puppet 4.8.2-universal-darwin → 4.9.0-universal-darwin

data/lib/puppet/pops/validation/checker4_0.rb

@@ -295,8 +295,12 @@ class Checker4_0 < Evaluator::LiteralEvaluator
 
   def check_CaseExpression(o)
     rvalue(o.test)
-    # There should only be one LiteralDefault case option value
-    # TODO: Implement this check
+    # There can only be one LiteralDefault case option value
+    defaults = o.options.values.select {|v| v.is_a?(Model::LiteralDefault) }
+    unless defaults.size <= 1
+      # Flag the second default as 'unreachable'
+      acceptor.accept(Issues::DUPLICATE_DEFAULT, defaults[1], :container => o)
+    end
   end
 
   def check_CaseOption(o)
@@ -659,6 +663,12 @@ class Checker4_0 < Evaluator::LiteralEvaluator
 
   def check_SelectorExpression(o)
     rvalue(o.left_expr)
+    # There can only be one LiteralDefault case option value
+    defaults = o.selectors.select {|v| v.matching_expr.is_a?(Model::LiteralDefault) }
+    unless defaults.size <= 1
+      # Flag the second default as 'unreachable'
+      acceptor.accept(Issues::DUPLICATE_DEFAULT, defaults[1].matching_expr, :container => o)
+    end
   end
 
   def check_SelectorEntry(o)

data/lib/puppet/pops/validation/validator_factory_4_0.rb

@@ -28,6 +28,7 @@ class ValidatorFactory_4_0 < Factory
     p[Issues::FUTURE_RESERVED_WORD]          = :deprecation
 
     p[Issues::DUPLICATE_KEY]                 = Puppet[:strict] == :off ? :ignore : Puppet[:strict]
+    p[Issues::DUPLICATE_DEFAULT]             = Puppet[:strict] == :off ? :ignore : Puppet[:strict]
     p[Issues::NAME_WITH_HYPHEN]              = :error
     p[Issues::EMPTY_RESOURCE_SPECIALIZATION] = :ignore
     p

data/lib/puppet/pops/validation.rb

@@ -273,7 +273,7 @@ module Validation
   #
   class DiagnosticFormatter
     def format diagnostic
-      "#{loc(diagnostic)} #{format_severity(diagnostic)}#{format_message(diagnostic)}"
+      "#{format_location(diagnostic)} #{format_severity(diagnostic)}#{format_message(diagnostic)}"
     end
 
     def format_message diagnostic

data/lib/puppet/pops/visitor.rb

@@ -1,3 +1,4 @@
+module Puppet::Pops
 # A Visitor performs delegation to a given receiver based on the configuration of the Visitor.
 # A new visitor is created with a given receiver, a method prefix, min, and max argument counts.
 # e.g.
@@ -9,7 +10,7 @@
 # Raises RuntimeError if there are too few or too many arguments, or if the receiver is not
 # configured to handle a given visiting object.
 #
-class Puppet::Pops::Visitor
+class Visitor
   attr_reader :receiver, :message, :min_args, :max_args, :cache
   def initialize(receiver, message, min_args=0, max_args=nil)
     raise ArgumentError.new("min_args must be >= 0") if min_args < 0
@@ -27,8 +28,7 @@ class Puppet::Pops::Visitor
     visit_this(@receiver, thing, args)
   end
 
-  DOUBLE_COLON = '::'
-  NO_ARGS = [].freeze
+  NO_ARGS = EMPTY_ARRAY
 
   # Visit an explicit receiver
   def visit_this(receiver, thing, args)
@@ -92,3 +92,4 @@ class Puppet::Pops::Visitor
   end
 
 end
+end

data/lib/puppet/pops.rb

@@ -10,11 +10,14 @@ module Puppet
   #
   # @api public
   module Pops
-    EMPTY_HASH = {}.freeze
+     EMPTY_HASH = {}.freeze
     EMPTY_ARRAY = [].freeze
     EMPTY_STRING = ''.freeze
 
-    require 'semantic'
+    DOUBLE_COLON = '::'.freeze
+    USCORE = '_'.freeze
+
+    require 'semantic_puppet'
 
     require 'puppet/pops/patterns'
     require 'puppet/pops/utils'
@@ -33,12 +36,6 @@ module Puppet
     require 'puppet/pops/label_provider'
     require 'puppet/pops/validation'
     require 'puppet/pops/issue_reporter'
-    require 'puppet/pops/lookup'
-    require 'puppet/pops/lookup/interpolation'
-    require 'puppet/pops/lookup/invocation'
-    require 'puppet/pops/lookup/sub_lookup'
-    require 'puppet/pops/lookup/explainer'
-
     require 'puppet/pops/model/model'
 
     require 'puppet/pops/time/timespan'
@@ -47,7 +44,7 @@ module Puppet
     # (the Types module initializes itself)
     require 'puppet/pops/types/types'
     require 'puppet/pops/types/string_converter'
-    require 'puppet/pops/lookup/context'
+    require 'puppet/pops/lookup'
 
     require 'puppet/pops/merge_strategy'
 

data/lib/puppet/provider/mcx/mcxcontent.rb

@@ -116,7 +116,8 @@ Puppet::Type.type(:mcx).provide :mcxcontent, :parent => Puppet::Provider do
       dscl 'localhost', '-mcxdelete', ds_path
     end
 
-    tmp = Tempfile.new('puppet_mcx')
+    # val being passed in is resource[:content] which should be UTF-8
+    tmp = Tempfile.new('puppet_mcx', :encoding => Encoding::UTF_8)
     begin
       tmp << val
       tmp.flush

data/lib/puppet/provider/nameservice.rb

@@ -288,5 +288,20 @@ class Puppet::Provider::NameService < Puppet::Provider
       raise Puppet::Error, "Could not set #{param} on #{@resource.class.name}[#{@resource.name}]: #{detail}", detail.backtrace
     end
   end
+
+  # From overriding Puppet::Property#insync? Ruby Etc::getpwnam < 2.1.0 always
+  # returns a struct with binary encoded string values, and >= 2.1.0 will return
+  # binary encoded strings for values incompatible with current locale charset,
+  # or Encoding.default_external if compatible. Compare a "should" value with
+  # encoding of "current" value, to avoid unnecessary property syncs and
+  # comparison of strings with different encodings. (PUP-6777)
+  #
+  # return basic string comparison after re-encoding (same as
+  # Puppet::Property#property_matches)
+  def comments_insync?(current, should)
+    # we're only doing comparison here so don't mutate the string
+    desired = should[0].to_s.dup
+    current == desired.force_encoding(current.encoding)
+  end
 end
 

data/lib/puppet/provider/package/appdmg.rb

@@ -44,7 +44,7 @@ Puppet::Type.type(:package).provide(:appdmg, :parent => Puppet::Provider::Packag
   def self.installapp(source, name, orig_source)
     appname = File.basename(source);
     ditto "--rsrc", source, "/Applications/#{appname}"
-    File.open("/var/db/.puppet_appdmg_installed_#{name}", "w") do |t|
+    Puppet::FileSystem.open("/var/db/.puppet_appdmg_installed_#{name}", nil, "w:UTF-8") do |t|
       t.print "name: '#{name}'\n"
       t.print "source: '#{orig_source}'\n"
     end

data/lib/puppet/provider/package/dnf.rb

@@ -28,7 +28,7 @@ Puppet::Type.type(:package).provide :dnf, :parent => :yum do
       end
   end
 
-  defaultfor :operatingsystem => :fedora, :operatingsystemmajrelease => ['22', '23', '24']
+  defaultfor :operatingsystem => :fedora, :operatingsystemmajrelease => ['22', '23', '24', '25']
 
   def self.update_command
     # In DNF, update is deprecated for upgrade

data/lib/puppet/provider/package/pkg.rb

@@ -23,7 +23,7 @@ Puppet::Type.type(:package).provide :pkg, :parent => Puppet::Provider::Package d
 
   confine :osfamily => :solaris
 
-  defaultfor :osfamily => :solaris, :kernelrelease => '5.11'
+  defaultfor :osfamily => :solaris, :kernelrelease => ['5.11', '5.12']
 
   def self.instances
     pkg(:list, '-Hv').split("\n").map{|l| new(parse_line(l))}

data/lib/puppet/provider/package/pkgdmg.rb

@@ -62,7 +62,7 @@ Puppet::Type.type(:package).provide :pkgdmg, :parent => Puppet::Provider::Packag
   def self.installpkg(source, name, orig_source)
     installer "-pkg", source, "-target", "/"
     # Non-zero exit status will throw an exception.
-    File.open("/var/db/.puppet_pkgdmg_installed_#{name}", "w") do |t|
+    Puppet::FileSystem.open("/var/db/.puppet_pkgdmg_installed_#{name}", nil, "w:UTF-8") do |t|
       t.print "name: '#{name}'\n"
       t.print "source: '#{orig_source}'\n"
     end

data/lib/puppet/provider/package/pkgng.rb

@@ -56,7 +56,7 @@ Puppet::Type.type(:package).provide :pkgng, :parent => Puppet::Provider::Package
 
       return packages
     rescue Puppet::ExecutionFailure
-      nil
+      return []
     end
   end
 

data/lib/puppet/provider/package/rpm.rb

@@ -101,7 +101,7 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
     #NOTE: Prior to a fix for issue 1243, this method potentially returned a cached value
     #IF YOU CALL THIS METHOD, IT WILL CALL RPM
     #Use get(:property) to check if cached values are available
-    cmd = ["-q",  @resource[:name], "#{self.class.nosignature}", "#{self.class.nodigest}", "--qf", self.class::NEVRA_FORMAT]
+    cmd = ["-q",  @resource[:name], "#{self.class.nosignature}", "#{self.class.nodigest}", "--qf", "'#{self.class::NEVRA_FORMAT}'"]
 
     begin
       output = rpm(*cmd)
@@ -131,7 +131,7 @@ Puppet::Type.type(:package).provide :rpm, :source => :rpm, :parent => Puppet::Pr
       @resource.fail "RPMs must specify a package source"
     end
 
-    cmd = [command(:rpm), "-q", "--qf", self.class::NEVRA_FORMAT, "-p", source]
+    cmd = [command(:rpm), "-q", "--qf", "'#{self.class::NEVRA_FORMAT}'", "-p", source]
     h = self.class.nevra_to_hash(execfail(cmd, Puppet::Error))
     h[:ensure]
   end

data/lib/puppet/provider/service/smf.rb

@@ -80,7 +80,7 @@ Puppet::Type.type(:service).provide :smf, :parent => :base do
     when :maintenance, :degraded
       [command(:adm), :clear, @resource[:name]]
     else
-      [command(:adm), :enable, "-s", @resource[:name]]
+      [command(:adm), :enable, "-rs", @resource[:name]]
     end
   end
 
@@ -135,8 +135,8 @@ Puppet::Type.type(:service).provide :smf, :parent => :base do
       states = service_states
       state = states[1] == "-" ? states[0] : states[1]
     rescue Puppet::ExecutionFailure
-      info "Could not get status on service #{self.name}"
-      return :stopped
+      debug "Could not get status on service #{self.name} #{$!}"
+      return :absent
     end
 
     case state

data/lib/puppet/provider/service/systemd.rb

@@ -22,6 +22,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   defaultfor :osfamily => :redhat, :operatingsystemmajrelease => "7"
   defaultfor :osfamily => :redhat, :operatingsystem => :fedora
   defaultfor :osfamily => :suse
+  defaultfor :osfamily => :coreos
   defaultfor :operatingsystem => :debian, :operatingsystemmajrelease => "8"
   defaultfor :operatingsystem => :ubuntu, :operatingsystemmajrelease => ["15.04","15.10","16.04","16.10"]
   defaultfor :operatingsystem => :cumuluslinux, :operatingsystemmajrelease => ["3"]
@@ -29,7 +30,7 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
   def self.instances
     i = []
     output = systemctl('list-unit-files', '--type', 'service', '--full', '--all',  '--no-pager')
-    output.scan(/^(\S+)\s+(disabled|enabled|masked)\s*$/i).each do |m|
+    output.scan(/^(\S+)\s+(disabled|enabled|masked|indirect)\s*$/i).each do |m|
       i << new(:name => m[0])
     end
     return i
@@ -82,6 +83,9 @@ Puppet::Type.type(:service).provide :systemd, :parent => :base do
     # We only return :mask if we're trying to mask the service. This prevents
     # flapping when simply trying to disable a masked service.
     return :mask if (@resource[:enable] == :mask) && (output == 'masked')
+
+    # The indirect state indicates that the unit is not enabled.
+    return :false if output == 'indirect'
     return :true if (code == 0)
     if (output.empty?) && (code > 0) && (Facter.value(:osfamily).downcase == 'debian')
       ret = debian_enabled?

data/lib/puppet/provider/user/directoryservice.rb

@@ -622,6 +622,7 @@ Puppet::Type.type(:user).provide :directoryservice do
 
   # This is a simple wrapper method for writing values to a file.
   def write_to_file(filename, value)
+    Puppet.deprecation_warning("Puppet::Type.type(:user).provider(:directoryservice).write_to_file is deprecated and will be removed in Puppet 5.")
     begin
       File.open(filename, 'w') { |f| f.write(value)}
     rescue Errno::EACCES => detail

data/lib/puppet/provider/user/user_role_add.rb

@@ -12,6 +12,7 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
   options :home, :flag => "-d", :method => :dir
   options :comment, :method => :gecos
   options :groups, :flag => "-G"
+  options :shell, :flag => "-s"
   options :roles, :flag => "-R"
   options :auths, :flag => "-A"
   options :profiles, :flag => "-P"
@@ -26,8 +27,22 @@ Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd, :source =>
     value !~ /\s/
   end
 
+  def shell=(value)
+    check_valid_shell
+    set("shell", value)
+  end
+
   has_features :manages_homedir, :allows_duplicates, :manages_solaris_rbac, :manages_passwords, :manages_password_age, :manages_shell
 
+  def check_valid_shell
+    unless File.exists?(@resource.should(:shell))
+      raise(Puppet::Error, "Shell #{@resource.should(:shell)} must exist")
+    end
+    unless File.executable?(@resource.should(:shell).to_s)
+      raise(Puppet::Error, "Shell #{@resource.should(:shell)} must be executable")
+    end
+  end
+
   #must override this to hand the keyvalue pairs
   def add_properties
     cmd = []

data/lib/puppet/provider/yumrepo/inifile.rb

@@ -4,7 +4,7 @@ Puppet::Type.type(:yumrepo).provide(:inifile) do
   desc <<-EOD
     Manage yum repo configurations by parsing yum INI configuration files.
 
-    ## Fetching instances
+    ### Fetching instances
 
     When fetching repo instances, directory entries in '/etc/yum/repos.d',
     '/etc/yum.repos.d', and the directory optionally specified by the reposdir
@@ -12,7 +12,7 @@ Puppet::Type.type(:yumrepo).provide(:inifile) do
     will be ignored. In addition, all sections in '/etc/yum.conf' aside from
     'main' will be created as sections.
 
-    ## Storing instances
+    ### Storing instances
 
     When creating a new repository, a new section will be added in the first
     yum repo directory that exists. The custom directory specified by the

data/lib/puppet/provider/zone/solaris.rb

@@ -263,7 +263,10 @@ Puppet::Type.type(:zone).provide(:solaris) do
 
       unless Puppet::FileSystem.exist?(sysidcfg)
         begin
-          File.open(sysidcfg, "w", 0600) do |f|
+          # For compatibility reasons use System encoding for this OS file
+          # the manifest string is UTF-8 so this could result in conversion errors
+          # which should propagate to users
+          Puppet::FileSystem.open(sysidcfg, 0600, "w:#{Encoding.default_external.name}") do |f|
             f.puts cfg
           end
         rescue => detail

data/lib/puppet/reference/indirection.rb

@@ -41,7 +41,7 @@ An indirector has five methods, which are mapped into HTTP verbs for the REST in
 * `find(key)` - get a single value (mapped to GET or POST with a singular endpoint)
 * `search(key)` - get a list of matching values (mapped to GET with a plural endpoint)
 * `head(key)` - return true if the key exists (mapped to HEAD)
-* `destroy(key)` - remove the key van value (mapped to DELETE)
+* `destroy(key)` - remove the key and value (mapped to DELETE)
 * `save(instance)` - write the instance to the store, using the instance's name as the key (mapped to PUT)
 
 These methods are available via the `indirection` class method on the indirected classes.  For example:

data/lib/puppet/resource/catalog.rb

@@ -426,8 +426,10 @@ class Puppet::Resource::Catalog < Puppet::Graph::SimpleGraph
     if resources = data['resources']
       # TODO: The deserializer needs a loader in order to deserialize types defined using the puppet language.
       json_deserializer = nil
-      if Puppet[:rich_data] || result.environment_instance && result.environment_instance.rich_data?
-        json_deserializer = Puppet::Pops::Serialization::Deserializer.new(Puppet::Pops::Serialization::JSON::Reader.new([]), nil)
+      if resources.any? { |res| res.has_key?('ext_parameters') }
+        json_deserializer = Puppet::Pops::Serialization::Deserializer.new(
+            Puppet::Pops::Serialization::JSON::Reader.new([]),
+            Puppet::Pops::Loaders.catalog_loader)
       end
       result.add_resource(*resources.collect do |res|
         Puppet::Resource.from_data_hash(res, json_deserializer)
@@ -536,7 +538,10 @@ class Puppet::Resource::Catalog < Puppet::Graph::SimpleGraph
 
   # Store the classes in the classfile.
   def write_class_file
-    ::File.open(Puppet[:classfile], "w") do |f|
+    # classfile paths may contain UTF-8
+    # https://docs.puppet.com/puppet/latest/reference/configuration.html#classfile
+    classfile = Puppet.settings.setting(:classfile)
+    Puppet::FileSystem.open(classfile.value, classfile.mode.to_i(8), "w:UTF-8") do |f|
       f.puts classes.join("\n")
     end
   rescue => detail
@@ -545,7 +550,10 @@ class Puppet::Resource::Catalog < Puppet::Graph::SimpleGraph
 
   # Store the list of resources we manage
   def write_resource_file
-    ::File.open(Puppet[:resourcefile], "w") do |f|
+    # resourcefile contains resources that may be UTF-8 names
+    # https://docs.puppet.com/puppet/latest/reference/configuration.html#resourcefile
+    resourcefile = Puppet.settings.setting(:resourcefile)
+    Puppet::FileSystem.open(resourcefile.value, resourcefile.mode.to_i(8), "w:UTF-8") do |f|
       to_print = resources.map do |resource|
         next unless resource.managed?
         if resource.name_var

data/lib/puppet/resource/type.rb

@@ -545,11 +545,11 @@ class Puppet::Resource::Type
   def create_params_struct
     arg_types = argument_types
     type_factory = Puppet::Pops::Types::TypeFactory
-    members = { type_factory.optional(type_factory.string(nil, NAME)) =>  type_factory.any }
+    members = { type_factory.optional(type_factory.string(NAME)) =>  type_factory.any }
 
     if application?
       resource_type = type_factory.type_type(type_factory.resource)
-      members[type_factory.optional(type_factory.string(nil, NODES))] = type_factory.hash_of(type_factory.variant(
+      members[type_factory.optional(type_factory.string(NODES))] = type_factory.hash_of(type_factory.variant(
           resource_type, type_factory.array_of(resource_type)), type_factory.type_type(type_factory.resource('node')))
     end
 
@@ -559,7 +559,7 @@ class Puppet::Resource::Type
     end
 
     arguments.each_pair do |name, default|
-      key_type = type_factory.string(nil, name.to_s)
+      key_type = type_factory.string(name.to_s)
       key_type = type_factory.optional(key_type) unless default.nil?
 
       arg_type = arg_types[name]

data/lib/puppet/resource.rb

@@ -1,7 +1,6 @@
 require 'puppet'
 require 'puppet/util/tagging'
 require 'puppet/parameter'
-require 'puppet/data_providers'
 
 # The simplest resource class.  Eventually it will function as the
 # base class for all resource-like behaviour.
@@ -45,7 +44,7 @@ class Puppet::Resource
       raise Puppet::Error, 'Unable to deserialize non-Data type parameters unless a deserializer is provided' unless json_deserializer
       reader = json_deserializer.reader
       ext_params.each do |param, value|
-        reader.re_initialize([value])
+        reader.re_initialize(value)
         resource[param] = json_deserializer.read
       end
     end
@@ -104,7 +103,7 @@ class Puppet::Resource
         writer.clear_io
         json_serializer.write(ext_params[key])
         writer.finish
-        ext_params[key] = writer.to_a[0]
+        ext_params[key] = writer.to_a
       end
       data['ext_parameters'] = ext_params
     end

data/lib/puppet/settings/config_file.rb

@@ -25,7 +25,8 @@ class Puppet::Settings::ConfigFile
       allowed_section_names << 'main' unless allowed_section_names.include?('main')
     end
 
-    ini = Puppet::Settings::IniFile.parse(StringIO.new(text))
+    # in Ruby 1.9.3 strings are not UTF-8 by default, so ensure text is treated properly
+    ini = Puppet::Settings::IniFile.parse(StringIO.new(text).set_encoding(Encoding::UTF_8))
     unique_sections_in(ini, file, allowed_section_names).each do |section_name|
       section = Section.new(section_name.to_sym)
       result.with_section(section)

data/lib/puppet/settings/directory_setting.rb

@@ -4,6 +4,12 @@ class Puppet::Settings::DirectorySetting < Puppet::Settings::FileSetting
   end
 
   # @api private
+  #
+  # @param option [String] Extra file operation mode information to use
+  #   (defaults to read-only mode 'r')
+  #   This is the standard mechanism Ruby uses in the IO class, and therefore
+  #   encoding may be explicitly like fmode : encoding or fmode : "BOM|UTF-*"
+  #   for example, a:ASCII or w+:UTF-8
   def open_file(filename, option = 'r', &block)
     controlled_access do |mode|
       Puppet::FileSystem.open(filename, mode, option, &block)

data/lib/puppet/settings/environment_conf.rb

@@ -40,7 +40,7 @@ class Puppet::Settings::EnvironmentConf
   # without interpolation.  This is a special case for the default configured
   # environment returned by the Puppet::Environments::StaticPrivate loader.
   def self.static_for(environment, environment_timeout = 0, static_catalogs = false, rich_data = false)
-    Static.new(environment, environment_timeout, static_catalogs, 'none', rich_data)
+    Static.new(environment, environment_timeout, static_catalogs, nil, rich_data)
   end
 
   attr_reader :section, :path_to_env, :global_modulepath
@@ -176,7 +176,7 @@ class Puppet::Settings::EnvironmentConf
     attr_reader :rich_data
     attr_reader :static_catalogs
 
-    def initialize(environment, environment_timeout, static_catalogs, environment_data_provider = 'none', rich_data = false)
+    def initialize(environment, environment_timeout, static_catalogs, environment_data_provider = nil, rich_data = false)
       @environment = environment
       @environment_timeout = environment_timeout
       @static_catalogs = static_catalogs
@@ -184,6 +184,10 @@ class Puppet::Settings::EnvironmentConf
       @rich_data = rich_data
     end
 
+    def path_to_env
+      nil
+    end
+
     def manifest
       @environment.manifest
     end

data/lib/puppet/settings/file_or_directory_setting.rb

@@ -22,6 +22,12 @@ class Puppet::Settings::FileOrDirectorySetting < Puppet::Settings::FileSetting
   end
 
   # @api private
+  #
+  # @param option [String] Extra file operation mode information to use
+  #   (defaults to read-only mode 'r')
+  #   This is the standard mechanism Ruby uses in the IO class, and therefore
+  #   encoding may be explicitly like fmode : encoding or fmode : "BOM|UTF-*"
+  #   for example, a:ASCII or w+:UTF-8
   def open_file(filename, option = 'r', &block)
     if type == :file
       super

data/lib/puppet/settings/file_setting.rb

@@ -185,6 +185,11 @@ class Puppet::Settings::FileSetting < Puppet::Settings::StringSetting
   end
 
   # @api private
+  # @param option [String] Extra file operation mode information to use
+  #   (defaults to read-only mode 'r')
+  #   This is the standard mechanism Ruby uses in the IO class, and therefore
+  #   encoding may be explicitly like fmode : encoding or fmode : "BOM|UTF-*"
+  #   for example, a:ASCII or w+:UTF-8
   def exclusive_open(option = 'r', &block)
     controlled_access do |mode|
       Puppet::FileSystem.exclusive_open(file(), mode, option, &block)
@@ -192,6 +197,11 @@ class Puppet::Settings::FileSetting < Puppet::Settings::StringSetting
   end
 
   # @api private
+  # @param option [String] Extra file operation mode information to use
+  #   (defaults to read-only mode 'r')
+  #   This is the standard mechanism Ruby uses in the IO class, and therefore
+  #   encoding may be explicitly like fmode : encoding or fmode : "BOM|UTF-*"
+  #   for example, a:ASCII or w+:UTF-8
   def open(option = 'r', &block)
     controlled_access do |mode|
       Puppet::FileSystem.open(file, mode, option, &block)

data/lib/puppet/settings.rb

@@ -636,7 +636,7 @@ class Puppet::Settings
     # because multiple sections could set the same value
     # and I'm too lazy to only set the metadata once.
     if @configuration_file
-      searchpath(nil, preferred_run_mode).reverse.each do |source|
+      searchpath(nil, preferred_run_mode).reverse_each do |source|
         if source.type == :section && section = @configuration_file.sections[source.name]
           apply_metadata_from_section(section)
         end

data/lib/puppet/ssl/certificate_authority.rb

@@ -189,7 +189,7 @@ class Puppet::SSL::CertificateAuthority
   #
   # @return [Array<String>]
   def list(name='*')
-    list_certificates(name).collect { |c| c.name }
+    Puppet::SSL::Certificate.indirection.search(name).collect { |c| c.name }
   end
 
   # Return all the certificate objects as found by the indirector
@@ -205,7 +205,10 @@ class Puppet::SSL::CertificateAuthority
   # @param name [Array<string>] filter to cerificate names
   #
   # @return [Array<Puppet::SSL::Certificate>]
+  #
+  # @deprecated Use Puppet::SSL::CertificateAuthority#list or Puppet Server Certificate status API
   def list_certificates(name='*')
+    Puppet.deprecation_warning("Puppet::SSL::CertificateAuthority#list_certificates is deprecated. Please use Puppet::SSL::CertificateAuthority#list or the certificate status API to query certificate information. See https://docs.puppet.com/puppet/latest/http_api/http_certificate_status.html")
     Puppet::SSL::Certificate.indirection.search(name)
   end
 
@@ -417,6 +420,11 @@ class Puppet::SSL::CertificateAuthority
   #   of the X509 Store
   #
   # @return [OpenSSL::X509::Store]
+  #
+  # @deprecated Strictly speaking, #x509_store is marked API private, so we
+  #   don't need to publicly deprecate it. But it marked as deprecated here to
+  #   avoid the exceedingly small chance that someone comes in and uses it from
+  #   within this class before it is removed.
   def x509_store(options = {})
     if (options[:cache])
       return @x509store unless @x509store.nil?
@@ -464,7 +472,10 @@ class Puppet::SSL::CertificateAuthority
   # @param cert [Puppet::SSL::Certificate] the certificate to check validity of
   #
   # @return [Boolean] true if signed, false if unsigned or revoked
+  #
+  # @deprecated use Puppet::SSL::CertificateAuthority#verify or Puppet Server certificate status API
   def certificate_is_alive?(cert)
+    Puppet.deprecation_warning("Puppet::SSL::CertificateAuthority#certificate_is_alive? is deprecated. Please use Puppet::SSL::CertificateAuthority#verify or the certificate status API to query certificate information. See https://docs.puppet.com/puppet/latest/http_api/http_certificate_status.html")
     x509_store(:cache => true).verify(cert.content)
   end
 
@@ -483,7 +494,7 @@ class Puppet::SSL::CertificateAuthority
     unless cert = Puppet::SSL::Certificate.indirection.find(name)
       raise ArgumentError, "Could not find a certificate for #{name}"
     end
-    store = x509_store
+    store = create_x509_store
 
     raise CertificateVerificationError.new(store.error), store.error_string unless store.verify(cert.content)
   end

data/lib/puppet/ssl/host.rb

@@ -227,7 +227,29 @@ ERROR_STRING
   # Generate all necessary parts of our ssl host.
   def generate
     generate_key unless key
-    generate_certificate_request unless certificate_request
+    # ask indirector to find any existing requests and download them
+    existing_request = certificate_request
+
+    # if CSR downloaded from master, but the local keypair was just generated and
+    # does not match the public key in the CSR, fail hard
+    if !existing_request.nil? &&
+      (key.content.public_key.to_s != existing_request.content.public_key.to_s)
+
+      raise Puppet::Error, <<ERROR_STRING
+The CSR retrieved from the master does not match the agent's public key.
+CSR fingerprint: #{existing_request.fingerprint}
+CSR public key: #{existing_request.content.public_key.to_text}
+Agent public key: #{key.content.public_key.to_text}
+To fix this, remove the CSR from both the master and the agent and then start a puppet run, which will automatically regenerate a CSR.
+On the master:
+  puppet cert clean #{Puppet[:certname]}
+On the agent:
+  1a. On most platforms: find #{Puppet[:ssldir]} -name #{Puppet[:certname]}.pem -delete
+  1b. On Windows: del "#{Puppet[:certdir].gsub('/', '\\')}\\#{Puppet[:certname]}.pem" /f
+  2. puppet agent -t
+ERROR_STRING
+    end
+    generate_certificate_request unless existing_request
 
     # If we can get a CA instance, then we're a valid CA, and we
     # should use it to sign our request; else, just try to read

data/lib/puppet/transaction/additional_resource_generator.rb

@@ -79,6 +79,13 @@ class Puppet::Transaction::AdditionalResourceGenerator
 
   def contain_generated_resources_in(resource, made)
     sentinel = Puppet::Type.type(:whit).new(:name => "completed_#{resource.title}", :catalog => resource.catalog)
+    # Tag the completed whit with all of the tags of the generating resource
+    # except the type name to allow event propogation to succeed beyond the whit
+    # "boundary" when filtering resources with tags. We include auto-generated
+    # tags such as the type name to support implicit filtering as well as
+    # explicit. Note that resource#tags returns a duplicate of the resource's
+    # tags.
+    sentinel.tag(*resource.tags)
     priority = @prioritizer.generate_priority_contained_in(resource, sentinel)
     @relationship_graph.add_vertex(sentinel, priority)