puppet 6.15.0-universal-darwin → 6.19.1-universal-darwin

data/lib/puppet/ssl/ssl_context.rb

@@ -22,9 +22,9 @@ module Puppet::SSL
     # This is an idiom to initialize a Struct from keyword
     # arguments. Ruby 2.5 introduced `keyword_init: true` for
     # that purpose, but we need to support older versions.
-    def initialize(**kwargs)
+    def initialize(kwargs = {})
       super({})
-      DEFAULTS.merge(kwargs).each { |k,v| self[k] = v }
+      DEFAULTS.merge(**kwargs).each { |k,v| self[k] = v }
     end
   end
 end

data/lib/puppet/ssl/ssl_provider.rb

@@ -46,13 +46,32 @@ class Puppet::SSL::SSLProvider
   # perform revocation checking.
   #
   # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
+  # @param path [String, nil] A file containing additional trusted CA certs.
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise (see #create_context)
   # @api private
-  def create_system_context(cacerts:)
+  def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
     store = create_x509_store(cacerts, [], false)
     store.set_default_paths
 
+    if path
+      stat = Puppet::FileSystem.stat(path)
+      if stat
+        if stat.ftype == 'file'
+          # don't add empty files as ruby/openssl will raise
+          if stat.size > 0
+            begin
+              store.add_file(path)
+            rescue => e
+              Puppet.err(_("Failed to add '%{path}' as a trusted CA file: %{detail}" % { path: path, detail: e.message }, e))
+            end
+          end
+        else
+          Puppet.warning(_("The 'ssl_trust_store' setting does not refer to a file and will be ignored: '%{path}'" % { path: path }))
+        end
+      end
+    end
+
     Puppet::SSL::SSLContext.new(store: store, cacerts: cacerts, crls: [], revocation: false).freeze
   end
 

data/lib/puppet/ssl/state_machine.rb

@@ -279,8 +279,8 @@ class Puppet::SSL::StateMachine
         Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
 
         # close persistent connections and session state before sleeping
-        Puppet.runtime['http'].close
-        @machine.session = Puppet.runtime['http'].create_session
+        Puppet.runtime[:http].close
+        @machine.session = Puppet.runtime[:http].create_session
 
         @machine.unlock
         Kernel.sleep(time)
@@ -301,15 +301,31 @@ class Puppet::SSL::StateMachine
         # our ssl directory may have been cleaned while we were
         # sleeping, start over from the top
         NeedCACerts.new(@machine)
+      elsif @machine.waitforlock < 1
+        LockFailure.new(@machine, _("Another puppet instance is already running and the waitforlock setting is set to 0; exiting"))
+      elsif Time.now.to_i >= @machine.waitlock_deadline
+        LockFailure.new(@machine, _("Another puppet instance is already running and the maxwaitforlock timeout has been exceeded; exiting"))
       else
-        LockFailure.new(@machine, nil)
+        Puppet.info _("Another puppet instance is already running; waiting for it to finish")
+        Puppet.info _("Will try again in %{time} seconds.") % {time: @machine.waitforlock}
+        Kernel.sleep @machine.waitforlock
+
+        # try again
+        self
       end
     end
   end
 
   # We failed to acquire the lock, so exit
   #
-  class LockFailure < SSLState; end
+  class LockFailure < SSLState
+    attr_reader :message
+
+    def initialize(machine, message)
+      super(machine, nil)
+      @message = message
+    end
+  end
 
   # We cannot make progress due to an error.
   #
@@ -333,7 +349,7 @@ class Puppet::SSL::StateMachine
   #
   class Done < SSLState; end
 
-  attr_reader :waitforcert, :wait_deadline, :cert_provider, :ssl_provider, :ca_fingerprint, :digest
+  attr_reader :waitforcert, :wait_deadline, :waitforlock, :waitlock_deadline, :cert_provider, :ssl_provider, :ca_fingerprint, :digest
   attr_accessor :session
 
   # Construct a state machine to manage the SSL initialization process. By
@@ -346,7 +362,12 @@ class Puppet::SSL::StateMachine
   # then then state machine will exit instead of wait.
   #
   # @param waitforcert [Integer] how many seconds to wait between attempts
-  # @param maxwiatforcert [Integer] maximum amount of second
+  # @param maxwaitforcert [Integer] maximum amount of seconds to wait for the
+  #   server to sign the certificate request
+  # @param waitforlock [Integer] how many seconds to wait between attempts for
+  #   acquiring the ssl lock
+  # @param maxwaitforlock [Integer] maximum amount of seconds to wait for an
+  #   already running process to release the ssl lock
   # @param onetime [Boolean] whether to run onetime
   # @param lockfile [Puppet::Util::Pidlock] lockfile to protect against
   #   concurrent modification by multiple processes
@@ -359,6 +380,8 @@ class Puppet::SSL::StateMachine
   #   downloaded CA bundle
   def initialize(waitforcert: Puppet[:waitforcert],
                  maxwaitforcert: Puppet[:maxwaitforcert],
+                 waitforlock: Puppet[:waitforlock],
+                 maxwaitforlock: Puppet[:maxwaitforlock],
                  onetime: Puppet[:onetime],
                  cert_provider: Puppet::X509::CertProvider.new,
                  ssl_provider: Puppet::SSL::SSLProvider.new,
@@ -367,13 +390,15 @@ class Puppet::SSL::StateMachine
                  ca_fingerprint: Puppet[:ca_fingerprint])
     @waitforcert = waitforcert
     @wait_deadline = Time.now.to_i + maxwaitforcert
+    @waitforlock = waitforlock
+    @waitlock_deadline = Time.now.to_i + maxwaitforlock
     @onetime = onetime
     @cert_provider = cert_provider
     @ssl_provider = ssl_provider
     @lockfile = lockfile
     @digest = digest
     @ca_fingerprint = ca_fingerprint
-    @session = Puppet.runtime['http'].create_session
+    @session = Puppet.runtime[:http].create_session
   end
 
   # Run the state machine for CA certs and CRLs.
@@ -427,7 +452,7 @@ class Puppet::SSL::StateMachine
       when stop
         break
       when LockFailure
-        raise Puppet::Error, _('Another puppet instance is already running; exiting')
+        raise Puppet::Error, state.message
       when Error
         if @onetime
           Puppet.log_exception(state.error)

data/lib/puppet/ssl/validator/default_validator.rb

@@ -104,7 +104,7 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
         crl = store_context.current_crl
         if crl
           if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
-            Puppet.debug("Ignoring CRL not yet valid, current time #{Time.now.utc}, CRL last updated #{crl.last_update.utc}")
+            Puppet.debug { "Ignoring CRL not yet valid, current time #{Time.now.utc}, CRL last updated #{crl.last_update.utc}" }
             preverify_ok = true
           else
             @verify_errors << "#{error_string} for #{crl.issuer.to_utf8}"

data/lib/puppet/ssl/verifier_adapter.rb

@@ -6,10 +6,18 @@
 #   loaded above.
 #
 class Puppet::SSL::VerifierAdapter
-  attr_reader :validator
+  attr_reader :validator, :ssl_context
 
   def initialize(validator)
     @validator = validator
+
+    if validator.is_a?(Puppet::SSL::Validator::NoValidator)
+      ssl = Puppet::SSL::SSLProvider.new
+      @ssl_context = ssl.create_insecure_context
+    else
+      # nil means use the default SSLContext
+      @ssl_context = nil
+    end
   end
 
   # Return true if `self` is reusable with `verifier` meaning they

data/lib/puppet/test/test_helper.rb

@@ -68,7 +68,14 @@ module Puppet::Test
     #  any individual tests.
     # @return nil
     def self.before_all_tests()
-      # Make sure that all of the setup is also done for any before(:all) blocks
+      # The process environment is a shared, persistent resource.
+      # Can't use Puppet.features.microsoft_windows? as it may be mocked out in a test.  This can cause test recurring test failures
+      if (!!File::ALT_SEPARATOR)
+        mode = :windows
+      else
+        mode = :posix
+      end
+      $old_env = Puppet::Util.get_environment(mode)
     end
 
     # Call this method once, at the end of a test run, when no more tests
@@ -113,20 +120,14 @@ module Puppet::Test
       indirections = Puppet::Indirector::Indirection.send(:class_variable_get, :@@indirections)
       indirections.each do |indirector|
         $saved_indirection_state[indirector.name] = {
-            :@terminus_class => indirector.instance_variable_get(:@terminus_class).value,
-            :@cache_class    => indirector.instance_variable_get(:@cache_class).value
+          :@terminus_class => indirector.instance_variable_get(:@terminus_class).value,
+          :@cache_class    => indirector.instance_variable_get(:@cache_class).value,
+          # dup the termini hash so termini created and registered during
+          # the test aren't stored in our saved_indirection_state
+          :@termini        => indirector.instance_variable_get(:@termini).dup
         }
       end
 
-      # The process environment is a shared, persistent resource.
-      # Can't use Puppet.features.microsoft_windows? as it may be mocked out in a test.  This can cause test recurring test failures
-      if (!!File::ALT_SEPARATOR)
-        mode = :windows
-      else
-        mode = :posix
-      end
-      $old_env = Puppet::Util.get_environment(mode)
-
       # So is the load_path
       $old_load_path = $LOAD_PATH.dup
 
@@ -137,7 +138,7 @@ module Puppet::Test
           trusted_information:
             Puppet::Context::TrustedInformation.new('local', 'testing', {}, { "trusted_testhelper" => true }),
           ssl_context: Puppet::SSL::SSLContext.new(cacerts: []).freeze,
-          http_session: proc { Puppet.runtime["http"].create_session }
+          http_session: proc { Puppet.runtime[:http].create_session }
         },
         "Context for specs")
 
@@ -178,7 +179,11 @@ module Puppet::Test
       indirections = Puppet::Indirector::Indirection.send(:class_variable_get, :@@indirections)
       indirections.each do |indirector|
         $saved_indirection_state.fetch(indirector.name, {}).each do |variable, value|
-          indirector.instance_variable_get(variable).value = value
+          if variable == :@termini
+            indirector.instance_variable_set(variable, value)
+          else
+            indirector.instance_variable_get(variable).value = value
+          end
         end
       end
       $saved_indirection_state = nil

data/lib/puppet/transaction.rb

@@ -202,7 +202,7 @@ class Puppet::Transaction
     # mark the end of transaction evaluate.
     report.transaction_completed = true
 
-    Puppet.debug "Finishing transaction #{object_id}"
+    Puppet.debug { "Finishing transaction #{object_id}" }
   end
 
   # Wraps application run state check to flag need to interrupt processing
@@ -373,7 +373,7 @@ class Puppet::Transaction
     type_name = provider_class.resource_type.name
     return if @prefetched_providers[type_name][provider_class.name] ||
       @prefetch_failed_providers[type_name][provider_class.name]
-    Puppet.debug "Prefetching #{provider_class.name} resources for #{type_name}"
+    Puppet.debug { "Prefetching #{provider_class.name} resources for #{type_name}" }
     begin
       provider_class.prefetch(resources)
     rescue LoadError, Puppet::MissingCommand => detail

data/lib/puppet/transaction/persistence.rb

@@ -62,7 +62,7 @@ class Puppet::Transaction::Persistence
     result = nil
     Puppet::Util.benchmark(:debug, _("Loaded transaction store file in %{seconds} seconds")) do
       begin
-        result = Puppet::Util::Yaml.safe_load_file(filename, [Symbol])
+        result = Puppet::Util::Yaml.safe_load_file(filename, [Symbol, Time])
       rescue Puppet::Util::Yaml::YamlLoadError => detail
         Puppet.log_exception(detail, _("Transaction store file %{filename} is corrupt (%{detail}); replacing") % { filename: filename, detail: detail })
 

data/lib/puppet/transaction/report.rb

@@ -63,9 +63,11 @@ class Puppet::Transaction::Report
   # or 'on_failure'
   attr_accessor :cached_catalog_status
 
-  # Contains the name and port of the master that was successfully contacted
+  # Contains the name and port of the server that was successfully contacted
   # @return [String] a string of the format 'servername:port'
-  attr_accessor :master_used
+  attr_accessor :server_used
+  alias :master_used :server_used
+  alias :master_used= :server_used=
 
   # The host name for which the report is generated
   # @return [String] the host name
@@ -122,7 +124,7 @@ class Puppet::Transaction::Report
 
   # @!attribute [r] corrective_change
   #   @return [Boolean] true if the report contains any events and resources that had
-  #      corrective changes.
+  #      corrective changes, including noop corrective changes.
   attr_reader :corrective_change
 
   # @return [Boolean] true if one or more resources attempted to generate
@@ -224,7 +226,7 @@ class Puppet::Transaction::Report
     @external_times ||= {}
     @host = Puppet[:node_name_value]
     @time = start_time
-    @report_format = 10
+    @report_format = 11
     @puppet_version = Puppet.version
     @configuration_version = configuration_version
     @transaction_uuid = transaction_uuid
@@ -232,7 +234,7 @@ class Puppet::Transaction::Report
     @job_id = job_id
     @catalog_uuid = nil
     @cached_catalog_status = nil
-    @master_used = nil
+    @server_used = nil
     @environment = environment
     @status = 'failed' # assume failed until the report is finalized
     @noop = Puppet[:noop]
@@ -256,8 +258,10 @@ class Puppet::Transaction::Report
     @time = data['time']
     @corrective_change = data['corrective_change']
 
-    if data['master_used']
-      @master_used = data['master_used']
+    if data['server_used']
+      @server_used = data['server_used']
+    elsif data['master_used']
+      @server_used = data['master_used']
     end
 
     if data['catalog_uuid']
@@ -322,7 +326,7 @@ class Puppet::Transaction::Report
     }
 
     # The following is include only when set
-    hash['master_used'] = @master_used unless @master_used.nil?
+    hash['master_used'] = hash['server_used'] = @server_used unless @server_used.nil?
     hash['catalog_uuid'] = @catalog_uuid unless @catalog_uuid.nil?
     hash['code_id'] = @code_id unless @code_id.nil?
     hash['job_id'] = @job_id unless @job_id.nil?

data/lib/puppet/trusted_external.rb

@@ -3,11 +3,39 @@ module Puppet::TrustedExternal
   def retrieve(certname)
     command = Puppet[:trusted_external_command]
     return nil unless command
+    Puppet.debug { _("Retrieving trusted external data from %{command}") % {command: command} }
+    setting_type = Puppet.settings.setting(:trusted_external_command).type
+    if setting_type == :file
+      return fetch_data(command, certname)
+    end
+    # command is a directory. Thus, data is a hash of <basename> => <data> for
+    # each executable file in command. For example, if the files 'servicenow.rb',
+    # 'unicorn.sh' are in command, then data is the following hash:
+    #   { 'servicenow' => <servicenow.rb output>, 'unicorn' => <unicorn.sh output> }
+    data = {}
+    Puppet::FileSystem.children(command).each do |file|
+      abs_path = Puppet::FileSystem.expand_path(file)
+      executable_file = Puppet::FileSystem.file?(abs_path) && Puppet::FileSystem.executable?(abs_path)
+      unless executable_file
+        Puppet.debug { _("Skipping non-executable file %{file}")  % { file: abs_path } }
+        next
+      end
+      basename = file.basename(file.extname).to_s
+      unless data[basename].nil?
+        raise Puppet::Error, _("There is more than one '%{basename}' script in %{dir}") % { basename: basename, dir: command }
+      end
+      data[basename] = fetch_data(abs_path, certname)
+    end
+    data
+  end
+  module_function :retrieve
+
+  def fetch_data(command, certname)
     result = Puppet::Util::Execution.execute([command, certname], {
       :combine => false,
       :failonfail => true,
     })
     JSON.parse(result)
   end
-  module_function :retrieve
+  module_function :fetch_data
 end

data/lib/puppet/type.rb

@@ -116,8 +116,10 @@ class Type
 
   # Allow declaring that a type is actually a capability
   class << self
+    # @deprecated application orchestration will be removed in puppet 7
     attr_accessor :is_capability
 
+    # @deprecated application orchestration will be removed in puppet 7
     def is_capability?
       c = is_capability
       c.nil? ? false : c
@@ -129,6 +131,8 @@ class Type
   # represent application instances, this implementation always returns
   # +false+. Having this method though makes code checking whether a
   # resource is an application instance simpler
+  #
+  # @deprecated application orchestration will be removed in puppet 7
   def self.application?
       false
   end
@@ -749,7 +753,7 @@ class Type
   # @param options [Hash] options merged with a fixed set of options defined by this method, passed on to {Puppet::Transaction::Event}.
   # @return [Puppet::Transaction::Event] the created event
   def event(options = {})
-    Puppet::Transaction::Event.new({:resource => self, :file => file, :line => line, :tags => tags}.merge(options))
+    Puppet::Transaction::Event.new(**{:resource => self, :file => file, :line => line, :tags => tags}.merge(options))
   end
 
   # @return [Object, nil] Returns the 'should' (wanted state) value for a specified property, or nil if the
@@ -1205,15 +1209,17 @@ class Type
       provider.instances.collect do |instance|
         # We always want to use the "first" provider instance we find, unless the resource
         # is already managed and has a different provider set
-        other = provider_instances[instance.name]
+        title = instance.respond_to?(:title) ? instance.title : instance.name
+        other = provider_instances[title]
         if other
-          Puppet.debug "%s %s found in both %s and %s; skipping the %s version" %
-            [self.name.to_s.capitalize, instance.name, other.class.name, instance.class.name, instance.class.name]
+          Puppet.debug {
+            "%s %s found in both %s and %s; skipping the %s version" % [self.name.to_s.capitalize, title, other.class.name, instance.class.name, instance.class.name]
+          }
           next
         end
-        provider_instances[instance.name] = instance
+        provider_instances[title] = instance
 
-        result = new(:name => instance.name, :provider => instance)
+        result = new(:name => instance.name, :provider => instance, :title => title)
         properties.each { |name| result.newattr(name) }
         result
       end
@@ -1714,6 +1720,7 @@ class Type
     }
   end
 
+  # @deprecated application orchestration will be removed in puppet 7
   newmetaparam(:export, :parent => RelationshipMetaparam, :attributes => {:direction => :out, :events => :NONE}) do
           desc <<EOS
 Export a capability resource.
@@ -1739,6 +1746,7 @@ web { server:
 EOS
   end
 
+  # @deprecated application orchestration will be removed in puppet 7
   newmetaparam(:consume, :parent => RelationshipMetaparam, :attributes => {:direction => :in, :events => :NONE}) do
           desc <<EOS
 Consume a capability resource.
@@ -1888,7 +1896,7 @@ end
     name = name.intern
 
     if unprovide(name)
-      Puppet.debug "Reloading #{name} #{self.name} provider"
+      Puppet.debug { "Reloading #{name} #{self.name} provider" }
     end
 
     pname = options[:parent]

data/lib/puppet/type/file.rb

@@ -116,9 +116,9 @@ Puppet::Type.newtype(:file) do
         that sufficient disk space is available for the file backups. Generally, you 
         can implement this using one of the following two options:
         - Use a `find` command and `crontab` entry to retain only the last X days 
-        of file backups. For example,
+        of file backups. For example:
         
-        ```shell script
+        ```
         find /opt/puppetlabs/server/data/puppetserver/bucket -type f -mtime +45 -atime +45 -print0 | xargs -0 rm
         ```
         
@@ -401,8 +401,12 @@ Puppet::Type.newtype(:file) do
     end
   end
 
-  CREATORS = [:content, :source, :target]
-  SOURCE_ONLY_CHECKSUMS = [:none, :ctime, :mtime]
+  # mutually exclusive ways to create files
+  CREATORS = [:content, :source, :target].freeze
+
+  # This is both "checksum types that can't be used with the content property"
+  # and "checksum types that are not digest based"
+  SOURCE_ONLY_CHECKSUMS = [:none, :ctime, :mtime].freeze
 
   validate do
     creator_count = 0
@@ -428,7 +432,7 @@ Puppet::Type.newtype(:file) do
       @parameters[:content].value = @parameters[:checksum].sum(@parameters[:content].actual_content)
     end
 
-    if self[:checksum] && self[:checksum_value] && !send("#{self[:checksum]}?", self[:checksum_value])
+    if self[:checksum] && self[:checksum_value] && !valid_checksum?(self[:checksum], self[:checksum_value])
       self.fail _("Checksum value '%{value}' is not a valid checksum type %{checksum}") % { value: self[:checksum_value], checksum: self[:checksum] }
     end
 
@@ -930,7 +934,7 @@ Puppet::Type.newtype(:file) do
           # that out.
         end
 
-        fail_if_checksum_is_wrong(file.path, content_checksum) if validate_checksum?
+        fail_if_checksum_is_wrong(property, file.path, content_checksum)
       end
     else
       umask = mode ? 000 : 022
@@ -1040,17 +1044,38 @@ Puppet::Type.newtype(:file) do
     end
   end
 
-  # Should we validate the checksum of the file we're writing?
-  def validate_checksum?
-    self[:checksum] !~ /time/
-  end
-
   # Make sure the file we wrote out is what we think it is.
-  def fail_if_checksum_is_wrong(path, content_checksum)
-    newsum = parameter(:checksum).sum_file(path)
-    return if [:absent, nil, content_checksum].include?(newsum)
+  # @param [Puppet::Parameter] property the param or property that wrote the file, or nil
+  # @param [String] path to the file
+  # @param [String] the checksum for the local file
+  #
+  # @api private
+  #
+  def fail_if_checksum_is_wrong(property, path, content_checksum)
+    desired_checksum = desired_checksum(property, path)
 
-    self.fail _("File written to disk did not match checksum; discarding changes (%{content_checksum} vs %{newsum})") % { content_checksum: content_checksum, newsum: newsum }
+    if desired_checksum && content_checksum != desired_checksum
+      self.fail _("File written to disk did not match desired checksum; discarding changes (%{content_checksum} vs %{desired_checksum})") % { content_checksum: content_checksum, desired_checksum: desired_checksum }
+    end
+  end
+
+  # Return the desired checksum or nil
+  def desired_checksum(property, path)
+    return if SOURCE_ONLY_CHECKSUMS.include?(self[:checksum])
+
+    if self[:checksum] && self[:checksum_value]
+      "{#{self[:checksum]}}#{self[:checksum_value]}"
+    elsif property && property.name == :source
+      meta = property.metadata
+      return unless meta
+
+      # due to HttpMetadata the checksum type may fallback to mtime, so recheck
+      return if SOURCE_ONLY_CHECKSUMS.include?(meta.checksum_type)
+      meta.checksum
+    elsif property && property.name == :content
+      str = property.actual_content
+      str ? parameter(:checksum).sum(str) : nil
+    end
   end
 
   def write_temporary_file?