puppet 8.6.0-universal-darwin → 8.8.1-universal-darwin

data/examples/hiera/modules/users/manifests/dc1.pp

@@ -1,4 +1,9 @@
-# notifies
+# @summary Notify to demonstrate users::dc1 in catalog
+#
+# A Class that should be present in dc1 node(s) catalog
+#
+# @example
+#   include users::dc1
 class users::dc1 {
-  notify{'Adding users::dc1': }
+  notify { 'Adding users::dc1': }
 }

data/examples/hiera/site.pp

@@ -1,3 +1,3 @@
 node default {
-  hiera_include('classes')
+  include lookup('classes')
 }

data/ext/project_data.yaml

@@ -1,53 +1,8 @@
 ---
 project: 'puppet'
-author: 'Puppet Labs'
-email: 'info@puppetlabs.com'
-homepage: 'https://github.com/puppetlabs/puppet'
-summary: 'Puppet, an automated configuration management tool'
-description: 'Puppet, an automated configuration management tool'
-version_file: 'lib/puppet/version.rb'
-# files and gem_files are space separated lists
-files: '[A-Z]* install.rb bin lib conf man examples ext tasks locales'
-# Make sure these gem requirements are in sync with the gemspec and Gemfile
-gem_files: '[A-Z]* install.rb bin lib conf man examples ext tasks locales'
-gem_test_files:
-gem_executables: 'puppet'
-gem_default_executables: 'puppet'
-gem_license: 'Apache-2.0'
-gem_forge_project: 'puppet'
-gem_required_ruby_version: '>= 3.1.0'
-gem_required_rubygems_version: '> 1.3.1'
-gem_runtime_dependencies:
-  facter: ['>= 4.3.0', '< 5']
-  semantic_puppet: '~> 1.0'
-  fast_gettext: ['>= 2.1', '< 3']
-  locale: '~> 2.1'
-  multi_json: '~> 1.13'
-  puppet-resource_api: '~>1.5'
-  concurrent-ruby: "~> 1.0"
-  deep_merge: '~> 1.0'
-  scanf: '~> 1.0'
 gem_rdoc_options:
   - --title
   - "Puppet - Configuration Management"
   - --main
   - README.md
   - --line-numbers
-gem_platform_dependencies:
-  universal-darwin:
-    gem_runtime_dependencies:
-      CFPropertyList: '~> 2.2'
-  x86-mingw32:
-    gem_runtime_dependencies:
-      ffi: '1.15.5'
-      minitar: '~> 0.9'
-  x64-mingw32:
-    gem_runtime_dependencies:
-      ffi: '1.15.5'
-      minitar: '~> 0.9'
-bundle_platforms:
-  universal-darwin: all
-  x86-mingw32: mingw
-  x64-mingw32: x64_mingw
-pre_tasks:
-  'package:apple': 'cfpropertylist'

data/ext/windows/service/daemon.rb

@@ -155,12 +155,19 @@ class WindowsDaemon < Puppet::Util::Windows::Daemon
     end
   end
 
+  # Parses runinterval.
+  #
+  # @param puppet_path [String] The file path for the Puppet executable.
+  # @return runinterval [Integer] How often to do a Puppet run, in seconds.
   def parse_runinterval(puppet_path)
     begin
-      runinterval = %x(#{puppet_path} config --section agent --log_level notice print runinterval).to_i
-      if runinterval == 0
+      runinterval = %x(#{puppet_path} config --section agent --log_level notice print runinterval).chomp
+      if runinterval == ''
         runinterval = 1800
         log_err("Failed to determine runinterval, defaulting to #{runinterval} seconds")
+      else
+        # Use Kernel#Integer because to_i will return 0 with non-numeric strings.
+        runinterval = Integer(runinterval)
       end
     rescue Exception => e
       log_exception(e)

data/lib/puppet/application/doc.rb

@@ -173,11 +173,7 @@ class Puppet::Application::Doc < Puppet::Application
 
     text += Puppet::Util::Reference.footer unless with_contents # We've only got one reference
 
-    if options[:mode] == :pdf
-      Puppet::Util::Reference.pdf(text)
-    else
-      puts text
-    end
+    puts text
 
     exit exit_code
   end

data/lib/puppet/application/lookup.rb

@@ -3,6 +3,7 @@
 require_relative '../../puppet/application'
 require_relative '../../puppet/pops'
 require_relative '../../puppet/node'
+require_relative '../../puppet/node/server_facts'
 require_relative '../../puppet/parser/compiler'
 
 class Puppet::Application::Lookup < Puppet::Application
@@ -403,6 +404,7 @@ class Puppet::Application::Lookup < Puppet::Application
       end
     end
     node.environment = Puppet[:environment] if Puppet.settings.set_by_cli?(:environment)
+    node.add_server_facts(Puppet::Node::ServerFacts.load)
     Puppet[:code] = 'undef' unless options[:compile]
     compiler = Puppet::Parser::Compiler.new(node)
     if options[:node]

data/lib/puppet/defaults.rb

@@ -47,29 +47,15 @@ module Puppet
   end
 
   def self.default_basemodulepath
-    if Puppet::Util::Platform.windows?
-      path = ['$codedir/modules']
-      installdir = ENV.fetch("FACTER_env_windows_installdir", nil)
-      if installdir
-        path << "#{installdir}/puppet/modules"
-      end
-      path.join(File::PATH_SEPARATOR)
-    else
-      '$codedir/modules:/opt/puppetlabs/puppet/modules'
+    path = ['$codedir/modules']
+    if (run_mode_dir = Puppet.run_mode.common_module_dir)
+      path << run_mode_dir
     end
+    path.join(File::PATH_SEPARATOR)
   end
 
   def self.default_vendormoduledir
-    if Puppet::Util::Platform.windows?
-      installdir = ENV.fetch("FACTER_env_windows_installdir", nil)
-      if installdir
-        "#{installdir}\\puppet\\vendor_modules"
-      else
-        nil
-      end
-    else
-      '/opt/puppetlabs/puppet/vendor_modules'
-    end
+    Puppet.run_mode.vendor_module_dir
   end
 
   ############################################################################################

data/lib/puppet/file_serving/http_metadata.rb

@@ -51,6 +51,8 @@ class Puppet::FileServing::HttpMetadata < Puppet::FileServing::Metadata
     # Prefer the checksum_type from the indirector request options
     # but fall back to the alternative otherwise
     [@checksum_type, :sha256, :sha1, :md5, :mtime].each do |type|
+      next if type == :md5 && Puppet::Util::Platform.fips_enabled?
+
       @checksum_type = type
       @checksum = @checksums[type]
       break if @checksum

data/lib/puppet/functions/regsubst.rb

@@ -20,13 +20,10 @@ Puppet::Functions.create_function(:regsubst) do
   #        - *M*         Multiline regexps
   #        - *G*         Global replacement; all occurrences of the regexp in each target string will be replaced.  Without this, only the first occurrence will be replaced.
   # @param encoding [Enum['N','E','S','U']]
-  #      Optional. How to handle multibyte characters when compiling the regexp (must not be used when pattern is a
-  #      precompiled regexp). A single-character string with the following values:
-  #        - *N*         None
-  #        - *E*         EUC
-  #        - *S*         SJIS
-  #        - *U*         UTF-8
+  #      Deprecated and ignored parameter, only here for compatibility.
   # @return [Array[String], String] The result of the substitution. Result type is the same as for the target parameter.
+  # @deprecated
+  #   This method has the optional encoding parameter, which is ignored.
   # @example Get the third octet from the node's IP address:
   #   ```puppet
   #   $i3 = regsubst($ipaddress,'^(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)$','\\3')
@@ -56,13 +53,6 @@ Puppet::Functions.create_function(:regsubst) do
   #        - *I*         Ignore case in regexps
   #        - *M*         Multiline regexps
   #        - *G*         Global replacement; all occurrences of the regexp in each target string will be replaced.  Without this, only the first occurrence will be replaced.
-  # @param encoding [Enum['N','E','S','U']]
-  #      Optional. How to handle multibyte characters when compiling the regexp (must not be used when pattern is a
-  #      precompiled regexp). A single-character string with the following values:
-  #        - *N*         None
-  #        - *E*         EUC
-  #        - *S*         SJIS
-  #        - *U*         UTF-8
   # @return [Array[String], String] The result of the substitution. Result type is the same as for the target parameter.
   # @example Put angle brackets around each octet in the node's IP address:
   #   ```puppet
@@ -76,6 +66,13 @@ Puppet::Functions.create_function(:regsubst) do
   end
 
   def regsubst_string(target, pattern, replacement, flags = nil, encoding = nil)
+    if encoding
+      Puppet.warn_once(
+        'deprecations', 'regsubst_function_encoding',
+        _("The regsubst() function's encoding argument has been ignored since Ruby 1.9 and will be removed in a future release")
+      )
+    end
+
     re_flags = 0
     operation = :sub
     unless flags.nil?
@@ -88,7 +85,7 @@ Puppet::Functions.create_function(:regsubst) do
         end
       end
     end
-    inner_regsubst(target, Regexp.compile(pattern, re_flags, encoding), replacement, operation)
+    inner_regsubst(target, Regexp.compile(pattern, re_flags), replacement, operation)
   end
 
   def regsubst_regexp(target, pattern, replacement, flags = nil)

data/lib/puppet/indirector/catalog/compiler.rb

@@ -2,6 +2,7 @@
 
 require_relative '../../../puppet/environments'
 require_relative '../../../puppet/node'
+require_relative '../../../puppet/node/server_facts'
 require_relative '../../../puppet/resource/catalog'
 require_relative '../../../puppet/indirector/code'
 require_relative '../../../puppet/util/profiler'
@@ -426,40 +427,6 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
   #
   # See also set_server_facts in Puppet::Server::Compiler in puppetserver.
   def set_server_facts
-    @server_facts = {}
-
-    # Add our server Puppet Enterprise version, if available.
-    pe_version_file = '/opt/puppetlabs/server/pe_version'
-    if File.readable?(pe_version_file) and !File.zero?(pe_version_file)
-      @server_facts['pe_serverversion'] = File.read(pe_version_file).chomp
-    end
-
-    # Add our server version to the fact list
-    @server_facts["serverversion"] = Puppet.version.to_s
-
-    # And then add the server name and IP
-    { "servername" => "networking.fqdn",
-      "serverip" => "networking.ip",
-      "serverip6" => "networking.ip6" }.each do |var, fact|
-      value = Puppet.runtime[:facter].value(fact)
-      unless value.nil?
-        @server_facts[var] = value
-      end
-    end
-
-    if @server_facts["servername"].nil?
-      host = Puppet.runtime[:facter].value('networking.hostname')
-      if host.nil?
-        Puppet.warning _("Could not retrieve fact servername")
-      elsif domain = Puppet.runtime[:facter].value('networking.domain') # rubocop:disable Lint/AssignmentInCondition
-        @server_facts["servername"] = [host, domain].join(".")
-      else
-        @server_facts["servername"] = host
-      end
-    end
-
-    if @server_facts["serverip"].nil? && @server_facts["serverip6"].nil?
-      Puppet.warning _("Could not retrieve either serverip or serverip6 fact")
-    end
+    @server_facts = Puppet::Node::ServerFacts.load
   end
 end

data/lib/puppet/module_tool/tar/gnu.rb

@@ -4,18 +4,20 @@ require 'shellwords'
 
 class Puppet::ModuleTool::Tar::Gnu
   def unpack(sourcefile, destdir, owner)
-    sourcefile = File.expand_path(sourcefile)
+    safe_sourcefile = Shellwords.shellescape(File.expand_path(sourcefile))
     destdir = File.expand_path(destdir)
+    safe_destdir = Shellwords.shellescape(destdir)
 
-    Dir.chdir(destdir) do
-      Puppet::Util::Execution.execute("gzip -dc #{Shellwords.shellescape(sourcefile)} | tar xof -")
-      Puppet::Util::Execution.execute("find . -type d -exec chmod 755 {} +")
-      Puppet::Util::Execution.execute("find . -type f -exec chmod u+rw,g+r,a-st {} +")
-      Puppet::Util::Execution.execute("chown -R #{owner} .")
-    end
+    Puppet::Util::Execution.execute("gzip -dc #{safe_sourcefile} | tar --extract --no-same-owner --directory #{safe_destdir} --file -")
+    Puppet::Util::Execution.execute(['find', destdir, '-type', 'd', '-exec', 'chmod', '755', '{}', '+'])
+    Puppet::Util::Execution.execute(['find', destdir, '-type', 'f', '-exec', 'chmod', 'u+rw,g+r,a-st', '{}', '+'])
+    Puppet::Util::Execution.execute(['chown', '-R', owner, destdir])
   end
 
   def pack(sourcedir, destfile)
-    Puppet::Util::Execution.execute("tar cf - #{sourcedir} | gzip -c > #{File.basename(destfile)}")
+    safe_sourcedir = Shellwords.shellescape(sourcedir)
+    safe_destfile = Shellwords.shellescape(File.basename(destfile))
+
+    Puppet::Util::Execution.execute("tar cf - #{safe_sourcedir} | gzip -c > #{safe_destfile}")
   end
 end

data/lib/puppet/node/server_facts.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+class Puppet::Node::ServerFacts
+  def self.load
+    server_facts = {}
+
+    # Add our server Puppet Enterprise version, if available.
+    pe_version_file = '/opt/puppetlabs/server/pe_version'
+    if File.readable?(pe_version_file) and !File.zero?(pe_version_file)
+      server_facts['pe_serverversion'] = File.read(pe_version_file).chomp
+    end
+
+    # Add our server version to the fact list
+    server_facts["serverversion"] = Puppet.version.to_s
+
+    # And then add the server name and IP
+    { "servername" => "networking.fqdn",
+      "serverip" => "networking.ip",
+      "serverip6" => "networking.ip6" }.each do |var, fact|
+      value = Puppet.runtime[:facter].value(fact)
+      unless value.nil?
+        server_facts[var] = value
+      end
+    end
+
+    if server_facts["servername"].nil?
+      host = Puppet.runtime[:facter].value('networking.hostname')
+      if host.nil?
+        Puppet.warning _("Could not retrieve fact servername")
+      elsif domain = Puppet.runtime[:facter].value('networking.domain') # rubocop:disable Lint/AssignmentInCondition
+        server_facts["servername"] = [host, domain].join(".")
+      else
+        server_facts["servername"] = host
+      end
+    end
+
+    if server_facts["serverip"].nil? && server_facts["serverip6"].nil?
+      Puppet.warning _("Could not retrieve either serverip or serverip6 fact")
+    end
+
+    server_facts
+  end
+end

data/lib/puppet/parser/functions/generate.rb

@@ -31,7 +31,8 @@ Puppet::Parser::Functions.newfunction(:generate, :arity => -2, :type => :rvalue,
   end
 
   begin
-    Dir.chdir(File.dirname(args[0])) { Puppet::Util::Execution.execute(args).to_str }
+    dir = File.dirname(args[0])
+    Puppet::Util::Execution.execute(args, failonfail: true, combine: true, cwd: dir).to_str
   rescue Puppet::ExecutionFailure => detail
     raise Puppet::ParseError, _("Failed to execute generator %{generator}: %{detail}") % { generator: args[0], detail: detail }, detail.backtrace
   end

data/lib/puppet/pops/evaluator/deferred_resolver.rb

@@ -89,17 +89,25 @@ class DeferredResolver
       overrides = {}
       r.parameters.each_pair do |k, v|
         resolved = resolve(v)
-        # If the value is instance of Sensitive - assign the unwrapped value
-        # and mark it as sensitive if not already marked
-        #
         case resolved
         when Puppet::Pops::Types::PSensitiveType::Sensitive
+          # If the resolved value is instance of Sensitive - assign the unwrapped value
+          # and mark it as sensitive if not already marked
+          #
           resolved = resolved.unwrap
           mark_sensitive_parameters(r, k)
-        # If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
-        # The DeferredValue.resolve method will unwrap it during catalog application
+
         when Puppet::Pops::Evaluator::DeferredValue
-          if v.arguments.any? { |arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType) }
+          # If the resolved value is a DeferredValue and it has an argument of type
+          # PSensitiveType, mark it as sensitive. Since DeferredValues can nest,
+          # we must walk all arguments, e.g. the DeferredValue may call the `epp`
+          # function, where one of its arguments is a DeferredValue to call the
+          # `vault:lookup` function.
+          #
+          # The DeferredValue.resolve method will unwrap the sensitive during
+          # catalog application
+          #
+          if contains_sensitive_args?(v)
             mark_sensitive_parameters(r, k)
           end
         end
@@ -109,6 +117,33 @@ class DeferredResolver
     end
   end
 
+  # Return true if x contains an argument that is an instance of PSensitiveType:
+  #
+  #   Deferred('new', [Sensitive, 'password'])
+  #
+  # Or an instance of PSensitiveType::Sensitive:
+  #
+  #   Deferred('join', [['a', Sensitive('b')], ':'])
+  #
+  # Since deferred values can nest, descend into Arrays and Hash keys and values,
+  # short-circuiting when the first occurrence is found.
+  #
+  def contains_sensitive_args?(x)
+    case x
+    when @deferred_class
+      contains_sensitive_args?(x.arguments)
+    when Array
+      x.any? { |v| contains_sensitive_args?(v) }
+    when Hash
+      x.any? { |k, v| contains_sensitive_args?(k) || contains_sensitive_args?(v) }
+    when Puppet::Pops::Types::PSensitiveType, Puppet::Pops::Types::PSensitiveType::Sensitive
+      true
+    else
+      false
+    end
+  end
+  private :contains_sensitive_args?
+
   def mark_sensitive_parameters(r, k)
     unless r.sensitive_parameters.include?(k.to_sym)
       r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze

data/lib/puppet/pops/evaluator/runtime3_resource_support.rb

@@ -76,7 +76,8 @@ module Runtime3ResourceSupport
   end
 
   def self.resource_to_ptype(resource)
-    nil if resource.nil?
+    return nil if resource.nil?
+
     # inference returns the meta type since the 3x Resource is an alternate way to describe a type
     Puppet::Pops::Types::TypeCalculator.singleton().infer(resource).type
   end

data/lib/puppet/pops/evaluator/runtime3_support.rb

@@ -443,12 +443,6 @@ module Runtime3Support
     resource.valid_parameter?(name)
   end
 
-  def resource_to_ptype(resource)
-    nil if resource.nil?
-    # inference returns the meta type since the 3x Resource is an alternate way to describe a type
-    type_calculator.infer(resource).type
-  end
-
   # This is the same type of "truth" as used in the current Puppet DSL.
   #
   def is_true?(value, o)

data/lib/puppet/pops/loader/static_loader.rb

@@ -46,9 +46,9 @@ class StaticLoader < Loader
 
   def discover(type, error_collector = nil, name_authority = Pcore::RUNTIME_NAME_AUTHORITY)
     # Static loader only contains runtime types
-    return EMPTY_ARRAY unless type == :type && name_authority == name_authority = Pcore::RUNTIME_NAME_AUTHORITY
+    return EMPTY_ARRAY unless type == :type && name_authority == Pcore::RUNTIME_NAME_AUTHORITY
 
-    typed_names = type == :type && name_authority == Pcore::RUNTIME_NAME_AUTHORITY ? @loaded.keys : EMPTY_ARRAY
+    typed_names = @loaded.keys
     block_given? ? typed_names.select { |tn| yield(tn) } : typed_names
   end
 

data/lib/puppet/pops/lookup/module_data_provider.rb

@@ -47,16 +47,16 @@ class ModuleDataProvider < ConfiguredDataProvider
   def validate_data_hash(data_hash)
     super
     module_prefix = "#{module_name}::"
-    data_hash.each_key.reduce(data_hash) do |memo, k|
-      next memo if k == LOOKUP_OPTIONS || k.start_with?(module_prefix)
-
-      msg = "#{yield} must use keys qualified with the name of the module"
-      memo = memo.clone if memo.equal?(data_hash)
-      memo.delete(k)
-      Puppet.warning("Module '#{module_name}': #{msg}")
-      memo
+    data_hash_to_return = {}
+    data_hash.keys.each do |k|
+      if k == LOOKUP_OPTIONS || k.start_with?(module_prefix)
+        data_hash_to_return[k] = data_hash[k]
+      else
+        msg = "#{yield} must use keys qualified with the name of the module"
+        Puppet.warning("Module '#{module_name}': #{msg}; got #{k}")
+      end
     end
-    data_hash
+    data_hash_to_return
   end
 
   protected

data/lib/puppet/provider/aix_object.rb

@@ -131,7 +131,7 @@ class Puppet::Provider::AixObject < Puppet::Provider
 
       # AIX will do the right validation to ensure numeric attributes
       # can't be set to non-numeric values, so no need for the extra clutter.
-      info[:attribute_to_property] = lambda do |value|
+      info[:attribute_to_property] = lambda do |value| # rubocop:disable Style/SymbolProc
         value.to_i
       end
 

data/lib/puppet/provider/file/posix.rb

@@ -12,8 +12,22 @@ Puppet::Type.type(:file).provide :posix do
   require 'etc'
   require_relative '../../../puppet/util/selinux'
 
-  def self.post_resource_eval
-    Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support?
+  class << self
+    def selinux_handle
+      return nil unless Puppet::Util::SELinux.selinux_support?
+
+      # selabel_open takes 3 args: backend, options, and nopt. The backend param
+      # is a constant, SELABEL_CTX_FILE, which happens to be 0. Since options is
+      # nil, nopt can be 0 since nopt represents the # of options specified.
+      @selinux_handle ||= Selinux.selabel_open(Selinux::SELABEL_CTX_FILE, nil, 0)
+    end
+
+    def post_resource_eval
+      if @selinux_handle
+        Selinux.selabel_close(@selinux_handle)
+        @selinux_handle = nil
+      end
+    end
   end
 
   def uid2name(id)

data/lib/puppet/provider/group/groupadd.rb

@@ -17,11 +17,20 @@ Puppet::Type.type(:group).provide :groupadd, :parent => Puppet::Provider::NameSe
     value.is_a? Integer
   end
 
-  optional_commands :localadd => "lgroupadd", :localdelete => "lgroupdel", :localmodify => "lgroupmod"
-
-  has_feature :manages_local_users_and_groups, :manages_members if Puppet.features.libuser?
-
-  options :members, :flag => '-M', :method => :mem
+  optional_commands :localadd => "lgroupadd", :localdelete => "lgroupdel", :localmodify => "lgroupmod", :purgemember => "usermod"
+
+  has_feature :manages_local_users_and_groups if Puppet.features.libuser?
+  has_feature :manages_members if Puppet.features.libuser? ||
+                                  (Puppet.runtime[:facter].value('os.name') == "Fedora" &&
+                                  Puppet.runtime[:facter].value('os.release.major').to_i >= 40)
+
+  # Libuser's modify command 'lgroupmod' requires '-M' flag for member additions.
+  # 'groupmod' command requires the '-aU' flags for it.
+  if Puppet.features.libuser?
+    options :members, :flag => '-M', :method => :mem
+  else
+    options :members, :flag => '-aU', :method => :mem
+  end
 
   def exists?
     return !!localgid if @resource.forcelocal?
@@ -63,7 +72,8 @@ Puppet::Type.type(:group).provide :groupadd, :parent => Puppet::Provider::NameSe
   end
 
   def addcmd
-    if @resource.forcelocal?
+    # The localadd command (lgroupadd) must only be called when libuser is supported.
+    if Puppet.features.libuser? && @resource.forcelocal?
       cmd = [command(:localadd)]
       @custom_environment = Puppet::Util::Libuser.getenv
     else
@@ -91,7 +101,8 @@ Puppet::Type.type(:group).provide :groupadd, :parent => Puppet::Provider::NameSe
   end
 
   def modifycmd(param, value)
-    if @resource.forcelocal? || @resource[:members]
+    # The localmodify command (lgroupmod) must only be called when libuser is supported.
+    if Puppet.features.libuser? && (@resource.forcelocal? || @resource[:members])
       cmd = [command(:localmodify)]
       @custom_environment = Puppet::Util::Libuser.getenv
     else
@@ -114,7 +125,8 @@ Puppet::Type.type(:group).provide :groupadd, :parent => Puppet::Provider::NameSe
   end
 
   def deletecmd
-    if @resource.forcelocal?
+    # The localdelete command (lgroupdel) must only be called when libuser is supported.
+    if Puppet.features.libuser? && @resource.forcelocal?
       @custom_environment = Puppet::Util::Libuser.getenv
       [command(:localdelete), @resource[:name]]
     else
@@ -133,7 +145,16 @@ Puppet::Type.type(:group).provide :groupadd, :parent => Puppet::Provider::NameSe
   end
 
   def purge_members
-    localmodify('-m', members_to_s(members), @resource.name)
+    # The groupadd provider doesn't have the ability currently to remove members from a group, libuser does.
+    # Use libuser's lgroupmod command to achieve purging members if libuser is supported.
+    # Otherwise use the 'usermod' command.
+    if Puppet.features.libuser?
+      localmodify('-m', members_to_s(members), @resource.name)
+    else
+      members.each do |member|
+        purgemember('-rG', @resource.name, member)
+      end
+    end
   end
 
   private

data/lib/puppet/provider/package/gem.rb

@@ -83,6 +83,7 @@ Puppet::Type.type(:package).provide :gem, :parent => Puppet::Provider::Package::
       custom_environment[:PATH] = windows_path_without_puppet_bin
     end
 
+    # This uses an unusual form of passing the command and args as [<cmd>, [<arg1>, <arg2>, ...]]
     execute(cmd, { :failonfail => true, :combine => true, :custom_environment => custom_environment })
   end
 

data/lib/puppet/provider/package/pkgutil.rb

@@ -115,11 +115,12 @@ Puppet::Type.type(:package).provide :pkgutil, :parent => :sun, :source => :sun d
 
   # Identify common types of pkgutil noise as it downloads catalogs etc
   def self.noise?(line)
-    true if line =~ /^#/
-    true if line =~ /^Checking integrity / # use_gpg
-    true if line =~ /^gpg: /               # gpg verification
-    true if line =~ /^=+> /                # catalog fetch
-    true if line =~ /\d+:\d+:\d+ URL:/     # wget without -q
+    return true if line =~ /^#/
+    return true if line =~ /^Checking integrity / # use_gpg
+    return true if line =~ /^gpg: /               # gpg verification
+    return true if line =~ /^=+> /                # catalog fetch
+    return true if line =~ /\d+:\d+:\d+ URL:/     # wget without -q
+
     false
   end