bolt 0.21.7 → 0.21.8

data/vendored/puppet/lib/puppet/pops/evaluator/deferred_resolver.rb

@@ -0,0 +1,128 @@
+require 'puppet/parser/script_compiler'
+
+module Puppet::Pops
+module Evaluator
+
+# Utility class to help resolve instances of Puppet::Pops::Types::PDeferredType::Deferred
+#
+class DeferredResolver
+  DOLLAR = '$'.freeze
+  DIG    = 'dig'.freeze
+
+  # Resolves and replaces all Deferred values in a catalog's resource attributes
+  # found as direct values or nested inside Array, Hash or Sensitive values.
+  # Deferred values inside of custom Object instances are not resolved as this
+  # is expected to be done by such objects.
+  #
+  # @param node [Puppet::Node] the node for the catalog
+  # @param facts [Puppet::Node::Facts] the facts object for the node
+  # @param catalog [Puppet::Resource::Catalog] the catalog where all deferred values should be replaced
+  # @return [nil] does not return anything - the catalog is modified as a side effect
+  #
+  def self.resolve_and_replace(node, facts, catalog)
+    compiler = Puppet::Parser::ScriptCompiler.new(node.environment, node.name)
+    resolver = new(compiler)
+    resolver.set_facts_variable(facts)
+    # TODO:
+    #    # When scripting the trusted data are always local, but set them anyway
+    #    @scope.set_trusted(node.trusted_data)
+    #
+    #    # Server facts are always about the local node's version etc.
+    #    @scope.set_server_facts(node.server_facts)
+
+    resolver.resolve_futures(catalog)
+    nil
+  end
+
+  # Resolves a value such that a direct Deferred, or any nested Deferred values
+  # are resolved and used instead of the deferred value.
+  # A direct Deferred value, or nested deferred values inside of Array, Hash or
+  # Sensitive values are resolved and replaced inside of freshly created
+  # containers.
+  #
+  # The resolution takes place in the topscope of the given compiler.
+  # Variable values are supposed to already have been set.
+  #
+  # @param value [Object] the (possibly nested) value to resolve
+  # @param compiler [Puppet::Parser::ScriptCompiler, Puppet::Parser::Compiler] the compiler in effect
+  # @return [Object] the resolved value (a new Array, Hash, or Sensitive if needed), with all deferred values resolved
+  #
+  def self.resolve(value, compiler)
+    resolver = new(compiler)
+    resolver.resolve(value)
+  end
+
+  def initialize(compiler)
+    @compiler = compiler
+    # Always resolve in top scope
+    @scope = @compiler.topscope
+    @deferred_class = Puppet::Pops::Types::TypeFactory.deferred.implementation_class
+  end
+
+  # @param facts [Puppet::Node::Facts] the facts to set in $facts in the compiler's topscope
+  #
+  def set_facts_variable(facts)
+    @scope.set_facts(facts.nil? ? {} : facts.values)
+  end
+
+  def resolve_futures(catalog)
+    catalog.resources.each do |r|
+      overrides = {}
+      r.parameters.each_pair do |k, v|
+        resolved = resolve(v)
+        # If the value is instance of Sensitive - assign the unwrapped value
+        # and mark it as sensitive if not already marked
+        #
+        if resolved.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+          resolved = resolved.unwrap
+          unless r.sensitive_parameters.include?(k.to_sym)
+            r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
+          end
+        end
+        overrides[ k ] = resolved
+      end
+      r.parameters.merge!(overrides) unless overrides.empty?
+    end
+  end
+
+  def resolve(x)
+    if x.class == @deferred_class
+      resolve_future(x)
+    elsif x.is_a?(Array)
+      x.map {|v| resolve(v) }
+    elsif x.is_a?(Hash)
+      result = {}
+      x.each_pair {|k,v| result[k] = resolve(v) }
+      result
+    elsif x.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      # rewrap in a new Sensitive after resolving any nested deferred values
+      Puppet::Pops::Types::PSensitiveType::Sensitive.new(resolve(x.unwrap))
+    else
+      x
+    end
+  end
+
+  def resolve_future(f)
+    # If any of the arguments to a future is a future it needs to be resolved first
+    func_name = f.name
+    mapped_arguments = map_arguments(f.arguments)
+    # if name starts with $ then this is a call to dig 
+    if func_name[0] == DOLLAR
+      var_name = func_name[1..-1]
+      func_name = DIG
+      mapped_arguments.insert(0, @scope[var_name])
+    end
+
+    # call the function (name in deferred, or 'dig' for a variable)
+    @scope.call_function(func_name, mapped_arguments)
+  end
+
+  def map_arguments(args)
+    return [] if args.nil?
+    args.map {|v| resolve(v) }
+  end
+  private :map_arguments
+
+end
+end
+end

data/vendored/puppet/lib/puppet/pops/evaluator/evaluator_impl.rb

@@ -404,7 +404,7 @@ class EvaluatorImpl
     end
 
     left_o = bin_expr.left_expr
-    if left.is_a?(URI) && operator == '+'
+    if (left.is_a?(URI) || left.is_a?(Types::PBinaryType::Binary)) && operator == '+'
       concatenate(left, right)
     elsif (left.is_a?(Array) || left.is_a?(Hash)) && COLLECTION_OPERATORS.include?(operator)
       # Handle operation on collections
@@ -1221,6 +1221,9 @@ class EvaluatorImpl
     when URI
       raise ArgumentError.new(_('An URI can only be merged with an URI or String')) unless y.is_a?(String) || y.is_a?(URI)
       x + y
+    when Types::PBinaryType::Binary
+      raise ArgumentError.new(_('Can only append Binary to a Binary')) unless y.is_a?(Types::PBinaryType::Binary)
+      Types::PBinaryType::Binary.from_binary_string(x.binary_buffer + y.binary_buffer)
     else
       concatenate([x], y)
     end

data/vendored/puppet/lib/puppet/pops/functions/dispatch.rb

@@ -79,6 +79,8 @@ class Dispatch < Evaluator::CallableSignature
               scope
             when :pal_script_compiler
               Puppet.lookup(:pal_script_compiler)
+            when :cache
+              Puppet::Pops::Adapters::ObjectIdCacheAdapter.adapt(scope.compiler)
             else
               raise ArgumentError, _("Unknown injection %{injection_name}") % { injection_name: injection_name }
             end

data/vendored/puppet/lib/puppet/pops/issues.rb

@@ -286,7 +286,7 @@ module Issues
   end
 
   ILLEGAL_NAME = hard_issue :ILLEGAL_NAME, :name do
-    _("Illegal name. The given name '%{name}' does not conform to the naming rule /^((::)?[a-z_]\w*)(::[a-z]\\w*)*$/") % { name: name }
+    _("Illegal name. The given name '%{name}' does not conform to the naming rule /^((::)?[a-z_]\\w*)(::[a-z]\\w*)*$/") % { name: name }
   end
 
   ILLEGAL_SINGLE_TYPE_MAPPING = hard_issue :ILLEGAL_TYPE_MAPPING, :expression do
@@ -886,10 +886,18 @@ module Issues
     _("The catalog operation '%{operation}' is only available when compiling a catalog") % { operation: operation }
   end
 
+  EXPRESSION_NOT_SUPPORTED_WHEN_SCRIPTING = issue :EXPRESSION_NOT_SUPPORTED_WHEN_SCRIPTING, :klass do
+    _("%{expr} is only available when compiling a catalog") % { expr: label.a_an_uc(klass) }
+  end
+
   TASK_OPERATION_NOT_SUPPORTED_WHEN_COMPILING = issue :TASK_OPERATION_NOT_SUPPORTED_WHEN_COMPILING, :operation do
     _("The task operation '%{operation}' is not available when compiling a catalog") % { operation: operation }
   end
 
+  EXPRESSION_NOT_SUPPORTED_WHEN_COMPILING = issue :EXPRESSION_NOT_SUPPORTED_WHEN_COMPILING, :klass do
+    _("%{expr} is not available when compiling a catalog") % { expr: label.a_an_uc(klass) }
+  end
+
   TASK_MISSING_BOLT = issue :TASK_MISSING_BOLT, :action do
     _("The 'bolt' library is required to %{action}") % { action: action }
   end

data/vendored/puppet/lib/puppet/pops/loader/static_loader.rb

@@ -6,38 +6,22 @@ module Loader
 class StaticLoader < Loader
 
   BUILTIN_TYPE_NAMES = %w{
-      Augeas
       Component
-      Computer
       Cron
       Exec
       File
       Filebucket
       Group
-      Host
-      Interface
-      K5login
-      Macauthorization
-      Mcx
-      Mount
       Node
       Notify
       Package
       Resources
-      Router
       Schedule
-      Scheduled_task
-      Selboolean
-      Selmodule
       Service
-      Ssh_authorized_key
-      Sshkey
       Stage
       Tidy
       User
-      Vlan
       Whit
-      Yumrepo
     }.freeze
 
   BUILTIN_TYPE_NAMES_LC = Set.new(BUILTIN_TYPE_NAMES.map { |n| n.downcase }).freeze

data/vendored/puppet/lib/puppet/pops/loaders.rb

@@ -63,15 +63,13 @@ class Loaders
   # be pre-loaded with a fully configured loader system
   def pre_load
     @puppet_system_loader.load(:type, 'error')
-
-    # Will move to Bolt
-    @puppet_system_loader.load(:type, 'executionresult')
   end
 
   # Clears the cached static and puppet_system loaders (to enable testing)
   #
   def self.clear
     @@static_loader = nil
+    Puppet::Pops::Types::TypeFactory.clear
     Model.class_variable_set(:@@pcore_ast_initialized, false)
     Model.register_pcore_types
   end

data/vendored/puppet/lib/puppet/pops/parser/eparser.rb

@@ -38,8 +38,8 @@ clist = [
 '116,74,72,154,118,154,121,471,403,470,117,131,271,414,118,128,121,429',
 '21,20,117,-280,154,404,413,54,157,57,157,69,12,120,63,46,49,475,56,47',
 '10,11,116,120,66,19,476,157,48,130,304,17,18,127,330,97,118,331,121',
-'84,131,129,117,459,128,55,-280,131,458,45,80,128,82,83,471,399,470,64',
-'51,70,71,58,-235,120,62,60,61,67,79,72,116,65,73,434,74,400,130,526',
+'84,131,129,117,526,128,55,-280,131,458,45,80,128,82,83,471,399,470,64',
+'51,70,71,58,-235,120,62,60,61,67,79,72,116,65,73,434,74,400,130,459',
 '98,99,127,436,458,130,118,97,121,127,129,131,117,21,20,128,399,129,124',
 '307,54,396,57,394,69,136,116,63,46,49,390,56,47,120,443,181,79,66,19',
 '182,118,48,121,444,17,18,117,130,98,99,131,127,84,131,128,97,388,128',
@@ -363,9 +363,9 @@ clist = [
 '246,146,246,468,308,468,246,230,118,314,137,230,137,329,336,336,137',
 '230,51,308,313,336,221,336,146,336,336,246,336,336,336,410,336,336,336',
 '336,249,137,336,336,410,51,336,230,305,336,336,230,192,246,249,192,249',
-'336,147,230,249,392,147,336,230,149,392,336,336,149,336,336,406,341',
+'336,147,230,249,504,147,336,230,149,504,336,336,149,336,336,406,341',
 '406,336,336,336,336,336,346,249,336,336,336,18,18,336,251,18,18,347',
-'18,304,147,504,249,249,147,349,504,149,251,249,251,149,147,12,251,18',
+'18,304,147,392,249,249,147,349,392,149,251,249,251,149,147,12,251,18',
 '18,12,298,149,12,295,18,294,18,293,18,18,244,18,18,18,288,18,18,251',
 '355,200,200,18,18,200,244,18,244,357,18,18,244,12,251,251,168,12,18',
 '58,168,251,284,58,18,12,60,359,18,18,60,18,18,244,197,197,18,18,18,18',
@@ -750,7 +750,7 @@ racc_action_pointer = [
    nil,   269,   nil,   nil,   nil,   nil,   nil,   nil,   nil,   nil,
    nil,   nil,   nil,   nil,   nil,   nil,   nil,   nil,   290,  7642,
  10571,   305,   nil,   332,   nil,   310,   nil,   314, 10397,   nil,
-   273,   nil,   150,   366,   369,   nil,  7460,   380,   319,   381,
+   273,   nil,   184,   366,   369,   nil,  7460,   380,   319,   381,
   7005,   nil,   nil,  6914,   nil,   395,   135,   404,   396,  9114,
    119,  6550,   nil,  6459,  6368, 10455,  6186,   441,   nil,   461,
    nil,  9037,   nil,   nil,   464,   nil,  5640,   nil,   nil,   nil,
@@ -761,7 +761,7 @@ racc_action_pointer = [
   2091,   517,   496,   nil,   524,  1909,   540,   nil,   nil,   542,
    nil,   nil,   544,   542,   546,   548,  1818,   nil,  1363,   547,
    nil,   nil,   551,   519,   nil,   nil,   nil,   nil,   553,   nil,
-   nil,   554,   555,   nil,   184,   nil,   nil,  1181,   nil,   726,
+   nil,   554,   555,   nil,   150,   nil,   nil,  1181,   nil,   726,
  10248,  1272,   nil,   nil,   563,   nil,  1090,   565,   nil,   566,
    570,   nil,  5913,   nil,   nil,   nil,   nil,   573,   nil,   582,
    nil,   583,   nil,   nil,   nil,   586,   nil,   nil,   nil,   nil,

data/vendored/puppet/lib/puppet/pops/pcore.rb

@@ -95,6 +95,17 @@ module Pcore
     Resource.register_ptypes(loader, ir)
     Lookup::Context.register_ptype(loader, ir);
     Lookup::DataProvider.register_types(loader)
+
+    add_object_type('Deferred', <<-PUPPET, loader)
+      {
+        attributes => {
+          # Fully qualified name of the function
+          name  => { type => Pattern[/\\A[$]?[a-z][a-z0-9_]*(?:::[a-z][a-z0-9_]*)*\\z/] },
+          arguments => { type => Optional[Array[Any]], value => undef},
+        }
+      }
+    PUPPET
+
   end
 
   # Create and register a new `Object` type in the Puppet Type System and map it to an implementation class

data/vendored/puppet/lib/puppet/pops/types/type_factory.rb

@@ -6,6 +6,19 @@ module Types
 module TypeFactory
   @type_calculator = TypeCalculator.singleton
 
+  # Clears caches - used when testing
+  def self.clear
+    # these types are cached and needs to be nulled as the representation may change if loaders are cleared
+    @data_t = nil
+    @rich_data_t = nil
+    @rich_data_key_t = nil
+    @array_of_data_t = nil
+    @hash_of_data_t = nil
+    @error_t = nil
+    @task_t = nil
+    @deferred_t = nil
+  end
+
   # Produces the Integer type
   # @api public
   #
@@ -526,6 +539,10 @@ module TypeFactory
     @task_t ||= TypeParser.singleton.parse('Task')
   end
 
+  def self.deferred
+    @deferred_t ||= TypeParser.singleton.parse('Deferred')
+  end
+
   # Produces a type for URI[String or Hash]
   # @api public
   #

data/vendored/puppet/lib/puppet/pops/validation/tasks_checker.rb

@@ -24,8 +24,12 @@ class TasksChecker < Checker4_0
   def check_CollectExpression(o)
     # Only virtual resource queries are allowed in apply blocks, not exported
     # resource queries
-    if in_ApplyExpression? && o.query.is_a?(Puppet::Pops::Model::VirtualQuery)
-      super(o)
+    if in_ApplyExpression?
+      if o.query.is_a?(Puppet::Pops::Model::VirtualQuery)
+        super(o)
+      else
+        acceptor.accept(Issues::EXPRESSION_NOT_SUPPORTED_WHEN_COMPILING, o, {:klass => o})
+      end
     else
       illegalTasksExpression(o)
     end
@@ -64,7 +68,11 @@ class TasksChecker < Checker4_0
   end
 
   def check_ResourceOverrideExpression(o)
-    illegalTasksExpression(o)
+    if in_ApplyExpression?
+      super(o)
+    else
+      illegalTasksExpression(o)
+    end
   end
 
   def check_ResourceTypeDefinition(o)
@@ -77,12 +85,12 @@ class TasksChecker < Checker4_0
 
   def check_ApplyExpression(o)
     if in_ApplyExpression?
-      acceptor.accept(Issues::TASK_OPERATION_NOT_SUPPORTED_WHEN_COMPILING, o, {:operation => o.class.to_s})
+      acceptor.accept(Issues::EXPRESSION_NOT_SUPPORTED_WHEN_COMPILING, o, {:klass => o})
     end
   end
 
   def illegalTasksExpression(o)
-    acceptor.accept(Issues::CATALOG_OPERATION_NOT_SUPPORTED_WHEN_SCRIPTING, o, {:operation => o.class.to_s})
+    acceptor.accept(Issues::EXPRESSION_NOT_SUPPORTED_WHEN_SCRIPTING, o, {:klass => o})
   end
 
   def resource_without_title?(o)

data/vendored/puppet/lib/puppet/pops.rb

@@ -70,6 +70,7 @@ module Puppet
       require 'puppet/pops/evaluator/epp_evaluator'
       require 'puppet/pops/evaluator/collector_transformer'
       require 'puppet/pops/evaluator/puppet_proc'
+      require 'puppet/pops/evaluator/deferred_resolver'
       module Collectors
         require 'puppet/pops/evaluator/collectors/abstract_collector'
         require 'puppet/pops/evaluator/collectors/fixed_set_collector'

data/vendored/puppet/lib/puppet/provider/service/debian.rb

@@ -19,6 +19,7 @@ Puppet::Type.type(:service).provide :debian, :parent => :init do
 
   defaultfor :operatingsystem => :cumuluslinux, :operatingsystemmajrelease => ['1','2']
   defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => ['5','6','7']
+  defaultfor :operatingsystem => :devuan
 
   # Remove the symlinks
   def disable

data/vendored/puppet/lib/puppet/provider/service/smf.rb

@@ -108,8 +108,6 @@ Puppet::Type.type(:service).provide :smf, :parent => :base do
   end
 
   def stop
-    # Don't try to stop non-existing services (PUP-8167)
-    return if self.status == :absent
     # Wait for the service to actually stop before returning.
     super
     self.wait('offline', 'disabled', 'uninitialized')
@@ -138,8 +136,9 @@ Puppet::Type.type(:service).provide :smf, :parent => :base do
       states = service_states
       state = states[1] == "-" ? states[0] : states[1]
     rescue Puppet::ExecutionFailure
+      # TODO (PUP-8957): Should this be set back to INFO ?
       debug "Could not get status on service #{self.name} #{$!}"
-      return :absent
+      return :stopped
     end
 
     case state

data/vendored/puppet/lib/puppet/provider/service/upstart.rb

@@ -16,8 +16,6 @@ Puppet::Type.type(:service).provide :upstart, :parent => :debian do
     Facter.value(:operatingsystem) == 'LinuxMint',
   ]
 
-  confine :exists => "/var/run/upstart-socket-bridge.pid"
-
   defaultfor :operatingsystem => :ubuntu, :operatingsystemmajrelease => ["10.04", "12.04", "14.04", "14.10"]
 
   commands :start   => "/sbin/start",
@@ -26,6 +24,16 @@ Puppet::Type.type(:service).provide :upstart, :parent => :debian do
            :status_exec  => "/sbin/status",
            :initctl => "/sbin/initctl"
 
+  # We only want to use upstart as our provider if the upstart daemon is running.
+  # This can be checked by running `initctl version --quiet` on a machine that has
+  # upstart installed.
+  confine :true => begin
+    initctl('version', '--quiet')
+    true
+  rescue
+    false
+  end
+
   # upstart developer haven't implemented initctl enable/disable yet:
   # http://www.linuxplanet.com/linuxplanet/tutorials/7033/2/
   has_feature :enableable

data/vendored/puppet/lib/puppet/ssl/certificate_authority.rb

@@ -193,26 +193,6 @@ class Puppet::SSL::CertificateAuthority
     Puppet::SSL::Certificate.indirection.search(name).collect { |c| c.name }
   end
 
-  # Return all the certificate objects as found by the indirector
-  # API for PE license checking.
-  #
-  # Created to prevent the case of reading all certs from disk, getting
-  # just their names and verifying the cert for each name, which then
-  # causes the cert to again be read from disk.
-  #
-  # @author Jeff Weiss <jeff.weiss@puppetlabs.com>
-  # @api Puppet Enterprise Licensing
-  #
-  # @param name [Array<string>] filter to cerificate names
-  #
-  # @return [Array<Puppet::SSL::Certificate>]
-  #
-  # @deprecated Use Puppet::SSL::CertificateAuthority#list or Puppet Server Certificate status API
-  def list_certificates(name='*')
-    Puppet.deprecation_warning(_("Puppet::SSL::CertificateAuthority#list_certificates is deprecated. Please use Puppet::SSL::CertificateAuthority#list or the certificate status API to query certificate information. See https://puppet.com/docs/puppet/latest/http_api/http_certificate_status.html"))
-    Puppet::SSL::Certificate.indirection.search(name)
-  end
-
   # Read the next serial from the serial file, and increment the
   # file so this one is considered used.
   def next_serial
@@ -406,46 +386,15 @@ class Puppet::SSL::CertificateAuthority
     return true                 # good enough for us!
   end
 
-  # Utility method for optionally caching the X509 Store for verifying a
-  # large number of certificates in a short amount of time--exactly the
-  # case we have during PE license checking.
-  #
-  # @example Use the cached X509 store
-  #   x509store(:cache => true)
-  #
-  # @example Use a freshly create X509 store
-  #   x509store
-  #   x509store(:cache => false)
-  #
-  # @param [Hash] options the options used for retrieving the X509 Store
-  # @option options [Boolean] :cache whether or not to use a cached version
-  #   of the X509 Store
-  #
-  # @return [OpenSSL::X509::Store]
-  #
-  # @deprecated Strictly speaking, #x509_store is marked API private, so we
-  #   don't need to publicly deprecate it. But it marked as deprecated here to
-  #   avoid the exceedingly small chance that someone comes in and uses it from
-  #   within this class before it is removed.
-  def x509_store(options = {})
-    if (options[:cache])
-      return @x509store unless @x509store.nil?
-      @x509store = create_x509_store
-    else
-      create_x509_store
-    end
-  end
-  private :x509_store
-
   # Creates a brand new OpenSSL::X509::Store with the appropriate
   # Certificate Revocation List and flags
   #
   # @return [OpenSSL::X509::Store]
-  def create_x509_store
-    store = OpenSSL::X509::Store.new()
+  def create_x509_store(purpose)
+    store = OpenSSL::X509::Store.new
     store.add_file(Puppet[:cacert])
     store.add_crl(crl.content) if self.crl
-    store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    store.purpose = purpose
     if Puppet.settings[:certificate_revocation]
       store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL | OpenSSL::X509::V_FLAG_CRL_CHECK
     end
@@ -453,50 +402,23 @@ class Puppet::SSL::CertificateAuthority
   end
   private :create_x509_store
 
-  # Utility method which is API for PE license checking.
-  # This is used rather than `verify` because
-  #  1) We have already read the certificate from disk into memory.
-  #     To read the certificate from disk again is just wasteful.
-  #  2) Because we're checking a large number of certificates against
-  #     a transient CertificateAuthority, we can relatively safely cache
-  #     the X509 Store that actually does the verification.
-  #
-  # Long running instances of CertificateAuthority will certainly
-  # want to use `verify` because it will recreate the X509 Store with
-  # the absolutely latest CRL.
-  #
-  # Additionally, this method explicitly returns a boolean whereas
-  # `verify` will raise an error if the certificate has been revoked.
-  #
-  # @author Jeff Weiss <jeff.weiss@puppetlabs.com>
-  # @api Puppet Enterprise Licensing
-  #
-  # @param cert [Puppet::SSL::Certificate] the certificate to check validity of
-  #
-  # @return [Boolean] true if signed, false if unsigned or revoked
-  #
-  # @deprecated use Puppet::SSL::CertificateAuthority#verify or Puppet Server certificate status API
-  def certificate_is_alive?(cert)
-    Puppet.deprecation_warning(_("Puppet::SSL::CertificateAuthority#certificate_is_alive? is deprecated. Please use Puppet::SSL::CertificateAuthority#verify or the certificate status API to query certificate information. See https://puppet.com/docs/puppet/latest/http_api/http_certificate_status.html"))
-    x509_store(:cache => true).verify(cert.content)
-  end
-
   # Verify a given host's certificate. The certname is passed in, and
   # the indirector will be used to locate the actual contents of the
   # certificate with that name.
   #
   # @param name [String] certificate name to verify
+  # @param purpose [Integer] bitwise combination of X509::PURPOSE_*
   #
   # @raise [ArgumentError] if the certificate name cannot be found
   #   (i.e. doesn't exist or is unsigned)
   # @raise [CertificateVerficationError] if the certificate has been revoked
   #
   # @return [Boolean] true if signed, there are no cases where false is returned
-  def verify(name)
+  def verify(name, purpose = OpenSSL::X509::PURPOSE_ANY)
     unless cert = Puppet::SSL::Certificate.indirection.find(name)
       raise ArgumentError, _("Could not find a certificate for %{name}") % { name: name }
     end
-    store = create_x509_store
+    store = create_x509_store(purpose)
 
     raise CertificateVerificationError.new(store.error), store.error_string unless store.verify(cert.content)
   end

data/vendored/puppet/lib/puppet/ssl/certificate_request.rb

@@ -266,9 +266,17 @@ DOC
     end
 
     if options[:dns_alt_names]
-      names = options[:dns_alt_names].split(/\s*,\s*/).map(&:strip) + [name]
-      names = names.sort.uniq.map {|name| "DNS:#{name}" }.join(", ")
-      alt_names_ext = extension_factory.create_extension("subjectAltName", names, false)
+      raw_names = options[:dns_alt_names].split(/\s*,\s*/).map(&:strip) + [name]
+
+      parsed_names = raw_names.map do |name|
+        if !name.start_with?("IP:") && !name.start_with?("DNS:")
+          "DNS:#{name}"
+        else
+          name
+        end
+      end.sort.uniq.join(", ")
+
+      alt_names_ext = extension_factory.create_extension("subjectAltName", parsed_names, false)
 
       extensions << alt_names_ext
     end

data/vendored/puppet/lib/puppet/type/file.rb

@@ -835,6 +835,9 @@ Puppet::Type.newtype(:file) do
     rescue Errno::EACCES
       warning _("Could not stat; permission denied")
       nil
+    rescue Errno::EINVAL
+      warning _("Could not stat; invalid pathname")
+      nil
     end
   end
 

data/vendored/puppet/lib/puppet/type/user.rb

@@ -675,13 +675,23 @@ module Puppet
     end
 
     def generate
-      return [] if self[:purge_ssh_keys].empty?
-      find_unmanaged_keys
+      if !self[:purge_ssh_keys].empty?
+        if Puppet::Type.type(:ssh_authorized_key).nil?
+          warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
+        else
+          return find_unmanaged_keys
+        end
+      end
+
+      []
     end
 
     newparam(:purge_ssh_keys) do
       desc "Whether to purge authorized SSH keys for this user if they are not managed
-        with the `ssh_authorized_key` resource type. Allowed values are:
+        with the `ssh_authorized_key` resource type. This parameter is a noop if the
+        ssh_authorized_key type is not available.
+        
+        Allowed values are:
 
         * `false` (default) --- don't purge SSH keys for this user.
         * `true` --- look for keys in the `.ssh/authorized_keys` file in the user's
@@ -780,6 +790,10 @@ module Puppet
     # @return [Array<Puppet::Type::Ssh_authorized_key] a list of resources
     #   representing the found keys
     def unknown_keys_in_file(keyfile)
+      # The ssh_authorized_key type is distributed as a module on the Forge,
+      # so we shouldn't rely on it being available.
+      return [] unless Puppet::Type.type(:ssh_authorized_key)
+
       names = []
       name_index = 0
       # RFC 4716 specifies UTF-8 allowed in public key files per https://www.ietf.org/rfc/rfc4716.txt