puppet 6.7.2-universal-darwin → 6.8.0-universal-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e37f78bdb2bb4c71f4302ae7a4868fb892e48cacaae5550d362ff7bbc5d2e2d5
-  data.tar.gz: e26741edd0ed42842461e2045de4d4b0d86681d87fa7d1788e17033fd41b22ed
+  metadata.gz: 6499c686c4bf854eadd79ed655461b3e64e9ba7a9bf9164728717c8e69679748
+  data.tar.gz: 34fff83b7811ccf9bf0cec90ab5c6fb4d4251b2cfeaa5331d8d6fb01860db2ff
 SHA512:
-  metadata.gz: ad6b08a5e46c208230ff970289ba60ecc14d353c350d5665b7c3313d6d5d89f9a4a70e6394345ee76e3d741ca1ca973a81a88ed38644208a31b95a4f6026c195
-  data.tar.gz: a3cc0b4a465313780d9a70f7b8bf1c42048cd974e7914c976dace9b999295446e91d18896e9b904223dd3daec6c4c94b064d7ec1629d07734858ed291e666fcb
+  metadata.gz: d856db8d30bc8a77198998525cfb5dea36db856096862ffba21cc2d8792de03c8575b8e5dc065f6351412f5c081f6a8b8e537750f58f0f95022dec218c0d882f
+  data.tar.gz: 36f03ab60e5ffe8126c4dafcae83cfe51bf3798fd460077b468bedea14c135d52f681867f99a013aea266a5bc6e84124f698527b214a060b06c7653f670c9815

data/CODEOWNERS

@@ -1,15 +1,15 @@
 # default to platform-core
 * @puppetlabs/platform-core
 
-# platform-os
-/lib/puppet/type/group @puppetlabs/platform-os
-/lib/puppet/type/package @puppetlabs/platform-os
-/lib/puppet/type/service @puppetlabs/platform-os
-/lib/puppet/type/user @puppetlabs/platform-os
-/lib/puppet/provider/group @puppetlabs/platform-os
-/lib/puppet/provider/package @puppetlabs/platform-os
-/lib/puppet/provider/service @puppetlabs/platform-os
-/lib/puppet/provider/user @puppetlabs/platform-os
+# Night's Watch
+/lib/puppet/type/group @puppetlabs/night-s-watch
+/lib/puppet/type/package @puppetlabs/night-s-watch
+/lib/puppet/type/service @puppetlabs/night-s-watch
+/lib/puppet/type/user @puppetlabs/night-s-watch
+/lib/puppet/provider/group @puppetlabs/night-s-watch
+/lib/puppet/provider/package @puppetlabs/night-s-watch
+/lib/puppet/provider/service @puppetlabs/night-s-watch
+/lib/puppet/provider/user @puppetlabs/night-s-watch
 
 # language
 /lib/puppet/datatypes @puppetlabs/language

data/Gemfile

@@ -23,7 +23,7 @@ group(:features) do
   gem 'hiera-eyaml', require: false
   gem 'hocon', '~> 1.0', require: false
   # requires native libshadow headers/libs
-  # gem 'libshadow', '~> 1.0', require: false, platforms: [:ruby]
+  #gem 'ruby-shadow', '~> 2.5', require: false, platforms: [:ruby]
   gem 'minitar', '~> 0.6', require: false
   gem 'msgpack', '~> 1.2', require: false
   gem 'rdoc', '~> 6.0', require: false, platforms: [:ruby]

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    puppet (6.7.2)
+    puppet (6.8.0)
       CFPropertyList (~> 2.2)
       facter (>= 2.4.0, < 4)
       fast_gettext (~> 1.1)
@@ -28,7 +28,7 @@ GEM
     gettext (3.2.9)
       locale (>= 2.0.5)
       text (>= 1.3.0)
-    gettext-setup (0.30)
+    gettext-setup (0.31)
       fast_gettext (~> 1.1.0)
       gettext (>= 3.0.2)
       locale
@@ -47,11 +47,11 @@ GEM
     memory_profiler (0.9.14)
     method_source (0.9.2)
     minitar (0.8)
-    msgpack (1.3.0)
+    msgpack (1.3.1)
     multi_json (1.13.1)
     mustache (1.1.0)
     optimist (3.0.0)
-    packaging (0.99.36)
+    packaging (0.99.38)
       artifactory (~> 2)
       rake (~> 12.3)
     parallel (1.17.0)
@@ -64,7 +64,7 @@ GEM
     public_suffix (3.1.1)
     puppet-resource_api (1.8.6)
       hocon (>= 1.0)
-    puppetserver-ca (1.3.2)
+    puppetserver-ca (1.4.0)
       facter (>= 2.0.1, < 4)
     racc (1.4.9)
     rainbow (2.2.2)
@@ -103,7 +103,7 @@ GEM
       unicode-display_width (~> 1.0, >= 1.0.1)
     rubocop-i18n (1.2.0)
       rubocop (~> 0.49.0)
-    ruby-prof (0.18.0)
+    ruby-prof (1.0.0)
     ruby-progressbar (1.10.1)
     safe_yaml (1.0.5)
     semantic_puppet (1.0.2)
@@ -149,4 +149,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   1.16.5
+   1.17.3

data/install.rb

@@ -62,24 +62,6 @@ def do_configs(configs, target, strip = 'conf/')
     ocf = File.join(InstallOptions.config_dir, cf.gsub(/#{strip}/, ''))
     FileUtils.install(cf, ocf, {:mode => 0644, :preserve => true, :verbose => true})
   end
-
-  if $operatingsystem == 'windows'
-    src_dll = 'ext/windows/eventlog/puppetres.dll'
-    dst_dll = File.join(InstallOptions.bin_dir, 'puppetres.dll')
-    FileUtils.install(src_dll, dst_dll, {:mode => 0644, :preserve => true, :verbose => true})
-
-    require 'win32/registry'
-    include Win32::Registry::Constants
-
-    begin
-      Win32::Registry::HKEY_LOCAL_MACHINE.create('SYSTEM\CurrentControlSet\services\eventlog\Application\Puppet', KEY_ALL_ACCESS | 0x0100) do |reg|
-        reg.write_s('EventMessageFile', dst_dll.tr('/', '\\'))
-        reg.write_i('TypesSupported', 0x7)
-      end
-    rescue Win32::Registry::Error => e
-      warn "Failed to create puppet eventlog registry key: #{e}"
-    end
-  end
 end
 
 def do_bins(bins, target, strip = 's?bin/')
@@ -140,12 +122,12 @@ def check_prereqs
         facter_version = Facter.version.to_f
         if facter_version < MIN_FACTER_VERSION
           puts "Facter version: #{facter_version}; minimum required: #{MIN_FACTER_VERSION}; cannot install"
-          exit -1
+          exit (-1)
         end
       end
     rescue LoadError
       puts "Could not load #{pre}; cannot install"
-      exit -1
+      exit (-1)
     end
   }
 end
@@ -266,7 +248,7 @@ def prepare_installation
       require 'win32/dir'
     rescue LoadError => e
       puts "Cannot run on Microsoft Windows without the win32-process, win32-dir & win32-service gems: #{e}"
-      exit -1
+      exit (-1)
     end
   end
 

data/lib/puppet/application/agent.rb

@@ -124,31 +124,35 @@ configuration and apply it.
 USAGE NOTES
 -----------
 'puppet agent' does its best to find a compromise between interactive
-use and daemon use. Run with no arguments and no configuration, it will
-go into the background, attempt to get a signed certificate, and retrieve
-and apply its configuration every 30 minutes.
+use and daemon use. If you run it with no arguments and no configuration, it
+goes into the background, attempts to get a signed certificate, and retrieves
+and applies its configuration every 30 minutes.
 
-Some flags are meant specifically for interactive use -- in particular,
+Some flags are meant specifically for interactive use --- in particular,
 'test', 'tags' and 'fingerprint' are useful.
 
-'--test' does a single run in the foreground with verbose logging, then exits.
-It will also exit if it can't get a valid catalog. The exit code after running
-with '--test' is 0 if the catalog was successfully applied, and 1 if the run
-either failed or wasn't attempted (due to another run already in progress).
+'--test' runs once in the foreground with verbose logging, then exits.
+It also exits if it can't get a valid catalog. `--test` includes the '--detailed-exitcodes' option by default and exits with one of the following exit codes:
+
+* 0: The run succeeded with no changes or failures; the system was already in the desired state.
+* 1: The run failed, or wasn't attempted due to another run already in progress.
+* 2: The run succeeded, and some resources were changed.
+* 4: The run succeeded, and some resources failed.
+* 6: The run succeeded, and included both changes and failures.
 
 '--tags' allows you to specify what portions of a configuration you want
 to apply. Puppet elements are tagged with all of the class or definition
 names that contain them, and you can use the 'tags' flag to specify one
 of these names, causing only configuration elements contained within
 that class or definition to be applied. This is very useful when you are
-testing new configurations -- for instance, if you are just starting to
+testing new configurations --- for instance, if you are just starting to
 manage 'ntpd', you would put all of the new elements into an 'ntpd'
 class, and call puppet with '--tags ntpd', which would only apply that
 small portion of the configuration during your testing, rather than
 applying the whole thing.
 
-'--fingerprint' is a one-time flag. In this mode 'puppet agent' will run
-once and display on the console (and in the log) the current certificate
+'--fingerprint' is a one-time flag. In this mode 'puppet agent' runs
+once and displays on the console (and in the log) the current certificate
 (or certificate request) fingerprint. Providing the '--digest' option
 allows to use a different digest algorithm to generate the fingerprint.
 The main use is to verify that before signing a certificate request on
@@ -192,8 +196,8 @@ generated by running puppet agent with '--genconfig'.
   Enable full debugging.
 
 * --detailed-exitcodes:
-  Provide extra information about the run via exit codes; only works if '--test'
-  or '--onetime' is also specified. If enabled, 'puppet agent' will use the
+  Provide extra information about the run via exit codes; works only if '--test'
+  or '--onetime' is also specified. If enabled, 'puppet agent' uses the
   following exit codes:
 
   0: The run succeeded with no changes or failures; the system was already in

data/lib/puppet/application/device.rb

@@ -238,6 +238,7 @@ Licensed under the Apache 2.0 License
     libdir = Puppet[:libdir]
     vardir = Puppet[:vardir]
     confdir = Puppet[:confdir]
+    ssldir = Puppet[:ssldir]
     certname = Puppet[:certname]
 
     env = Puppet::Node::Environment.remote(Puppet[:environment])
@@ -267,15 +268,23 @@ Licensed under the Apache 2.0 License
             port = ":#{device_url.port}" if device_url.port
 
             # override local $vardir and $certname
+            Puppet[:ssldir] = ::File.join(Puppet[:deviceconfdir], device.name, 'ssl')
             Puppet[:confdir] = ::File.join(Puppet[:devicedir], device.name)
             Puppet[:libdir] = options[:libdir] || ::File.join(Puppet[:devicedir], device.name, 'lib')
             Puppet[:vardir] = ::File.join(Puppet[:devicedir], device.name)
             Puppet[:certname] = device.name
             ssl_context = nil
 
+            # create device directory under $deviceconfdir
+            Puppet::FileSystem.dir_mkpath(Puppet[:ssldir]) unless Puppet::FileSystem.dir_exist?(Puppet[:ssldir])
+
             # this will reload and recompute default settings and create device-specific sub vardir
             Puppet.settings.use :main, :agent, :ssl
 
+            # Workaround for PUP-8736: store ssl certs outside the cache directory to prevent accidental removal and keep the old path as symlink
+            optssldir = File.join(Puppet[:confdir], 'ssl')
+            Puppet::FileSystem.symlink(Puppet[:ssldir], optssldir) unless Puppet::FileSystem.exist?(optssldir)
+
             unless options[:resource] || options[:facts] || options[:apply]
               # Since it's too complicated to fix properly in the default settings, we workaround for PUP-9642 here.
               # See https://github.com/puppetlabs/puppet/pull/7483#issuecomment-483455997 for details.
@@ -359,6 +368,7 @@ Licensed under the Apache 2.0 License
             Puppet[:libdir] = libdir
             Puppet[:vardir] = vardir
             Puppet[:confdir] = confdir
+            Puppet[:ssldir] = ssldir
             Puppet[:certname] = certname
           end
         end

data/lib/puppet/defaults.rb

@@ -572,6 +572,10 @@ module Puppet
         contains any characters with special meanings in URLs (as specified by RFC 3986
         section 2.2), they must be URL-encoded. (For example, `#` would become `%23`.)",
     },
+    :no_proxy => {
+      :default    => "localhost, 127.0.0.1",
+      :desc       => "List of domain names that should not go through `http_proxy_host`. Environment variable no_proxy or NO_PROXY will override this value.",
+    },
     :http_keepalive_timeout => {
       :default    => "4s",
       :type       => :duration,
@@ -642,7 +646,7 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
 
       * With Puppet Server, you should refresh environments by calling the
         `environment-cache` API endpoint. See the docs for the Puppet Server
-        administrative API.
+        [administrative API](https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html).
 
       Any value other than `0` or `unlimited` is deprecated, since most Puppet
       servers use a pool of Ruby interpreters which all have their own cache
@@ -929,17 +933,20 @@ EOT
       :desc  => "Certificate authorities who issue server certificates.  SSL servers will not be
         considered authentic unless they possess a certificate issued by an authority
         listed in this file.  If this setting has no value then the Puppet master's CA
-        certificate (localcacert) will be used."
+        certificate (localcacert) will be used.",
+      :hook => proc do |val|
+        Puppet.deprecation_warning(_("Setting 'ssl_client_ca_auth' is deprecated."))
+      end
     },
     :ssl_server_ca_auth => {
       :type  => :file,
       :mode  => "0644",
       :owner => "service",
       :group => "service",
-      :desc  => "Certificate authorities who issue client certificates.  SSL clients will not be
-        considered authentic unless they possess a certificate issued by an authority
-        listed in this file.  If this setting has no value then the Puppet master's CA
-        certificate (localcacert) will be used."
+      :deprecated  => :completely,
+      :desc => "The setting is deprecated and has no effect. Ensure all root and
+        intermediate certificate authorities used to issue client certificates are
+        contained in the server's `cacert` file on the server."
     },
     :hostcrl => {
       :default => "$ssldir/crl.pem",
@@ -1516,6 +1523,14 @@ EOT
         apply. You can see man pages by running `puppet <SUBCOMMAND> --help`,
         or read them online at https://puppet.com/docs/puppet/latest/man/."
     },
+    :deviceconfdir => {
+      :default  => "$confdir/devices",
+      :type     => :directory,
+      :mode     => "0750",
+      :owner    => "service",
+      :group    => "service",
+      :desc     => "The root directory of devices' $confdir.",
+    },
     :server => {
       :default => "puppet",
       :desc => "The puppet master server to which the puppet agent should connect.",

data/lib/puppet/face/facts.rb

@@ -81,7 +81,7 @@ Puppet::Indirector::Face.define(:facts, '0.0.1') do
                     node: Puppet[:node_name_value],
                     server: server})
 
-      Puppet::Node::Facts.indirection.save(facts)
+      Puppet::Node::Facts.indirection.save(facts, nil, :environment => Puppet.lookup(:current_environment))
     end
   end
 end

data/lib/puppet/face/parser.rb

@@ -42,7 +42,8 @@ Puppet::Face.define(:parser, '0.0.1') do
       if files.empty?
         if not STDIN.tty?
           Puppet[:code] = STDIN.read
-          parse_errors['STDIN'] = validate_manifest(nil)
+          error = validate_manifest(nil)
+          parse_errors['STDIN'] = error if error
         else
           manifest = Puppet.lookup(:current_environment).manifest
           files << manifest
@@ -88,7 +89,7 @@ Puppet::Face.define(:parser, '0.0.1') do
           [file, file_errors]
         end.to_h
 
-        puts Puppet::Util::Json.dump(Puppet::Pops::Serialization::ToDataConverter.convert(data, rich_data: false), :pretty => true)
+        puts Puppet::Util::Json.dump(Puppet::Pops::Serialization::ToDataConverter.convert(data, rich_data: false, symbol_as_string: true), :pretty => true)
 
         exit(1)
       end

data/lib/puppet/forge.rb

@@ -172,7 +172,18 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
       Puppet.warning "#{@metadata['name']} has been deprecated by its author! View module on Puppet Forge for more info." if deprecated?
 
       download(@data['file_uri'], tmpfile)
-      validate_checksum(tmpfile, @data['file_md5'])
+      checksum = @data['file_sha256']
+      if checksum
+        validate_checksum(tmpfile, checksum, Digest::SHA256)
+      else
+        checksum = @data['file_md5']
+        if checksum
+          validate_checksum(tmpfile, checksum, Digest::MD5)
+        else
+          raise _("Forge module is missing SHA256 and MD5 checksums")
+        end
+      end
+
       unpack(tmpfile, tmpdir)
 
       @unpacked_into = Pathname.new(tmpdir)
@@ -201,9 +212,13 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
       end
     end
 
-    def validate_checksum(file, checksum)
-      if Digest::MD5.file(file.path).hexdigest != checksum
-        raise RuntimeError, _("Downloaded release for %{name} did not match expected checksum") % { name: name }
+    def validate_checksum(file, checksum, digest_class)
+      if Facter.value(:fips_enabled) && digest_class == Digest::MD5
+        raise _("Module install using MD5 is prohibited in FIPS mode.")
+      end
+
+      if digest_class.file(file.path).hexdigest != checksum
+        raise RuntimeError, _("Downloaded release for %{name} did not match expected checksum %{checksum}") % { name: name, checksum: checksum }
       end
     end
 

data/lib/puppet/indirector/certificate/file.rb

@@ -1,6 +1,7 @@
 require 'puppet/indirector/ssl_file'
 require 'puppet/ssl/certificate'
 
+# @deprecated
 class Puppet::SSL::Certificate::File < Puppet::Indirector::SslFile
   desc "Manage SSL certificates on disk."
 

data/lib/puppet/indirector/certificate/rest.rb

@@ -1,6 +1,7 @@
 require 'puppet/ssl/certificate'
 require 'puppet/indirector/rest'
 
+# @deprecated
 class Puppet::SSL::Certificate::Rest < Puppet::Indirector::REST
   desc "Find certificates over HTTP via REST."
 

data/lib/puppet/indirector/certificate_request/file.rb

@@ -1,6 +1,7 @@
 require 'puppet/indirector/ssl_file'
 require 'puppet/ssl/certificate_request'
 
+# @deprecated
 class Puppet::SSL::CertificateRequest::File < Puppet::Indirector::SslFile
   desc "Manage the collection of certificate requests on disk."
 

data/lib/puppet/indirector/certificate_request/memory.rb

@@ -1,6 +1,7 @@
 require 'puppet/ssl/certificate_request'
 require 'puppet/indirector/memory'
 
+# @deprecated
 class Puppet::SSL::CertificateRequest::Memory < Puppet::Indirector::Memory
   desc "Store certificate requests in memory. This is used for testing puppet."
 end

data/lib/puppet/indirector/certificate_request/rest.rb

@@ -1,6 +1,7 @@
 require 'puppet/ssl/certificate_request'
 require 'puppet/indirector/rest'
 
+# @deprecated
 class Puppet::SSL::CertificateRequest::Rest < Puppet::Indirector::REST
   desc "Find and save certificate requests over HTTP via REST."
 

data/lib/puppet/indirector/key/file.rb

@@ -1,6 +1,7 @@
 require 'puppet/indirector/ssl_file'
 require 'puppet/ssl/key'
 
+# @deprecated
 class Puppet::SSL::Key::File < Puppet::Indirector::SslFile
   desc "Manage SSL private and public keys on disk."
 

data/lib/puppet/indirector/key/memory.rb

@@ -1,6 +1,7 @@
 require 'puppet/ssl/key'
 require 'puppet/indirector/memory'
 
+# @deprecated
 class Puppet::SSL::Key::Memory < Puppet::Indirector::Memory
   desc "Store keys in memory. This is used for testing puppet."
 end

data/lib/puppet/module_tool/applications/installer.rb

@@ -51,9 +51,6 @@ module Puppet::ModuleTool
       end
 
       def run
-        # Disallow anything that invokes md5 to avoid un-friendly termination due to FIPS
-        raise _("Module install is prohibited in FIPS mode.") if Facter.value(:fips_enabled)
-
         name = @name.tr('/', '-')
         version = options[:version] || '>= 0.0.0'
 

data/lib/puppet/network/http/factory.rb

@@ -25,17 +25,7 @@ class Puppet::Network::HTTP::Factory
   def create_connection(site)
     Puppet.debug("Creating new connection for #{site}")
 
-    args = [site.host, site.port]
-
-    unless Puppet::Util::HttpProxy.no_proxy?(site)
-      if Puppet[:http_proxy_host] == "none"
-        args << nil << nil
-      else
-        args << Puppet[:http_proxy_host] << Puppet[:http_proxy_port]
-      end
-    end
-
-    http = Net::HTTP.new(*args)
+    http = Puppet::Util::HttpProxy.proxy(URI(site.addr))
     http.use_ssl = site.use_ssl?
     http.read_timeout = Puppet[:http_read_timeout]
     http.open_timeout = Puppet[:http_connect_timeout]

data/lib/puppet/pops/lookup/key_recorder.rb

@@ -0,0 +1,18 @@
+# This class defines the private API of the Lookup Key Recorder support.
+# @api private
+#
+class Puppet::Pops::Lookup::KeyRecorder
+
+  def initialize()
+  end
+
+  def self.singleton
+    @null_recorder ||= self.new
+  end
+
+  # Records a key
+  # (This implementation does nothing)
+  #
+  def record(key)
+  end
+end

data/lib/puppet/pops/lookup/lookup_adapter.rb

@@ -27,6 +27,8 @@ class LookupAdapter < DataAdapter
     super()
     @compiler = compiler
     @lookup_options = {}
+    # Get a KeyRecorder from context, and set a "null recorder" if not defined
+    @key_recorder = Puppet.lookup(:lookup_key_recorder) { KeyRecorder.singleton }
   end
 
   # Performs a lookup using global, environment, and module data providers. Merge the result using the given
@@ -48,6 +50,11 @@ class LookupAdapter < DataAdapter
       end
     end
 
+    # Record that the key was looked up. This will record all keys for which a lookup is performed
+    # except 'lookup_options' (since that is illegal from a user perspective,
+    # and from an impact perspective is always looked up).
+    @key_recorder.record(key)
+
     key = LookupKey.new(key)
     lookup_invocation.lookup(key, key.module_name) do
       if lookup_invocation.only_explain_options?

data/lib/puppet/pops/lookup.rb

@@ -94,3 +94,4 @@ end
 end
 
 require_relative 'lookup/lookup_adapter'
+require_relative 'lookup/key_recorder'

data/lib/puppet/provider/file/posix.rb

@@ -8,6 +8,11 @@ Puppet::Type.type(:file).provide :posix do
   include Puppet::Util::Warnings
 
   require 'etc'
+  require 'puppet/util/selinux'
+
+  def self.post_resource_eval
+    Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support?
+  end
 
   def uid2name(id)
     return id.to_s if id.is_a?(Symbol) or id.is_a?(String)

data/lib/puppet/provider/nameservice.rb

@@ -173,9 +173,10 @@ class Puppet::Provider::NameService < Puppet::Provider
     end
 
     begin
-      execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+      sensitive = has_sensitive_data?
+      execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
       if feature?(:manages_password_age) && (cmd = passcmd)
-        execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+        execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
       end
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, _("Could not create %{resource} %{name}: %{detail}") % { resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
@@ -279,13 +280,19 @@ class Puppet::Provider::NameService < Puppet::Provider
     self.class.validate(param, value)
     cmd = modifycmd(param, munge(param, value))
     raise Puppet::DevError, _("Nameservice command must be an array") unless cmd.is_a?(Array)
+    sensitive = has_sensitive_data?(param)
     begin
-      execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
+      execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, _("Could not set %{param} on %{resource}[%{name}]: %{detail}") % { param: param, resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
     end
   end
 
+  #Derived classes can override to declare sensitive data so a flag can be passed to execute
+  def has_sensitive_data?(property = nil)
+    false
+  end
+
   # From overriding Puppet::Property#insync? Ruby Etc::getpwnam < 2.1.0 always
   # returns a struct with binary encoded string values, and >= 2.1.0 will return
   # binary encoded strings for values incompatible with current locale charset,

data/lib/puppet/provider/package/apt.rb

@@ -8,7 +8,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
     These options should be specified as an array where each element is either a
      string or a hash."
 
-  has_feature :versionable, :install_options
+  has_feature :versionable, :install_options, :virtual_packages
 
   commands :aptget => "/usr/bin/apt-get"
   commands :aptcache => "/usr/bin/apt-cache"

data/lib/puppet/provider/package/dpkg.rb

@@ -5,7 +5,7 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
     and not `apt`, you must specify the source of any packages you want
     to manage."
 
-  has_feature :holdable
+  has_feature :holdable, :virtual_packages 
 
   commands :dpkg => "/usr/bin/dpkg"
   commands :dpkg_deb => "/usr/bin/dpkg-deb"
@@ -45,16 +45,18 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
   # Note: self:: is required here to keep these constants in the context of what will
   # eventually become this Puppet::Type::Package::ProviderDpkg class.
   self::DPKG_QUERY_FORMAT_STRING = %Q{'${Status} ${Package} ${Version}\\n'}
+  self::DPKG_QUERY_PROVIDES_FORMAT_STRING = %Q{'${Status} ${Package} ${Version} [${Provides}]\\n'}
   self::FIELDS_REGEX = %r{^(\S+) +(\S+) +(\S+) (\S+) (\S*)$}
+  self::FIELDS_REGEX_WITH_PROVIDES = %r{^(\S+) +(\S+) +(\S+) (\S+) (\S*) \[.*\]$} 
   self::FIELDS= [:desired, :error, :status, :name, :ensure]
 
   # @param line [String] one line of dpkg-query output
   # @return [Hash,nil] a hash of FIELDS or nil if we failed to match
   # @api private
-  def self.parse_line(line)
+  def self.parse_line(line, regex=self::FIELDS_REGEX)
     hash = nil
 
-    match = self::FIELDS_REGEX.match(line)
+    match = regex.match(line)
     if match
       hash = {}
 
@@ -116,6 +118,18 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
 
     # list out our specific package
     begin
+      if @resource.allow_virtual?
+        output = dpkgquery(
+          "-W",
+          "--showformat",
+          self.class::DPKG_QUERY_PROVIDES_FORMAT_STRING
+        ).lines.find {|package| package.match(/\[.*#{@resource[:name]}.*\]/)}
+        if output          
+          hash = self.class.parse_line(output,self.class::FIELDS_REGEX_WITH_PROVIDES)
+          Puppet.info("Package #{@resource[:name]} is virtual, defaulting to #{hash[:name]}")
+          @resource[:name] = hash[:name]
+        end
+      end
       output = dpkgquery(
         "-W",
         "--showformat",