puppet 6.15.0 → 6.16.0

data/lib/puppet/network/http/connection_adapter.rb

@@ -0,0 +1,182 @@
+class Puppet::Network::HTTP::ConnectionAdapter < Puppet::Network::HTTP::Connection
+  def initialize(host, port, options = {})
+    super(host, port, options)
+
+    @client = Puppet.runtime[:http]
+  end
+
+  def get(path, headers = {}, options = {})
+    headers ||= {}
+    options[:ssl_context] ||= resolve_ssl_context
+    options[:redirect_limit] ||= @redirect_limit
+
+    with_error_handling do
+      resp = @client.get(to_url(path), headers: headers, options: options)
+      resp.nethttp
+    end
+  end
+
+  def post(path, data, headers = nil, options = {})
+    headers ||= {}
+    headers['Content-Type'] ||= "application/x-www-form-urlencoded"
+    data ||= ''
+    options[:ssl_context] ||= resolve_ssl_context
+    options[:redirect_limit] ||= @redirect_limit
+
+    with_error_handling do
+      resp = @client.post(to_url(path), data, headers: headers, options: options)
+      resp.nethttp
+    end
+  end
+
+  def head(path, headers = {}, options = {})
+    headers ||= {}
+    options[:ssl_context] ||= resolve_ssl_context
+    options[:redirect_limit] ||= @redirect_limit
+
+    with_error_handling do
+      resp = @client.head(to_url(path), headers: headers, options: options)
+      resp.nethttp
+    end
+  end
+
+  def delete(path, headers = {'Depth' => 'Infinity'}, options = {})
+    headers ||= {}
+    options[:ssl_context] ||= resolve_ssl_context
+    options[:redirect_limit] ||= @redirect_limit
+
+    with_error_handling do
+      resp = @client.delete(to_url(path), headers: headers, options: options)
+      resp.nethttp
+    end
+  end
+
+  def put(path, data, headers = nil, options = {})
+    headers ||= {}
+    headers['Content-Type'] ||= "application/x-www-form-urlencoded"
+    data ||= ''
+    options[:ssl_context] ||= resolve_ssl_context
+    options[:redirect_limit] ||= @redirect_limit
+
+    with_error_handling do
+      resp = @client.put(to_url(path), data, headers: headers, options: options)
+      resp.nethttp
+    end
+  end
+
+  def request_get(*args, &block)
+    path, headers = *args
+    headers ||= {}
+    options = {
+      ssl_context: resolve_ssl_context,
+      redirect_limit: @redirect_limit
+    }
+
+    resp = @client.get(to_url(path), headers: headers, options: options) do |response|
+      yield response.nethttp if block_given?
+    end
+    resp.nethttp
+  end
+
+  def request_head(*args, &block)
+    path, headers = *args
+    headers ||= {}
+    options = {
+      ssl_context: resolve_ssl_context,
+      redirect_limit: @redirect_limit
+    }
+
+    response = @client.head(to_url(path), headers: headers, options: options)
+    yield response.nethttp if block_given?
+    response.nethttp
+  end
+
+  def request_post(*args, &block)
+    path, data, headers = *args
+    headers ||= {}
+    headers['Content-Type'] ||= "application/x-www-form-urlencoded"
+    options = {
+      ssl_context: resolve_ssl_context,
+      redirect_limit: @redirect_limit
+    }
+
+    resp = @client.post(to_url(path), data, headers: headers, options: options) do |response|
+      yield response.nethttp if block_given?
+    end
+    resp.nethttp
+  end
+
+  private
+
+  # The old Connection class ignores the ssl_context on the Puppet stack,
+  # and always loads certs/keys based on what is currently in the filesystem.
+  # If the files are missing, it would attempt to bootstrap the certs/keys
+  # while in the process of making a network request, due to the call to
+  # Puppet.lookup(:ssl_host) in Puppet::SSL::Validator::DefaultValidator#setup_connection.
+  # This class doesn't preserve the boostrap behavior because that is handled
+  # outside of this class, and can only be triggered by running `puppet ssl` or
+  # `puppet agent`.
+  def resolve_ssl_context
+    # don't need an ssl context for http connections
+    return nil unless @site.use_ssl?
+
+    # if our verifier has an ssl_context, use that
+    ctx = @verifier.ssl_context
+    return ctx if ctx
+
+    # load available certs
+    cert = Puppet::X509::CertProvider.new
+    ssl = Puppet::SSL::SSLProvider.new
+    begin
+      password = cert.load_private_key_password
+      ssl.load_context(certname: Puppet[:certname], password: password)
+    rescue Puppet::SSL::SSLError => e
+      Puppet.log_exception(e)
+
+      # if we don't have cacerts, then create a root context that doesn't
+      # trust anything. The old code used to fallback to VERIFY_NONE,
+      # which we don't want to emulate.
+      ssl.create_root_context(cacerts: [])
+    end
+  end
+
+  def to_url(path)
+    if path =~ /^https?:\/\//
+      # The old Connection class accepts a URL as the request path, and sends
+      # it in "absolute-form" in the request line, e.g. GET https://puppet:8140/.
+      # See https://httpwg.org/specs/rfc7230.html#absolute-form. It just so happens
+      # to work because HTTP 1.1 servers are required to accept absolute-form even
+      # though clients are only supposed to send them to proxies, so the proxy knows
+      # what upstream server to CONNECT to. This method creates a URL using the
+      # scheme/host/port that the connection was created with, and appends the path
+      # portion of the absolute-form. The resulting request will use "origin-form"
+      # as it should have done all along.
+      url = URI(path)
+      URI("#{@site.addr}/#{normalize_path(url.path)}")
+    else
+      URI("#{@site.addr}/#{Puppet::Util.uri_encode(normalize_path(path))}")
+    end
+  end
+
+  def normalize_path(path)
+    if path[0] == '/'
+      path[1..-1]
+    else
+      path
+    end
+  end
+
+  def with_error_handling(&block)
+    yield
+  rescue Puppet::HTTP::TooManyRedirects => e
+    raise Puppet::Network::HTTP::RedirectionLimitExceededException.new(_("Too many HTTP redirections for %{host}:%{port}") % { host: @host, port: @port }, e)
+  rescue Puppet::HTTP::HTTPError => e
+    Puppet.log_exception(e, e.message)
+    case e.cause
+    when Net::OpenTimeout, Net::ReadTimeout, Net::HTTPError, EOFError
+      raise e.cause
+    else
+      raise e
+    end
+  end
+end

data/lib/puppet/network/http/nocache_pool.rb

@@ -3,6 +3,7 @@
 # @api private
 class Puppet::Network::HTTP::NoCachePool < Puppet::Network::HTTP::BasePool
   def initialize(factory = Puppet::Network::HTTP::Factory.new)
+    Puppet.deprecation_warning(_('Puppet::Network::HTTP::NoCachePool is deprecated.'))
     @factory = factory
   end
 

data/lib/puppet/network/http_pool.rb

@@ -1,4 +1,5 @@
 require 'puppet/network/http/connection'
+require 'puppet/network/http/connection_adapter'
 require 'puppet/util/platform'
 
 module Puppet::Network; end
@@ -12,14 +13,13 @@ module Puppet::Network; end
 #
 module Puppet::Network::HttpPool
 
-  @http_client_class = Puppet::Network::HTTP::Connection
+  @http_client_class = Puppet::Network::HTTP::ConnectionAdapter
 
   def self.http_client_class
     @http_client_class
   end
   def self.http_client_class=(klass)
     @http_client_class = klass
-    Puppet.runtime['http'] = Puppet::HTTP::ExternalClient.new(klass)
   end
 
   # Retrieve a connection for the given host and port.

data/lib/puppet/pal/catalog_compiler.rb

@@ -97,6 +97,11 @@ module Pal
       internal_compiler.evaluate_additions
     end
 
+    # Attempts to evaluate AST for node defnintions https://puppet.com/docs/puppet/latest/lang_node_definitions.html
+    # if there are any.
+    def evaluate_ast_node
+      internal_compiler.evaluate_ast_node
+    end
   end
 
 end

data/lib/puppet/pal/pal_impl.rb

@@ -424,7 +424,6 @@ module Pal
       begin
         node.sanitize()
         compiler = create_internal_compiler(internal_compiler_class, node)
-        add_variables(compiler.topscope, pal_variables)
 
         case internal_compiler_class
         when :script
@@ -440,6 +439,10 @@ module Pal
         # TRANSLATORS: Do not translate, symbolic name
         Puppet.override(overrides, "PAL::with_#{internal_compiler_class}_compiler") do
           compiler.compile do | compiler_yield |
+            # In case the varaibles passed to the compiler are PCore types defined in modules, they
+            # need to be deserialized and added from within the this scope, so that loaders are
+            # available during deserizlization.
+            add_variables(compiler.topscope, Puppet::Pops::Serialization::FromDataConverter.convert(pal_variables))
             # wrap the internal compiler to prevent it from leaking in the PAL API
             if block_given?
               yield(pal_compiler)

data/lib/puppet/parser/compiler.rb

@@ -348,6 +348,34 @@ class Puppet::Parser::Compiler
     end
   end
 
+
+  # If ast nodes are enabled, then see if we can find and evaluate one.
+  #
+  # @api private
+  def evaluate_ast_node
+    krt = environment.known_resource_types
+    return unless krt.nodes? #ast_nodes?
+
+    # Now see if we can find the node.
+    astnode = nil
+    @node.names.each do |name|
+      astnode = krt.node(name.to_s.downcase)
+      break if astnode
+    end
+
+    unless (astnode ||= krt.node("default"))
+      raise Puppet::ParseError, _("Could not find node statement with name 'default' or '%{names}'") % { names: node.names.join(", ") }
+    end
+
+    # Create a resource to model this node, and then add it to the list
+    # of resources.
+    resource = astnode.ensure_in_catalog(topscope)
+
+    resource.evaluate
+
+    @node_scope = topscope.class_scope(astnode)
+  end
+
   # Evaluates each specified class in turn. If there are any classes that
   # can't be found, an error is raised. This method really just creates resource objects
   # that point back to the classes, and then the resources are themselves
@@ -486,31 +514,6 @@ class Puppet::Parser::Compiler
     krt.capability_mappings.clear # No longer needed
   end
 
-  # If ast nodes are enabled, then see if we can find and evaluate one.
-  def evaluate_ast_node
-    krt = environment.known_resource_types
-    return unless krt.nodes? #ast_nodes?
-
-    # Now see if we can find the node.
-    astnode = nil
-    @node.names.each do |name|
-      astnode = krt.node(name.to_s.downcase)
-      break if astnode
-    end
-
-    unless (astnode ||= krt.node("default"))
-      raise Puppet::ParseError, _("Could not find node statement with name 'default' or '%{names}'") % { names: node.names.join(", ") }
-    end
-
-    # Create a resource to model this node, and then add it to the list
-    # of resources.
-    resource = astnode.ensure_in_catalog(topscope)
-
-    resource.evaluate
-
-    @node_scope = topscope.class_scope(astnode)
-  end
-
   # Evaluate our collections and return true if anything returned an object.
   # The 'true' is used to continue a loop, so it's important.
   def evaluate_collections

data/lib/puppet/parser/functions/filter.rb

@@ -43,6 +43,7 @@ as an array in the form `[key, value]` and returns a hash containing the results
 $data = { "orange" => 0, "blueberry" => 1, "raspberry" => 2 }
 $filtered_data = $data.filter |$items| { $items[0] =~ /berry$/ }
 # $filtered_data = {blueberry => 1, raspberry => 2}
+~~~
 
 When the first argument is an array and the lambda has two parameters, Puppet passes the
 array's indexes (enumerated from 0) in the first parameter and its values in the second

data/lib/puppet/provider/package/aix.rb

@@ -29,6 +29,15 @@ Puppet::Type.type(:package).provide :aix, :parent => Puppet::Provider::Package d
 
   attr_accessor   :latest_info
 
+  STATE_CODE = {
+    'A' => :applied,
+    'B' => :broken,
+    'C' => :committed,
+    'E' => :efix_locked,
+    'O' => :obsolete,
+    '?' => :inconsistent,
+  }.freeze
+
   def self.srclistcmd(source)
     [ command(:installp), "-L", "-d", source ]
   end
@@ -97,6 +106,11 @@ Puppet::Type.type(:package).provide :aix, :parent => Puppet::Provider::Package d
     if output =~ /^#{Regexp.escape(@resource[:name])}\s+.*\s+Already superseded by.*$/
       self.fail _("aix package provider is unable to downgrade packages")
     end
+
+    pkg_info = query
+    if pkg_info && [:broken, :inconsistent].include?(pkg_info[:status])
+      self.fail _("Package '%{name}' is in a %{status} state and requires manual intervention") % { name: @resource[:name], status: pkg_info[:status] }
+    end
   end
 
   def self.pkglist(hash = {})
@@ -108,8 +122,9 @@ Puppet::Type.type(:package).provide :aix, :parent => Puppet::Provider::Package d
     end
 
     begin
-      list = execute(cmd).scan(/^[^#][^:]*:([^:]*):([^:]*)/).collect { |n,e|
-        { :name => n, :ensure => e, :provider => self.name }
+      list = execute(cmd).scan(/^[^#][^:]*:([^:]*):([^:]*):[^:]*:[^:]*:([^:])/).collect { |n,e,s|
+        e = :absent if [:broken, :inconsistent].include?(STATE_CODE[s])
+        { :name => n, :ensure => e, :status => STATE_CODE[s], :provider => self.name }
       }
     rescue Puppet::ExecutionFailure => detail
       if hash[:pkgname]

data/lib/puppet/provider/package/apt.rb

@@ -77,7 +77,10 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
     if should.is_a?(String)
       begin
         should_range = VersionRange.parse(should, DebianVersion)
-        should = best_version(should_range)
+
+        unless should_range.is_a?(VersionRange::Eq)
+          should = best_version(should_range)
+        end
       rescue VersionRange::ValidationFailure, DebianVersion::ValidationFailure
         Puppet.debug("Cannot parse #{should} as a debian version range, falling through")
       end

data/lib/puppet/provider/package/dnfmodule.rb

@@ -12,7 +12,7 @@ require 'puppet/provider/package'
 
 Puppet::Type.type(:package).provide :dnfmodule, :parent => :dnf do
 
-  has_feature :installable, :uninstallable, :versionable, :supports_flavors
+  has_feature :installable, :uninstallable, :versionable, :supports_flavors, :disableable
   #has_feature :upgradeable
   # it's not (yet) feasible to make this upgradeable since module streams don't
   # always have matching version types (i.e. idm has streams DL1 and client,
@@ -34,10 +34,10 @@ Puppet::Type.type(:package).provide :dnfmodule, :parent => :dnf do
 
   def self.instances
     packages = []
-    cmd = "#{command(:dnf)} module list --enabled -d 0 -e #{error_level}"
+    cmd = "#{command(:dnf)} module list -d 0 -e #{error_level}"
     execute(cmd).each_line do |line|
       # select only lines with actual packages since DNF clutters the output
-      next unless line =~ /\[[ei]\][, ]/
+      next unless line =~ /\[[eix]\][, ]/
       line.gsub!(/\[d\]/, '')  # we don't care about the default flag
 
       flavor = if line.include?('[i]')
@@ -48,7 +48,11 @@ Puppet::Type.type(:package).provide :dnfmodule, :parent => :dnf do
 
       packages << new(
         name: line.split[0],
-        ensure: line.split[1],
+        ensure: if line.include?('[x]')
+                  :disabled
+                else
+                  line.split[1]
+                end,
         flavor: flavor,
         provider: name
       )
@@ -98,6 +102,18 @@ Puppet::Type.type(:package).provide :dnfmodule, :parent => :dnf do
     end
   end
 
+  # should only get here when @resource[ensure] is :disabled
+  def insync?(is)
+    if resource[:ensure] == :disabled
+      # in sync only if package is already disabled
+      pkg = self.class.instances.find do |package|
+        @resource[:name] == package.name && package.properties[:ensure] == :disabled
+      end
+      return true if pkg
+    end
+    return false
+  end
+
   def enable(args = @resource[:name])
     execute([command(:dnf), 'module', 'enable', '-d', '0', '-e', self.class.error_level, '-y', args])
   end
@@ -107,6 +123,10 @@ Puppet::Type.type(:package).provide :dnfmodule, :parent => :dnf do
     reset  # reset module to the default stream
   end
 
+  def disable(args = @resource[:name])
+    execute([command(:dnf), 'module', 'disable', '-d', '0', '-e', self.class.error_level, '-y', args])
+  end
+
   def reset
     execute([command(:dnf), 'module', 'reset', '-d', '0', '-e', self.class.error_level, '-y', @resource[:name]])
   end

data/lib/puppet/provider/package/pip.rb

@@ -79,7 +79,7 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
       command_options << '--all'
     end
 
-    execpipe [command, command_options] do |process|
+    execpipe [quote(command), command_options] do |process|
       process.collect do |line|
         pkg = parse(line)
         next unless pkg
@@ -158,7 +158,7 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
     command = resource_or_provider_command
     self.class.validate_command(command)
 
-    command_and_options = [command, 'install', "#{@resource[:name]}==versionplease"]
+    command_and_options = [self.class.quote(command), 'install', "#{@resource[:name]}==versionplease"]
     command_and_options << install_options if @resource[:install_options]
     execpipe command_and_options do |process|
       process.collect do |line|
@@ -179,7 +179,7 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
     self.class.validate_command(command)
 
     Dir.mktmpdir("puppet_pip") do |dir|
-      command_and_options = [command, 'install', "#{@resource[:name]}", '-d', "#{dir}", '-v']
+      command_and_options = [self.class.quote(command), 'install', "#{@resource[:name]}", '-d', "#{dir}", '-v']
       command_and_options << install_options if @resource[:install_options]
       execpipe command_and_options do |process|
         process.collect do |line|
@@ -211,51 +211,73 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
     should_range
   end
 
-  # Install a package.  The ensure parameter may specify installed,
-  # latest, a version number, or, in conjunction with the source
-  # parameter, an SCM revision.  In that case, the source parameter
-  # gives the fully-qualified URL to the repository.
-  def install
-    command = resource_or_provider_command
-    self.class.validate_command(command)
-
+  def get_install_command_options()
     should = @resource[:ensure]
     command_options = %w{install -q}
-    command_options +=  install_options if @resource[:install_options]
+    command_options += install_options if @resource[:install_options]
+
     if @resource[:source]
       if String === should
         command_options << "#{@resource[:source]}@#{should}#egg=#{@resource[:name]}"
       else
         command_options << "#{@resource[:source]}#egg=#{@resource[:name]}"
       end
-    else
-      case should
-      when :latest
-        command_options << "--upgrade" << @resource[:name]
-      when String
-        begin
-          should_range = PIP_VERSION_RANGE.parse(should, PIP_VERSION)
-          should = best_version(should_range)
-
-          unless should == should_range
-            command_options << "#{@resource[:name]}==#{should}"
-          else
-            # when no suitable version for the given range was found, let pip handle
-            if should.is_a?(PIP_VERSION_RANGE::MinMax)
-              command_options << "#{@resource[:name]} #{should.split.join(',')}"
-            else
-              command_options << "#{@resource[:name]} #{should}"
-            end
-          end
-        rescue PIP_VERSION_RANGE::ValidationFailure, PIP_VERSION::ValidationFailure
-          Puppet.debug("Cannot parse #{should} as a pip version range, falling through.")
-          command_options << "#{@resource[:name]}==#{should}"
-        end
+
+      return command_options
+    end
+
+    if should == :latest
+      command_options << "--upgrade" << @resource[:name]
+
+      return command_options
+    end
+
+    unless String === should
+      command_options << @resource[:name]
+
+      return command_options
+    end
+
+    begin
+      should_range = PIP_VERSION_RANGE.parse(should, PIP_VERSION)
+    rescue PIP_VERSION_RANGE::ValidationFailure, PIP_VERSION::ValidationFailure
+      Puppet.debug("Cannot parse #{should} as a pip version range, falling through.")
+      command_options << "#{@resource[:name]}==#{should}"
+
+      return command_options
+    end
+
+    if should_range.is_a?(PIP_VERSION_RANGE::Eq)
+      command_options << "#{@resource[:name]}==#{should}"
+
+      return command_options
+    end
+
+    should = best_version(should_range)
+
+    if should == should_range
+      # when no suitable version for the given range was found, let pip handle
+      if should.is_a?(PIP_VERSION_RANGE::MinMax)
+        command_options << "#{@resource[:name]} #{should.split.join(',')}"
       else
-        command_options << @resource[:name]
+        command_options << "#{@resource[:name]} #{should}"
       end
+    else
+      command_options << "#{@resource[:name]}==#{should}"
     end
 
+    command_options
+  end
+
+  # Install a package.  The ensure parameter may specify installed,
+  # latest, a version number, or, in conjunction with the source
+  # parameter, an SCM revision.  In that case, the source parameter
+  # gives the fully-qualified URL to the repository.
+  def install
+    command = resource_or_provider_command
+    self.class.validate_command(command)
+
+    command_options = get_install_command_options
     execute([command, command_options])
   end
 
@@ -298,6 +320,8 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
     should_range.include?(is_version)
   end
 
+  # Quoting is required if the path to the pip command contains spaces.
+  # Required for execpipe() but not execute(), as execute() already does this.
   def self.quote(path)
     if path.include?(" ")
       "\"#{path}\""
@@ -305,5 +329,4 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
       path
     end
   end
-  private_class_method :quote
 end