puppet 6.19.1-x64-mingw32 → 6.23.0-x64-mingw32

data/lib/puppet/configurer.rb

@@ -112,7 +112,7 @@ class Puppet::Configurer
     catalog_conversion_time = thinmark do
       # Will mutate the result and replace all Deferred values with resolved values
       if facts
-        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, result)
+        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, result, Puppet.lookup(:current_environment))
       end
 
       catalog = result.to_ral
@@ -223,26 +223,23 @@ class Puppet::Configurer
         # mode. We shouldn't try to do any failover in that case.
         if options[:catalog].nil? && do_failover
           server, port = find_functional_server
-          begin
-            if server.nil?
-              raise Puppet::Error, _("Could not select a functional puppet server from server_list: '%{server_list}'") % { server_list: Puppet.settings.value(:server_list, Puppet[:environment].to_sym, true) }
-            else
-              #TRANSLATORS 'server_list' is the name of a setting and should not be translated
-              Puppet.debug _("Selected puppet server from the `server_list` setting: %{server}:%{port}") % { server: server, port: port }
-              report.server_used = "#{server}:#{port}"
-            end
-          rescue Puppet::Error => detail
+          if server.nil?
+            detail = _("Could not select a functional puppet server from server_list: '%{server_list}'") % { server_list: Puppet.settings.value(:server_list, Puppet[:environment].to_sym, true) }
             if Puppet[:usecacheonfailure]
               options[:pluginsync] = false
               @running_failure = true
-              if server.nil?
-                server = Puppet[:server_list].first[0]
-                port = Puppet[:server_list].first[1] || Puppet[:serverport]
-              end
-              Puppet.log_exception(detail)
+
+              server = Puppet[:server_list].first[0]
+              port = Puppet[:server_list].first[1] || Puppet[:serverport]
+
+              Puppet.err(detail)
             else
-              raise detail
+              raise Puppet::Error, detail
             end
+          else
+            #TRANSLATORS 'server_list' is the name of a setting and should not be translated
+            Puppet.debug _("Selected puppet server from the `server_list` setting: %{server}:%{port}") % { server: server, port: port }
+            report.server_used = "#{server}:#{port}"
           end
           Puppet.override(server: server, serverport: port) do
             completed = run_internal(options)
@@ -400,16 +397,29 @@ class Puppet::Configurer
       if !cached_catalog && options[:catalog]
         ral_catalog = options[:catalog]
       else
+        # Ordering here matters. We have to resolve deferred resources in the
+        # resource catalog, convert the resource catalog to a RAL catalog (which
+        # triggers type/provider validation), and only if that is successful,
+        # should we cache the *original* resource catalog. However, deferred
+        # evaluation mutates the resource catalog, so we need to make a copy of
+        # it here. If PUP-9323 is ever implemented so that we resolve deferred
+        # resources in the RAL catalog as they are needed, then we could eliminate
+        # this step.
+        catalog_to_cache = Puppet.override(:rich_data => Puppet[:rich_data]) do
+          Puppet::Resource::Catalog.from_data_hash(catalog.to_data_hash)
+        end
+
         # REMIND @duration is the time spent loading the last catalog, and doesn't
         # account for things like we failed to download and fell back to the cache
         ral_catalog = convert_catalog(catalog, @duration, facts, options)
 
-        # If not noop, commit the cached resource catalog (not ral catalog). Ideally
+        # Validation succeeded, so commit the `catalog_to_cache` for non-noop runs. Don't
+        # commit `catalog` since it contains the result of deferred evaluation. Ideally
         # we'd just copy the downloaded response body, instead of serializing the
         # in-memory catalog, but that's hard due to the indirector.
         indirection = Puppet::Resource::Catalog.indirection
         if !Puppet[:noop] && indirection.cache?
-          request = indirection.request(:save, nil, catalog, environment: Puppet::Node::Environment.remote(catalog.environment))
+          request = indirection.request(:save, nil, catalog_to_cache, environment: Puppet::Node::Environment.remote(catalog_to_cache.environment))
           Puppet.info("Caching catalog for #{request.key}")
           indirection.cache.save(request)
         end

data/lib/puppet/configurer/downloader.rb

@@ -73,7 +73,8 @@ class Puppet::Configurer::Downloader
       :purge => true,
       :force => true,
       :backup => false,
-      :noop => false
+      :noop => false,
+      :max_files => -1
     }
     if !Puppet::Util::Platform.windows?
       defargs[:owner] = Process.uid

data/lib/puppet/defaults.rb

@@ -58,6 +58,18 @@ module Puppet
     end
   end
 
+  def self.default_cadir
+    return "" if Puppet::Util::Platform.windows?
+    old_ca_dir = "#{Puppet[:ssldir]}/ca"
+    new_ca_dir = '/etc/puppetlabs/puppetserver/ca'
+
+    if File.exist?("#{new_ca_dir}/ca_crt.pem")
+      new_ca_dir
+    else
+      old_ca_dir
+    end
+  end
+
   ############################################################################################
   # NOTE: For information about the available values for the ":type" property of settings,
   #   see the docs for Settings.define_settings
@@ -77,7 +89,8 @@ module Puppet
           the "facter-ng" gem). This is not necessary if Facter 3.x or later is installed.
           This setting is still experimental.',
         :hook    => proc do |value|
-          if value
+          value = munge(value)
+          if value && Puppet::Util::Package.versioncmp(Facter.value('facterversion'), '4.0.0') < 0
             begin
               original_facter = Object.const_get(:Facter)
               Object.send(:remove_const, :Facter)
@@ -632,7 +645,7 @@ module Puppet
     :http_proxy_password =>{
       :default    => "none",
       :hook       => proc do |value|
-        if settings[:http_proxy_password] =~ /[@!# \/]/
+        if value =~ /[@!# \/]/
           raise "Passwords set in the http_proxy_password setting must be valid as part of a URL, and any reserved characters must be URL-encoded. We received: #{value}"
         end
       end,
@@ -841,7 +854,10 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
           **Note:** You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes errors.
 
         Defaults to the node's fully qualified domain name.",
-      :hook => proc { |value| raise(ArgumentError, _("Certificate names must be lower case")) unless value == value.downcase }},
+      :call_hook => :on_initialize_and_write,
+      :hook => proc { |value|
+        raise(ArgumentError, _("Certificate names must be lower case")) unless value == value.downcase
+      }},
     :dns_alt_names => {
       :default => '',
       :desc    => <<EOT,
@@ -862,8 +878,8 @@ names.
 **Note:** The list of alternate names is locked in when the server's
 certificate is signed. If you need to change the list later, you can't just
 change this setting; you also need to regenerate the certificate. For more
-information on that process, see the [cert regen docs]
-(https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html).
+information on that process, see the 
+[cert regen docs](https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html).
 
 To see all the alternate names your servers are using, log into your CA server
 and run `puppetserver ca list --all`, then check the output for `(alt names: ...)`.
@@ -1081,6 +1097,14 @@ EOT
           certificate revocation checking and does not attempt to download the CRL.
         EOT
     },
+    :ciphers => {
+      :default => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256',
+      :type => :string,
+      :desc => "The list of ciphersuites for TLS connections initiated by puppet. The
+                default value is chosen to support TLS 1.0 and up, but can be made
+                more restrictive if needed. The ciphersuites must be specified in OpenSSL
+                format, not IANA."
+    },
     :key_type => {
       :default => 'rsa',
       :type    => :enum,
@@ -1124,7 +1148,7 @@ EOT
       :type      => :string,
       :desc      => "Where to send log messages. Choose between 'syslog' (the POSIX syslog
       service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
-      file."
+      file. Multiple destinations can be set using a comma separated list (eg: `/path/file1,console,/path/file2`)"
       # Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,
       # unfortunately we have a large number of tests that rely on the logging not resetting itself when the
       # settings are initialized as they test what gets logged during settings initialization.
@@ -1138,7 +1162,7 @@ EOT
       :desc    => "The name to use the Certificate Authority certificate.",
     },
     :cadir => {
-      :default => "$ssldir/ca",
+      :default => lambda { default_cadir },
       :type => :directory,
       :desc => "The root directory for the certificate authority.",
     },
@@ -1367,23 +1391,15 @@ EOT
       by `puppet`, and should only be set if you're writing your own Puppet
       executable.",
     },
-    :serverport => {
-      :default    => 8140,
-      :desc       => "The default port puppet subcommands use to communicate
-      with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
-      overridden by more specific settings (see `ca_port`, `report_port`).",
-      :hook       => proc do |value|
-        Puppet[:masterport] = value unless Puppet.settings.set_by_config?(:masterport)
-      end
-    },
     :masterport => {
       :default    => 8140,
       :desc       => "The default port puppet subcommands use to communicate
       with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
       overridden by more specific settings (see `ca_port`, `report_port`).",
-      :hook => proc do |value|
-        Puppet[:serverport] = value unless Puppet.settings.set_by_config?(:serverport)
-      end
+    },
+    :serverport => {
+      :type => :alias,
+      :alias_for => :masterport
     },
     :node_name => {
       :default    => 'cert',
@@ -1501,7 +1517,9 @@ EOT
         See the report reference for information on the built-in report
         handlers; custom report handlers can also be loaded from modules.
         (Report handlers are loaded from the lib directory, at
-        `puppet/reports/NAME.rb`.)",
+        `puppet/reports/NAME.rb`.)
+
+        To turn off reports entirely, set this to `none`",
     },
     :reportdir => {
       :default => "$vardir/reports",
@@ -1764,7 +1782,7 @@ EOT
     },
     :agent_disabled_lockfile => {
         :default    => "$statedir/agent_disabled.lock",
-        :type       => :file,
+        :type       => :string,
         :desc       => "A lock file to indicate that puppet agent runs have been administratively
           disabled.  File contains a JSON object with state information.",
     },
@@ -1874,7 +1892,11 @@ EOT
       :default  => "$statedir/last_run_report.yaml",
       :type     => :file,
       :mode     => "0640",
-      :desc     => "Where puppet agent stores the last run report in yaml format."
+      :desc     => "Where Puppet Agent stores the last run report, by default, in yaml format.
+        The format of the report can be changed by setting the `cache` key of the `report` terminus
+        in the [routes.yaml](https://puppet.com/docs/puppet/latest/config_file_routes.html) file.
+        To avoid mismatches between content and file extension, this setting needs to be
+        manually updated to reflect the terminus changes."
     },
     :graph => {
       :default  => false,
@@ -2218,12 +2240,18 @@ EOT
    :func3x_check => {
      :default => true,
      :type => :boolean,
-     :desc => <<-'EOT'
+     :desc => <<-'EOT',
        Causes validation of loaded legacy Ruby functions (3x API) to raise errors about illegal constructs that
        could cause harm or that simply does not work. This flag is on by default. This flag is made available
        so that the validation can be turned off in case the method of validation is faulty - if encountered, please
        file a bug report.
      EOT
+     :call_hook => :on_initialize_and_write,
+     :hook => proc do |value|
+       unless value
+         Puppet.deprecation_warning(_("The 'func3x_check' setting is deprecated and will be removed in a future release."))
+       end
+     end
      },
   :tasks => {
     :default => false,

data/lib/puppet/environments.rb

@@ -225,6 +225,9 @@ module Puppet::Environments
     private
 
     def create_environment(name)
+      # interpolated modulepaths may be cached from prior environment instances
+      Puppet.settings.clear_environment_settings(name)
+
       env_symbol = name.intern
       setting_values = Puppet.settings.values(env_symbol, Puppet.settings.preferred_run_mode)
       env = Puppet::Node::Environment.create(
@@ -346,17 +349,23 @@ module Puppet::Environments
       @loader = loader
       @cache_expiration_service = Puppet::Environments::Cached.cache_expiration_service
       @cache = {}
-
-      # Holds expiration times in sorted order - next to expire is first
-      @expirations = SortedSet.new
-
-      # Infinity since it there are no entries, this is a cache of the first to expire time
-      @next_expiration = END_OF_TIME
     end
 
     # @!macro loader_list
     def list
-      @loader.list
+      # Evict all that have expired, in the same way as `get`
+      clear_all_expired
+
+      @loader.list.map do |env|
+        name = env.name
+        old_entry = @cache[name]
+        if old_entry
+          old_entry.value
+        else
+          add_entry(name, entry(env))
+          env
+        end
+      end
     end
 
     # @!macro loader_search_paths
@@ -379,7 +388,6 @@ module Puppet::Environments
       elsif (result = @loader.get(name))
         # environment loaded, cache it
         cache_entry = entry(result)
-        @cache_expiration_service.created(result)
         add_entry(name, cache_entry)
         result
       end
@@ -389,28 +397,36 @@ module Puppet::Environments
     def add_entry(name, cache_entry)
       Puppet.debug {"Caching environment '#{name}' #{cache_entry.label}"}
       @cache[name] = cache_entry
-      expires = cache_entry.expires
-      @expirations.add(expires)
-      if @next_expiration > expires
-        @next_expiration = expires
-      end
+      @cache_expiration_service.created(cache_entry.value)
     end
     private :add_entry
 
+    def clear_entry(name, entry)
+      @cache.delete(name)
+      Puppet.debug {"Evicting cache entry for environment '#{name}'"}
+      @cache_expiration_service.evicted(name.to_sym)
+      Puppet::GettextConfig.delete_text_domain(name)
+      Puppet.settings.clear_environment_settings(name)
+    end
+    private :clear_entry
+
     # Clears the cache of the environment with the given name.
     # (The intention is that this could be used from a MANUAL cache eviction command (TBD)
     def clear(name)
-      @cache.delete(name)
-      Puppet::GettextConfig.delete_text_domain(name)
+      entry = @cache[name]
+      clear_entry(name, entry) if entry
     end
 
     # Clears all cached environments.
     # (The intention is that this could be used from a MANUAL cache eviction command (TBD)
-    def clear_all()
+    def clear_all
       super
+
+      @cache.each_pair do |name, entry|
+        clear_entry(name, entry)
+      end
+
       @cache = {}
-      @expirations.clear
-      @next_expiration = END_OF_TIME
       Puppet::GettextConfig.delete_environment_text_domains
     end
 
@@ -419,18 +435,24 @@ module Puppet::Environments
     #
     def clear_all_expired()
       t = Time.now
-      return if t < @next_expiration && ! @cache.any? {|name, _| @cache_expiration_service.expired?(name.to_sym) }
-      to_expire = @cache.select { |name, entry| entry.expires < t || @cache_expiration_service.expired?(name.to_sym) }
-      to_expire.each do |name, entry|
-        Puppet.debug {"Evicting cache entry for environment '#{name}'"}
-        @cache_expiration_service.evicted(name.to_sym)
-        clear(name)
-        @expirations.delete(entry.expires)
-        Puppet.settings.clear_environment_settings(name)
+
+      @cache.each_pair do |name, entry|
+        clear_if_expired(name, entry, t)
       end
-      @next_expiration = @expirations.first || END_OF_TIME
     end
 
+    # Clear an environment if it is expired, either by exceeding its time to live, or
+    # through an explicit eviction determined by the cache expiration service.
+    #
+    def clear_if_expired(name, entry, t = Time.now)
+      return unless entry
+
+      if entry.expired?(t) || @cache_expiration_service.expired?(name.to_sym)
+        clear_entry(name, entry)
+      end
+    end
+    private :clear_if_expired
+
     # This implementation evicts the cache, and always gets the current
     # configuration of the environment
     #
@@ -440,7 +462,7 @@ module Puppet::Environments
     #
     # @!macro loader_get_conf
     def get_conf(name)
-      evict_if_expired(name)
+      clear_if_expired(name, @cache[name])
       @loader.get_conf(name)
     end
 
@@ -467,17 +489,6 @@ module Puppet::Environments
       end
     end
 
-    # Evicts the entry if it has expired
-    # Also clears caches in Settings that may prevent the entry from being updated
-    def evict_if_expired(name)
-      if (result = @cache[name]) && (result.expired? || @cache_expiration_service.expired?(name.to_sym))
-        Puppet.debug {"Evicting cache entry for environment '#{name}'"}
-        @cache_expiration_service.evicted(name.to_sym)
-        clear(name)
-        Puppet.settings.clear_environment_settings(name)
-      end
-    end
-
     # Never evicting entry
     class Entry
       attr_reader :value
@@ -489,32 +500,24 @@ module Puppet::Environments
       def touch
       end
 
-      def expired?
+      def expired?(now)
         false
       end
 
       def label
         ""
       end
-
-      def expires
-        END_OF_TIME
-      end
     end
 
     # Always evicting entry
     class NotCachedEntry < Entry
-      def expired?
+      def expired?(now)
         true
       end
 
       def label
         "(ttl = 0 sec)"
       end
-
-      def expires
-        START_OF_TIME
-      end
     end
 
     # Policy that expires in ttl_seconds from when it was created
@@ -525,17 +528,13 @@ module Puppet::Environments
         @ttl_seconds = ttl_seconds
       end
 
-      def expired?
-        Time.now > @ttl
+      def expired?(now)
+        now > @ttl
       end
 
       def label
         "(ttl = #{@ttl_seconds} sec)"
       end
-
-      def expires
-        @ttl
-      end
     end
 
     # Policy that expires if it hasn't been touched within ttl_seconds