTypeWithContainedType
     def inspect
       "#<#{self}>"
     end
+
+    def hash
+      @value.hash
+    end
+
+    def ==(other)
+      other.is_a?(Sensitive) &&
+        other.hash == hash
+    end
+    alias eql? ==
   end
 
   def self.register_ptype(loader, ir)

data/lib/puppet/provider/package/apt.rb

@@ -91,20 +91,20 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
   end
 
   def best_version(should_range)
-    available_versions = SortedSet.new
+    versions = []
 
     output = aptcache :madison, @resource[:name]
     output.each_line do |line|
       is = line.split('|')[1].strip
       begin
         is_version = DebianVersion.parse(is)
-        available_versions << is_version if should_range.include?(is_version)
+        versions << is_version if should_range.include?(is_version)
       rescue DebianVersion::ValidationFailure
         Puppet.debug("Cannot parse #{is} as a debian version")
       end
     end
 
-    return available_versions.to_a.last unless available_versions.empty?
+    return versions.sort.last if versions.any?
 
     Puppet.debug("No available version for package #{@resource[:name]} is included in range #{should_range}")
     should_range

data/lib/puppet/provider/package/nim.rb

@@ -154,20 +154,25 @@ Puppet::Type.type(:package).provide :nim, :parent => :aix, :source => :aix do
   # I spent a lot of time trying to figure out a solution that didn't
   # require parsing the `nimclient -o showres` output and was unable to
   # do so.
-  self::HEADER_LINE_REGEX      = /^([^\s]+)\s+[^@]+@@(I|R):(\1)\s+[^\s]+$/
-  self::PACKAGE_LINE_REGEX     = /^.*@@(I|R):(.*)$/
-  self::RPM_PACKAGE_REGEX      = /^(.*)-(.*-\d+) \2$/
+  self::HEADER_LINE_REGEX      = /^([^\s]+)\s+[^@]+@@(I|R|S):(\1)\s+[^\s]+$/
+  self::PACKAGE_LINE_REGEX     = /^.*@@(I|R|S):(.*)$/
+  self::RPM_PACKAGE_REGEX      = /^(.*)-(.*-\d+\w*) \2$/
   self::INSTALLP_PACKAGE_REGEX = /^(.*) (.*)$/
 
   # Here is some sample output that shows what the above regexes will be up
   # against:
-  # FOR AN INSTALLP PACKAGE:
+  # FOR AN INSTALLP(bff) PACKAGE:
   #
   #    mypackage.foo                                                           ALL  @@I:mypackage.foo _all_filesets
-  #    @ 1.2.3.1  MyPackage Runtime Environment                       @@I:mypackage.foo 1.2.3.1
   #    + 1.2.3.4  MyPackage Runtime Environment                       @@I:mypackage.foo 1.2.3.4
   #    + 1.2.3.8  MyPackage Runtime Environment                       @@I:mypackage.foo 1.2.3.8
   #
+  # FOR AN INSTALLP(bff) PACKAGE with security update:
+  #
+  #    bos.net                                                                 ALL  @@S:bos.net _all_filesets
+  #    + 7.2.0.1  TCP/IP ntp Applications                             @@S:bos.net.tcp.ntp 7.2.0.1
+  #    + 7.2.0.2  TCP/IP ntp Applications                             @@S:bos.net.tcp.ntp 7.2.0.2
+  #
   # FOR AN RPM PACKAGE:
   #
   # mypackage.foo                                                                ALL  @@R:mypackage.foo _all_filesets
@@ -243,7 +248,7 @@ Puppet::Type.type(:package).provide :nim, :parent => :aix, :source => :aix do
     package_string = match.captures[1]
 
     case package_type_flag
-      when "I"
+      when "I","S"
         parse_installp_package_string(package_string)
       when "R"
         parse_rpm_package_string(package_string)

data/lib/puppet/provider/package/yum.rb

@@ -203,17 +203,17 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
         Puppet.debug("Cannot parse #{should} as a RPM version range")
         return should
       end
-      sorted_versions = SortedSet.new
+      versions = []
       available_versions(@resource[:name]).each do |version|
         begin
           rpm_version = RPM_VERSION.parse(version)
-          sorted_versions << rpm_version if should_range.include?(rpm_version)
+          versions << rpm_version if should_range.include?(rpm_version)
         rescue RPM_VERSION::ValidationFailure
           Puppet.debug("Cannot parse #{version} as a RPM version")
         end
       end
 
-      version = sorted_versions.entries.last
+      version = versions.sort.last if versions.any?
 
       if version
         version = version.to_s.sub(/^\d+:/, '')

data/lib/puppet/provider/package/zypper.rb

@@ -63,7 +63,7 @@ Puppet::Type.type(:package).provide :zypper, :parent => :rpm, :source => :rpm do
         return should
       end
 
-      sorted_versions = SortedSet.new
+      versions = []
 
       output = zypper('search', '--match-exact', '--type', 'package', '--uninstalled-only', '-s', @resource[:name])
       output.lines.each do |line|
@@ -72,13 +72,13 @@ Puppet::Type.type(:package).provide :zypper, :parent => :rpm, :source => :rpm do
         begin
           rpm_version = Puppet::Util::Package::Version::Rpm.parse(pkg_ver[3])
 
-          sorted_versions << rpm_version if should_range.include?(rpm_version)
+          versions << rpm_version if should_range.include?(rpm_version)
         rescue Puppet::Util::Package::Version::Rpm::ValidationFailure
           Puppet.debug("Cannot parse #{pkg_ver[3]} as a RPM version")
         end
       end
 
-      return sorted_versions.entries.last if sorted_versions.any?
+      return versions.sort.last if versions.any?
 
       Puppet.debug("No available version for package #{@resource[:name]} is included in range #{should_range}")
       should

data/lib/puppet/provider/service/freebsd.rb

@@ -74,7 +74,7 @@ Puppet::Type.type(:service).provide :freebsd, :parent => :init do
       if Puppet::FileSystem.exist?(filename)
         s = File.read(filename)
         if s.gsub!(/^(#{rcvar}(_enable)?)=\"?(YES|NO)\"?/, "\\1=\"#{yesno}\"")
-          File.open(filename, File::WRONLY) { |f| f << s }
+          Puppet::FileSystem.replace_file(filename) { |f| f << s  }
           self.debug("Replaced in #{filename}")
           success = true
         end

data/lib/puppet/provider/service/systemd.rb

@@ -164,10 +164,15 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   end
 
   def mask
-    self.disable
+    disable if exist?
     systemctl_change_enable(:mask)
   end
 
+  def exist?
+    result = execute([command(:systemctl), 'cat', '--', @resource[:name]], :failonfail => false)
+    result.exitstatus == 0
+  end
+
   def unmask
     systemctl_change_enable(:unmask)
   end

data/lib/puppet/provider/user/directoryservice.rb

@@ -435,7 +435,7 @@ Puppet::Type.type(:user).provide :directoryservice do
   ['home', 'uid', 'gid', 'comment', 'shell'].each do |setter_method|
     define_method("#{setter_method}=") do |value|
       if @property_hash[setter_method.intern]
-        if self.class.get_os_version.split('.').last.to_i >= 14 && %w(home uid).include?(setter_method)
+        if %w(home uid).include?(setter_method)
           raise Puppet::Error, "OS X version #{self.class.get_os_version} does not allow changing #{setter_method} using puppet"
         end
         begin
@@ -536,6 +536,14 @@ Puppet::Type.type(:user).provide :directoryservice do
       if (shadow_hash_data.class == Hash) && (shadow_hash_data.has_key?('SALTED-SHA512'))
         shadow_hash_data.delete('SALTED-SHA512')
       end
+
+      # Starting with macOS 11 Big Sur, the AuthenticationAuthority field
+      # could be missing entirely and without it the managed user cannot log in
+      if needs_sha512_pbkdf2_authentication_authority_to_be_added?(users_plist)
+        Puppet.debug("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user '#{@resource.name}'")
+        merge_attribute_with_dscl('Users', @resource.name, 'AuthenticationAuthority', ERB::Util.html_escape(SHA512_PBKDF2_AUTHENTICATION_AUTHORITY))
+      end
+
       set_salted_pbkdf2(users_plist, shadow_hash_data, 'entropy', value)
     end
   end
@@ -562,6 +570,17 @@ Puppet::Type.type(:user).provide :directoryservice do
     end
   end
 
+  # This method will check if authentication_authority key of a user's plist
+  # needs SALTED_SHA512_PBKDF2 to be added. This is a valid case for macOS 11 (Big Sur)
+  # where users created with `dscl` started to have this field missing
+  def needs_sha512_pbkdf2_authentication_authority_to_be_added?(users_plist)
+    authority = users_plist['authentication_authority']
+    return false if Puppet::Util::Package.versioncmp(self.class.get_os_version, '11.0.0') < 0 && authority && authority.include?(SHA512_PBKDF2_AUTHENTICATION_AUTHORITY)
+
+    Puppet.debug("User '#{@resource.name}' is missing the 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash")
+    true
+  end
+
   # This method will embed the binary plist data comprising the user's
   # password hash (and Salt/Iterations value if the OS is 10.8 or greater)
   # into the ShadowHashData key of the user's plist.
@@ -572,11 +591,7 @@ Puppet::Type.type(:user).provide :directoryservice do
     else
       users_plist['ShadowHashData'] = [binary_plist]
     end
-    if Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.15') < 0
-      write_users_plist_to_disk(users_plist)
-    else
-      write_and_import_shadow_hash_data(users_plist['ShadowHashData'].first)
-    end
+    write_and_import_shadow_hash_data(users_plist['ShadowHashData'].first)
   end
 
   # This method writes the ShadowHashData plist in a temporary file,
@@ -652,9 +667,7 @@ Puppet::Type.type(:user).provide :directoryservice do
     set_shadow_hash_data(users_plist, binary_plist)
   end
 
-  # This method will accept a plist in XML format, save it to disk, convert
-  # the plist to a binary format, and flush the dscl cache.
-  def write_users_plist_to_disk(users_plist)
-    Puppet::Util::Plist.write_plist_file(users_plist, "#{users_plist_dir}/#{@resource.name}.plist", :binary)
-  end
+  private
+
+  SHA512_PBKDF2_AUTHENTICATION_AUTHORITY = ';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>'
 end

data/lib/puppet/transaction/additional_resource_generator.rb

@@ -137,7 +137,7 @@ class Puppet::Transaction::AdditionalResourceGenerator
       else
         @catalog.add_resource_after(parent_resource, res)
       end
-      @catalog.add_edge(@catalog.container_of(parent_resource), res)
+      @catalog.add_edge(@catalog.container_of(parent_resource), res) if @catalog.container_of(parent_resource)
       if @relationship_graph && priority
         # If we have a relationship_graph we should add the resource
         # to it (this is an eval_generate). If we don't, then the

data/lib/puppet/type/service.rb

@@ -38,6 +38,12 @@ module Puppet
     feature :enableable, "The provider can enable and disable the service.",
       :methods => [:disable, :enable, :enabled?]
 
+    feature :delayed_startable, "The provider can set service to delayed start",
+      :methods => [:delayed_start]
+
+    feature :manual_startable, "The provider can set service to manual start",
+      :methods => [:manual_start]
+
     feature :controllable, "The provider uses a control variable."
 
     feature :flaggable, "The provider can pass flags to the service."
@@ -67,7 +73,7 @@ module Puppet
         provider.disable
       end
 
-      newvalue(:manual, :event => :service_manual_start) do
+      newvalue(:manual, :event => :service_manual_start, :required_features => :manual_startable) do
         provider.manual_start
       end
 
@@ -81,8 +87,7 @@ module Puppet
         provider.enabled?
       end
 
-      # This only works on Windows systems.
-      newvalue(:delayed, :event => :service_delayed_start) do
+      newvalue(:delayed, :event => :service_delayed_start, :required_features => :delayed_startable) do
         provider.delayed_start
       end
 
@@ -90,12 +95,6 @@ module Puppet
         return provider.enabled_insync?(current) if provider.respond_to?(:enabled_insync?)
         super(current)
       end
-
-      validate do |value|
-        if (value == :manual || value == :delayed) && !Puppet::Util::Platform.windows?
-          raise Puppet::Error.new(_("Setting enable to %{value} is only supported on Microsoft Windows.") % { value: value.to_s} )
-        end
-      end
     end
 
     # Handle whether the service should actually be running right now.

data/lib/puppet/type/user.rb

@@ -67,6 +67,7 @@ module Puppet
     newproperty(:ensure, :parent => Puppet::Property::Ensure) do
       newvalue(:present, :event => :user_created) do
         provider.create
+        @resource.generate
       end
 
       newvalue(:absent, :event => :user_removed) do
@@ -695,6 +696,7 @@ module Puppet
 
     def generate
       if !self[:purge_ssh_keys].empty?
+        return [] if self[:ensure] == :present && !provider.exists? 
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
         else
@@ -743,25 +745,6 @@ module Puppet
         end
         raise ArgumentError, _("purge_ssh_keys must be true, false, or an array of file names, not %{value}") % { value: value.inspect }
       end
-
-      munge do |value|
-        # Resolve string, boolean and symbol forms of true and false to a
-        # single representation.
-        test_sym = value.to_s.intern
-        value = test_sym if [:true, :false].include? test_sym
-
-        return [] if value == :false
-        home = resource[:home] || Dir.home(resource[:name])
-
-        return [ "#{home}/.ssh/authorized_keys" ] if value == :true
-        # value is an array - munge each value
-        [ value ].flatten.map do |entry|
-          # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
-          entry = entry.gsub(/^~\//, "#{home}/")
-          entry.gsub!(/^%h\//, "#{home}/")
-          entry
-        end
-      end
     end
 
     newproperty(:loginclass, :required_features => :manages_loginclass) do
@@ -783,7 +766,7 @@ module Puppet
     # @see generate
     # @api private
     def find_unmanaged_keys
-      self[:purge_ssh_keys].
+      munged_unmanaged_keys.
         select { |f| File.readable?(f) }.
         map { |f| unknown_keys_in_file(f) }.
         flatten.each do |res|
@@ -795,6 +778,41 @@ module Puppet
         end
     end
 
+    def munged_unmanaged_keys
+      value = self[:purge_ssh_keys]
+
+      # Resolve string, boolean and symbol forms of true and false to a
+      # single representation.
+      test_sym = value.to_s.intern
+      value = test_sym if [:true, :false].include? test_sym
+
+      return [] if value == :false
+
+      home = self[:home]
+      begin
+        home ||= provider.home
+      rescue
+        Puppet.debug("User '#{self[:name]}' does not exist")
+      end
+
+      if home.to_s.empty? || !Dir.exist?(home.to_s)
+        if value == :true || [ value ].flatten.any? { |v| v.start_with?('~/', '%h/') }
+          Puppet.debug("User '#{self[:name]}' has no home directory set to purge ssh keys from.")
+          return []
+        end
+      end
+
+      return [ "#{home}/.ssh/authorized_keys" ] if value == :true
+
+      # value is an array - munge each value
+      [ value ].flatten.map do |entry|
+        # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
+        entry = entry.gsub(/^~\//, "#{home}/")
+        entry.gsub!(/^%h\//, "#{home}/")
+        entry
+      end
+    end
+
     # Parse an ssh authorized keys file superficially, extract the comments
     # on the keys. These are considered names of possible ssh_authorized_keys
     # resources. Keys that are managed by the present catalog are ignored.