puppet 6.10.1 → 6.11.0

data/lib/puppet/application/script.rb

@@ -210,8 +210,8 @@ Copyright (c) 2017 Puppet Inc., LLC Licensed under the Apache 2.0 License
 
           compiler.compile()
 
-        rescue Puppet::ParseErrorWithIssue, Puppet::Error
-          # already logged and handled by the compiler for these two cases
+        rescue Puppet::Error
+          # already logged and handled by the compiler, including Puppet::ParseErrorWithIssue
           exit(1)
         end
 

data/lib/puppet/application/ssl.rb

@@ -90,6 +90,7 @@ HELP
     @cert_provider = Puppet::X509::CertProvider.new
     @ssl_provider = Puppet::SSL::SSLProvider.new
     @machine = Puppet::SSL::StateMachine.new
+    @session = Puppet.runtime['http'].create_session
   end
 
   def setup_logs
@@ -160,14 +161,13 @@ HELP
     end
 
     csr = @cert_provider.create_request(Puppet[:certname], key)
-    Puppet::Rest::Routes.put_certificate_request(csr.to_pem, Puppet[:certname], ssl_context)
+    route = create_route(ssl_context)
+    route.put_certificate_request(Puppet[:certname], csr, ssl_context: ssl_context)
     @cert_provider.save_request(Puppet[:certname], csr)
-    Puppet.notice _("Submitted certificate request for '%{name}' to https://%{server}:%{port}") % {
-      name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port]
-    }
-  rescue Puppet::Rest::ResponseError => e
-    if e.response.code.to_i == 400
-      raise Puppet::Error.new(_("Could not submit certificate request for '%{name}' to https://%{server}:%{port} due to a conflict on the server") % { name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port] })
+    Puppet.notice _("Submitted certificate request for '%{name}' to %{url}") % { name: Puppet[:certname], url: route.url }
+  rescue Puppet::HTTP::ResponseError => e
+    if e.response.code == 400
+      raise Puppet::Error.new(_("Could not submit certificate request for '%{name}' to %{url} due to a conflict on the server") % { name: Puppet[:certname], url: route.url })
     else
       raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
     end
@@ -178,27 +178,23 @@ HELP
   def download_cert(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
 
-    Puppet.info _("Downloading certificate '%{name}' from https://%{server}:%{port}") % {
-      name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port]
-    }
-
     # try to download cert
-    x509 = Puppet::Rest::Routes.get_certificate(Puppet[:certname], ssl_context)
+    route = create_route(ssl_context)
+    Puppet.info _("Downloading certificate '%{name}' from %{url}") % { name: Puppet[:certname], url: route.url }
+
+    x509 = route.get_certificate(Puppet[:certname], ssl_context: ssl_context)
     cert = OpenSSL::X509::Certificate.new(x509)
     Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % { name: Puppet[:certname], fingerprint: fingerprint(cert) }
+
     # verify client cert before saving
     @ssl_provider.create_context(
       cacerts: ssl_context.cacerts, crls: ssl_context.crls, private_key: key, client_cert: cert
     )
     @cert_provider.save_client_cert(Puppet[:certname], cert)
     @cert_provider.delete_request(Puppet[:certname])
-
-    Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % {
-      name: Puppet[:certname], fingerprint: fingerprint(cert)
-    }
     cert
-  rescue Puppet::Rest::ResponseError => e
-    if e.response.code.to_i == 404
+  rescue Puppet::HTTP::ResponseError => e
+    if e.response.code == 404
       return nil
     else
       raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
@@ -229,8 +225,9 @@ HELP
 
       begin
         ssl_context = @machine.ensure_ca_certificates
-        cert = Puppet::Rest::Routes.get_certificate(certname, ssl_context)
-      rescue Puppet::Rest::ResponseError => e
+        route = create_route(ssl_context)
+        cert = route.get_certificate(certname, ssl_context: ssl_context)
+      rescue Puppet::HTTP::ResponseError => e
         if e.response.code.to_i != 404
           raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: certname }, e)
         end
@@ -255,7 +252,10 @@ END
       'certificate' => Puppet[:hostcert],
       'private key password file' => Puppet[:passfile]
     }
-    paths.merge!('local CA certificate' => Puppet[:localcacert], 'local CRL' => Puppet[:hostcrl]) if options[:localca]
+    if options[:localca]
+      paths['local CA certificate'] = Puppet[:localcacert]
+      paths['local CRL'] = Puppet[:hostcrl]
+    end
     paths.each_pair do |label, path|
       if Puppet::FileSystem.exist?(path)
         Puppet::FileSystem.unlink(path)
@@ -269,4 +269,8 @@ END
   def fingerprint(cert)
     Puppet::SSL::Digest.new(nil, cert.to_der)
   end
+
+  def create_route(ssl_context)
+    @session.route_to(:ca, ssl_context: ssl_context)
+  end
 end

data/lib/puppet/configurer.rb

@@ -387,6 +387,14 @@ class Puppet::Configurer
       execute_postrun_command or return nil
     end
   ensure
+    if Puppet[:resubmit_facts]
+      # TODO: Should mark the report as "failed" if an error occurs and
+      #       resubmit_facts returns false. There is currently no API for this.
+      resubmit_facts_time = thinmark { resubmit_facts }
+
+      report.add_times(:resubmit_facts, resubmit_facts_time)
+    end
+
     report.cached_catalog_status ||= @cached_catalog_status
     report.add_times(:total, Time.now - start)
     report.finalize_report
@@ -434,6 +442,40 @@ class Puppet::Configurer
     Puppet.log_exception(detail, _("Could not save last run local report: %{detail}") % { detail: detail })
   end
 
+  # Submit updated facts to the Puppet Server
+  #
+  # This method will clear all current fact values, load a fresh set of
+  # fact data, and then submit it to the Puppet Server.
+  #
+  # @return [true] If fact submission succeeds.
+  # @return [false] If an exception is raised during fact generation or
+  #   submission.
+  def resubmit_facts
+    ::Facter.clear
+    facts = find_facts
+
+    saved_fact_terminus = Puppet::Node::Facts.indirection.terminus_class
+    begin
+      Puppet::Node::Facts.indirection.terminus_class = :rest
+
+      server = Puppet::Node::Facts::Rest.server
+      Puppet.info(_("Uploading facts for %{node} to %{server}") % {
+                    node: facts.name,
+                    server: server})
+
+      Puppet::Node::Facts.indirection.save(facts, nil, :environment => Puppet::Node::Environment.remote(@environment))
+
+      return true
+    ensure
+      Puppet::Node::Facts.indirection.terminus_class = saved_fact_terminus
+    end
+  rescue => detail
+    Puppet.log_exception(detail, _("Failed to submit facts: %{detail}") %
+                                 { detail: detail })
+
+    return false
+  end
+
   private
 
   def execute_from_setting(setting)

data/lib/puppet/configurer/downloader.rb

@@ -55,12 +55,8 @@ class Puppet::Configurer::Downloader
       :noop => false
     }
     if !Puppet::Util::Platform.windows?
-      defargs.merge!(
-        {
-          :owner => Process.uid,
-          :group => Process.gid
-        }
-      )
+      defargs[:owner] = Process.uid
+      defargs[:group] = Process.gid
     end
     return defargs
   end

data/lib/puppet/context/trusted_information.rb

@@ -1,3 +1,5 @@
+require 'puppet/trusted_external'
+
 # @api private
 class Puppet::Context::TrustedInformation
   # one of 'remote', 'local', or false, where 'remote' is authenticated via cert,
@@ -27,7 +29,12 @@ class Puppet::Context::TrustedInformation
   # @return [String]
   attr_reader :hostname
 
-  def initialize(authenticated, certname, extensions)
+  # Additional external facts loaded through `trusted_external_command`.
+  #
+  # @return [Hash]
+  attr_reader :external
+
+  def initialize(authenticated, certname, extensions, external = {})
     @authenticated = authenticated.freeze
     @certname = certname.freeze
     @extensions = extensions.freeze
@@ -39,9 +46,12 @@ class Puppet::Context::TrustedInformation
     end
     @hostname = hostname.freeze
     @domain = domain.freeze
+    @external = external.freeze
   end
 
   def self.remote(authenticated, node_name, certificate)
+    external = retrieve_trusted_external(node_name)
+
     if authenticated
       extensions = {}
       if certificate.nil?
@@ -51,9 +61,9 @@ class Puppet::Context::TrustedInformation
           [ext['oid'].freeze, ext['value'].freeze]
         end]
       end
-      new('remote', node_name, extensions)
+      new('remote', node_name, extensions, external)
     else
-      new(false, nil, {})
+      new(false, nil, {}, external)
     end
   end
 
@@ -61,8 +71,35 @@ class Puppet::Context::TrustedInformation
     # Always trust local data by picking up the available parameters.
     client_cert = node ? node.parameters['clientcert'] : nil
 
-    new('local', client_cert, {})
+    new('local', client_cert, {}, retrieve_trusted_external(client_cert))
+  end
+
+  def self.retrieve_trusted_external(certname)
+    deep_freeze(Puppet::TrustedExternal.retrieve(certname) || {})
+  end
+  private_class_method :retrieve_trusted_external
+
+  # Deeply freezes the given object. The object and its content must be of the types:
+  # Array, Hash, Numeric, Boolean, Regexp, NilClass, or String. All other types raises an Error.
+  # (i.e. if they are assignable to Puppet::Pops::Types::Data type).
+  def self.deep_freeze(object)
+    case object
+    when Array
+      object.each {|v| deep_freeze(v) }
+      object.freeze
+    when Hash
+      object.each {|k, v| deep_freeze(k); deep_freeze(v) }
+      object.freeze
+    when NilClass, Numeric, TrueClass, FalseClass
+      # do nothing
+    when String
+      object.freeze
+    else
+      raise Puppet::Error, _("Unsupported data type: '%{klass}'") % { klass: object.class }
+    end
+    object
   end
+  private_class_method :deep_freeze
 
   def to_h
     {
@@ -71,6 +108,7 @@ class Puppet::Context::TrustedInformation
       'extensions'.freeze => extensions,
       'hostname'.freeze => hostname,
       'domain'.freeze => domain,
+      'external'.freeze => external,
     }.freeze
   end
 end

data/lib/puppet/defaults.rb

@@ -306,7 +306,6 @@ module Puppet
         :default  => ! Puppet::Util::Platform.windows?,
         :type     => :boolean,
         :desc     => "Whether Puppet should manage the owner, group, and mode of files it uses internally.
-        
           **Note**: For Windows agents, the default is `false` for versions 4.10.13 and greater, versions 5.5.6 and greater, and versions 6.0 and greater.",
     },
     :onetime => {
@@ -536,6 +535,16 @@ module Puppet
       :default => 'facter',
       :desc => "The node facts terminus.",
     },
+    :trusted_external_command => {
+      :default  => nil,
+      :desc     => "The external trusted facts script to use.
+        This setting's value can be set to the path to an executable command that
+        can produce external trusted facts. The command must:
+
+        * Take the name of a node as a command-line argument.
+        * Return a JSON hash with the external trusted facts for this node.
+        * For unknown or invalid nodes, exit with a non-zero exit code.",
+    },
     :default_file_terminus => {
       :type       => :terminus,
       :default    => "rest",
@@ -546,9 +555,10 @@ module Puppet
     },
     :http_proxy_host => {
       :default    => "none",
-      :desc       => "The HTTP proxy host to use for outgoing connections.  Note: You
+      :desc       => "The HTTP proxy host to use for outgoing connections. The proxy will be bypassed if
+      the server's hostname matches the NO_PROXY environment variable or `no_proxy` setting. Note: You
       may need to use a FQDN for the server hostname when using a proxy. Environment variable
-      http_proxy or HTTP_PROXY will override this value",
+      http_proxy or HTTP_PROXY will override this value. ",
     },
     :http_proxy_port => {
       :default    => 3128,
@@ -574,7 +584,7 @@ module Puppet
     },
     :no_proxy => {
       :default    => "localhost, 127.0.0.1",
-      :desc       => "List of domain names that should not go through `http_proxy_host`. Environment variable no_proxy or NO_PROXY will override this value.",
+      :desc       => "List of host or domain names that should not go through `http_proxy_host`. Environment variable no_proxy or NO_PROXY will override this value. Names can be specified as an FQDN `host.example.com`, wildcard `*.example.com`, dotted domain `.example.com`, or suffix `example.com`.",
     },
     :http_keepalive_timeout => {
       :default    => "4s",
@@ -1706,6 +1716,11 @@ EOT
       :type     => :boolean,
       :desc     => "Whether to send reports after every transaction.",
     },
+    :resubmit_facts => {
+      :default  => false,
+      :type     => :boolean,
+      :desc     => "Whether to send updated facts after every transaction.",
+    },
     :lastrunfile =>  {
       :default  => "$statedir/last_run_summary.yaml",
       :type     => :file,

data/lib/puppet/face/module/list.rb

@@ -123,10 +123,10 @@ Puppet::Face.define(:module, '1.0.0') do
       unmet_grouped.each do |type, deps|
         unless deps.empty?
           unmet_grouped[type].sort_by { |dep| dep[:name] }.each do |dep|
-            dep_name           = dep[:name].gsub('/', '-')
+            dep_name           = dep[:name].tr('/', '-')
             installed_version  = dep[:mod_details][:installed_version]
             version_constraint = dep[:version_constraint]
-            parent_name        = dep[:parent][:name].gsub('/', '-')
+            parent_name        = dep[:parent][:name].tr('/', '-')
             parent_version     = dep[:parent][:version]
 
             msg = _("'%{parent_name}' (%{parent_version}) requires '%{dependency_name}' (%{dependency_version})") % { parent_name: parent_name, parent_version: parent_version, dependency_name: dep_name, dependency_version: version_constraint }
@@ -146,7 +146,7 @@ Puppet::Face.define(:module, '1.0.0') do
     error_display_order.each do |type|
       unless @unmet_deps[type].empty?
         @unmet_deps[type].keys.sort.each do |dep|
-          name    = dep.gsub('/', '-')
+          name    = dep.tr('/', '-')
           errors  = @unmet_deps[type][dep][:errors]
           version = @unmet_deps[type][dep][:version]
 
@@ -214,7 +214,7 @@ Puppet::Face.define(:module, '1.0.0') do
           dep[:reason] == :missing
         end
         missing_deps.map do |mis_mod|
-          str = "#{colorize(:bg_red, _('UNMET DEPENDENCY'))} #{mis_mod[:name].gsub('/', '-')} "
+          str = "#{colorize(:bg_red, _('UNMET DEPENDENCY'))} #{mis_mod[:name].tr('/', '-')} "
           str << "(#{colorize(:cyan, mis_mod[:version_constraint])})"
           node[:dependencies] << { :text => str }
         end
@@ -239,7 +239,7 @@ Puppet::Face.define(:module, '1.0.0') do
   #
   def list_build_node(mod, parent, params)
     str = ''
-    str << (mod.forge_name ? mod.forge_name.gsub('/', '-') : mod.name)
+    str << (mod.forge_name ? mod.forge_name.tr('/', '-') : mod.name)
     str << ' (' + colorize(:cyan, mod.version ? "v#{mod.version}" : '???') + ')'
 
     unless File.dirname(mod.path) == params[:path]

data/lib/puppet/face/module/search.rb

@@ -81,7 +81,7 @@ Puppet::Face.define(:module, '1.0.0') do
 
       highlight = proc do |s|
         s = s.gsub(term, colorize(:green, term))
-        s = s.gsub(term.gsub('/', '-'), colorize(:green, term.gsub('/', '-'))) if term =~ /\//
+        s = s.gsub(term.tr('/', '-'), colorize(:green, term.tr('/', '-'))) if term =~ /\//
         s = s.gsub(' DEPRECATED', colorize(:red, ' DEPRECATED'))
         s
       end

data/lib/puppet/face/module/uninstall.rb

@@ -57,7 +57,7 @@ Puppet::Face.define(:module, '1.0.0') do
     end
 
     when_invoked do |name, options|
-      name = name.gsub('/', '-')
+      name = name.tr('/', '-')
 
       Puppet::ModuleTool.set_option_defaults options
       message = if options[:version]

data/lib/puppet/face/module/upgrade.rb

@@ -63,7 +63,7 @@ Puppet::Face.define(:module, '1.0.0') do
     end
 
     when_invoked do |name, options|
-      name = name.gsub('/', '-')
+      name = name.tr('/', '-')
       Puppet.notice _("Preparing to upgrade '%{name}' ...") % { name: name }
       Puppet::ModuleTool.set_option_defaults options
       Puppet::ModuleTool::Applications::Upgrader.new(name, options).run

data/lib/puppet/file_serving/http_metadata.rb

@@ -42,7 +42,7 @@ class Puppet::FileServing::HttpMetadata < Puppet::FileServing::Metadata
     [ @checksum_type, :md5, :sha256, :sha384, :sha512, :sha224, :mtime ].each do |type|
       @checksum_type = type
       @checksum = @checksums[type]
-      return if @checksum
+      break if @checksum
     end
   end
 end

data/lib/puppet/file_system.rb

@@ -92,14 +92,6 @@ module Puppet::FileSystem
     @impl.path_string(@impl.basename(assert_path(path)))
   end
 
-  # @return [Integer] the size of the file
-  #
-  # @api public
-  #
-  def self.size(path)
-    @impl.size(assert_path(path))
-  end
-
   # Allows exclusive updates to a file to be made by excluding concurrent
   # access using flock. This means that if the file is on a filesystem that
   # does not support flock, this method will provide no protection.

data/lib/puppet/file_system/memory_file.rb

@@ -61,6 +61,6 @@ class Puppet::FileSystem::MemoryFile
   end
 
   def inspect
-    "<Puppet::FileSystem::MemoryFile:#{to_s}>"
+    "<Puppet::FileSystem::MemoryFile:#{self}>"
   end
 end

data/lib/puppet/file_system/posix.rb

@@ -14,11 +14,12 @@ class Puppet::FileSystem::Posix < Puppet::FileSystem::FileImpl
       bsize = stream_blksize(this, stream)
       sa = "".force_encoding('ASCII-8BIT')
       sb = "".force_encoding('ASCII-8BIT')
-      begin
+      loop do
         this.read(bsize, sa)
         stream.read(bsize, sb)
         return true if sa.empty? && sb.empty?
-      end while sa == sb
+        break if sa != sb
+      end
       false
     end
   end

data/lib/puppet/forge.rb

@@ -58,7 +58,7 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
     matches = []
     uri = "/v3/modules?query=#{term}"
     if Puppet[:module_groups]
-      uri += "&module_groups=#{Puppet[:module_groups].gsub('+', ' ')}"
+      uri += "&module_groups=#{Puppet[:module_groups].tr('+', ' ')}"
     end
 
     while uri
@@ -94,7 +94,7 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
     name = input.tr('/', '-')
     uri = "/v3/releases?module=#{name}&sort_by=version&exclude_fields=#{MODULE_RELEASE_EXCLUSIONS}"
     if Puppet[:module_groups]
-      uri += "&module_groups=#{Puppet[:module_groups].gsub('+', ' ')}"
+      uri += "&module_groups=#{Puppet[:module_groups].tr('+', ' ')}"
     end
     releases = []
 
@@ -254,6 +254,6 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
   def decode_uri(uri)
     return if uri.nil?
 
-    URI.decode(uri.gsub('+', ' '))
+    URI.decode(uri.tr('+', ' '))
   end
 end