puppet 6.21.1-x64-mingw32 → 7.4.1-x64-mingw32

data/lib/puppet/module_tool/applications.rb

@@ -5,7 +5,6 @@ module Puppet::ModuleTool
     require 'puppet/module_tool/applications/application'
     require 'puppet/module_tool/applications/checksummer'
     require 'puppet/module_tool/applications/installer'
-    require 'puppet/module_tool/applications/searcher'
     require 'puppet/module_tool/applications/unpacker'
     require 'puppet/module_tool/applications/uninstaller'
     require 'puppet/module_tool/applications/upgrader'

data/lib/puppet/network/authconfig.rb

@@ -1,101 +1,7 @@
-require 'puppet/network/rights'
-require 'puppet/network/http'
-
 module Puppet
-  class ConfigurationError < Puppet::Error; end
-  class Network::DefaultAuthProvider
-    attr_accessor :rights
-
-    def self.master_url_prefix
-      Puppet::Network::HTTP::MASTER_URL_PREFIX
-    end
-
-    def self.default_acl
-      [
-      # Master API V3
-      { :acl => "#{master_url_prefix}/v3/environments", :method => :find, :allow => '*', :authenticated => true },
-
-      { :acl => "~ ^#{master_url_prefix}\/v3\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
-      { :acl => "~ ^#{master_url_prefix}\/v3\/node\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
-      { :acl => "~ ^#{master_url_prefix}\/v3\/report\/([^\/]+)$", :method => :save, :allow => '$1', :authenticated => true },
-
-      # this one will allow all file access, and thus delegate
-      # to fileserver.conf
-      { :acl => "#{master_url_prefix}/v3/file" },
-
-      { :acl => "#{master_url_prefix}/v3/status", :method => [:find], :authenticated => true },
-      ]
-    end
-
-    # Just proxy the setting methods to our rights stuff
-    [:allow, :deny].each do |method|
-      define_method(method) do |*args|
-        @rights.send(method, *args)
-      end
-    end
-
-    # force regular ACLs to be present
-    def insert_default_acl
-      self.class.default_acl.each do |acl|
-        unless rights[acl[:acl]]
-          Puppet.info _("Inserting default '%{acl}' (auth %{auth}) ACL") % { acl: acl[:acl], auth: acl[:authenticated] }
-          mk_acl(acl)
-        end
-      end
-      # queue an empty (ie deny all) right for every other path
-      # actually this is not strictly necessary as the rights system
-      # denies not explicitly allowed paths
-      unless rights["/"]
-        rights.newright("/").restrict_authenticated(:any)
-      end
-    end
-
-    def mk_acl(acl)
-      right = @rights.newright(acl[:acl])
-      right.allow(acl[:allow] || "*")
-
-      method = acl[:method]
-      if method
-        method = [method] unless method.is_a?(Array)
-        method.each { |m| right.restrict_method(m) }
-      end
-      right.restrict_authenticated(acl[:authenticated]) unless acl[:authenticated].nil?
-    end
-
-    # check whether this request is allowed in our ACL
-    # raise an Puppet::Network::AuthorizedError if the request
-    # is denied.
-    def check_authorization(method, path, params)
-      authorization_failure_exception = @rights.is_request_forbidden_and_why?(method, path, params)
-      if authorization_failure_exception
-        Puppet.warning(_("Denying access: %{authorization_failure_exception}") % { authorization_failure_exception: authorization_failure_exception })
-        raise authorization_failure_exception
-      end
-    end
-
-    def initialize(rights=nil)
-      @rights = rights || Puppet::Network::Rights.new
-      insert_default_acl
-    end
-  end
-
   class Network::AuthConfig
-    @@authprovider_class = nil
-
-    def self.authprovider_class=(klass)
-      @@authprovider_class = klass
-    end
-
-    def self.authprovider_class
-      @@authprovider_class || Puppet::Network::DefaultAuthProvider
-    end
-
-    def initialize(rights=nil)
-      @authprovider = self.class.authprovider_class.new(rights)
-    end
-
-    def check_authorization(method, path, params)
-      @authprovider.check_authorization(method, path, params)
+    def self.authprovider_class=(_)
+      # legacy auth is not supported, ignore
     end
   end
 end

data/lib/puppet/network/authorization.rb

@@ -1,41 +1,19 @@
-require 'puppet/network/client_request'
-require 'puppet/network/authconfig'
-require 'puppet/network/auth_config_parser'
-
 module Puppet::Network
-  class AuthConfigLoader
-    # Create our config object if necessary. If there's no configuration file
-    # we install our defaults
-    def self.authconfig
-      @auth_config_file ||= Puppet::Util::WatchedFile.new(Puppet[:rest_authconfig])
-      if (not @auth_config) or @auth_config_file.changed?
-        begin
-          @auth_config = Puppet::Network::AuthConfigParser.new_from_file(Puppet[:rest_authconfig]).parse
-        rescue Errno::ENOENT, Errno::ENOTDIR
-          @auth_config = Puppet::Network::AuthConfig.new
-        end
-      end
-
-      @auth_config
-    end
-  end
-
   module Authorization
-    @@authconfigloader_class = nil
-
-    def self.authconfigloader_class=(klass)
-      @@authconfigloader_class = klass
-    end
-
-    def authconfig
-      authconfigloader = @@authconfigloader_class || AuthConfigLoader
-      authconfigloader.authconfig
-    end
+    class << self
+      # This method is deprecated and will be removed in a future release.
+      def authconfigloader_class=(klass)
+        @authconfigloader_class = klass
+      end
 
-    # Verify that our client has access.
-    def check_authorization(method, path, params)
-      authconfig.check_authorization(method, path, params)
+      # Verify something external to puppet is authorizing REST requests, so
+      # we don't fail insecurely due to misconfiguration.
+      def check_external_authorization(method, path)
+        if @authconfigloader_class.nil?
+          message = "Forbidden request: #{path} (method #{method})"
+          raise Puppet::Network::HTTP::Error::HTTPNotAuthorizedError.new(message, Puppet::Network::HTTP::Issues::FAILED_AUTHORIZATION)
+        end
+      end
     end
   end
 end
-

data/lib/puppet/network/formats.rb

@@ -183,6 +183,73 @@ Puppet::Network::FormatHandler.create(:console,
   end
 end
 
+Puppet::Network::FormatHandler.create(:flat,
+                                      :mime   => 'text/x-flat-text',
+                                      :weight => 0) do
+
+  def flatten_hash(hash)
+    hash.each_with_object({}) do |(k, v), h|
+      if v.is_a? Hash
+        flatten_hash(v).map do |h_k, h_v|
+          h["#{k}.#{h_k}"] = h_v
+        end
+      elsif v.is_a? Array
+        v.each_with_index do |el, i|
+          if el.is_a? Hash
+            flatten_hash(el).map do |el_k, el_v|
+              h["#{k}.#{i}.#{el_k}"] = el_v
+            end
+          else
+            h["#{k}.#{i}"] = el
+          end
+        end
+      else
+        h[k] = v
+      end
+    end
+  end
+
+  def flatten_array(array)
+    a={}
+    array.each_with_index do |el, i|
+      if el.is_a? Hash
+        flatten_hash(el).map do |el_k, el_v|
+          a["#{i}.#{el_k}"] = el_v
+        end
+      else
+        a["#{i}"] = el
+      end
+    end
+    a
+  end
+
+  def construct_output(data)
+    output = ''
+    data.each do |key, value|
+      output << "#{key}=#{value}"
+      output << "\n"
+    end
+    output
+  end
+
+  def render(datum)
+    return datum if datum.is_a?(String) || datum.is_a?(Numeric)
+    # Simple hash
+    if datum.is_a?(Hash)
+      data = flatten_hash(datum)
+      return construct_output(data)
+    elsif datum.is_a?(Array)
+      data = flatten_array(datum)
+      return construct_output(data)
+    end
+    Puppet::Util::Json.dump(datum, :pretty => true, :quirks_mode => true)
+  end
+  def render_multiple(data)
+    data.collect(&:render).join("\n")
+  end
+end
+
+
 Puppet::Network::FormatHandler.create(:rich_data_json, mime: 'application/vnd.puppet.rich+json', charset: Encoding::UTF_8, weight: 30) do
   def intern(klass, text)
     Puppet.override({:rich_data => true}) do

data/lib/puppet/network/http.rb

@@ -1,3 +1,4 @@
+# This module is used to handle puppet REST requests in puppetserver.
 module Puppet::Network::HTTP
   HEADER_ENABLE_PROFILING = "X-Puppet-Profiling"
   HEADER_PUPPET_VERSION = "X-Puppet-Version"
@@ -8,7 +9,9 @@ module Puppet::Network::HTTP
   CA_URL_PREFIX = "/puppet-ca"
   CA_URL_VERSIONS = "v1"
 
+  require 'puppet/network/authconfig'
   require 'puppet/network/authorization'
+
   require 'puppet/network/http/issues'
   require 'puppet/network/http/error'
   require 'puppet/network/http/route'
@@ -19,7 +22,4 @@ module Puppet::Network::HTTP
   require 'puppet/network/http/response'
   require 'puppet/network/http/request'
   require 'puppet/network/http/memory_response'
-  require 'puppet/network/http/compression'
-
-  require 'puppet/http'
 end

data/lib/puppet/network/http/api/indirected_routes.rb

@@ -1,8 +1,6 @@
-require 'puppet/network/authorization'
 require 'puppet/network/http/api/indirection_type'
 
 class Puppet::Network::HTTP::API::IndirectedRoutes
-  include Puppet::Network::Authorization
 
   # How we map http methods and the indirection name in the URI
   # to an indirection method.
@@ -31,7 +29,8 @@ class Puppet::Network::HTTP::API::IndirectedRoutes
     Puppet::Network::HTTP::Route.path(/.*/).any(new)
   end
 
-  # handle an HTTP request
+  # Handle an HTTP request. The request has already been authenticated prior
+  # to calling this method.
   def call(request, response)
     indirection, method, key, params = uri2indirection(request.method, request.path, request.params)
     certificate = request.client_cert
@@ -99,12 +98,6 @@ class Puppet::Network::HTTP::API::IndirectedRoutes
       params[:environment] = configured_environment
     end
 
-    begin
-      check_authorization(method, "#{url_prefix}/#{indirection_name}/#{key}", params)
-    rescue Puppet::Network::AuthorizationError => e
-      raise Puppet::Network::HTTP::Error::HTTPNotAuthorizedError.new(e.message)
-    end
-
     if configured_environment.nil?
       raise Puppet::Network::HTTP::Error::HTTPNotFoundError.new(
         _("Could not find environment '%{environment}'") % { environment: environment })
@@ -120,17 +113,6 @@ class Puppet::Network::HTTP::API::IndirectedRoutes
     [indirection, method, key, params]
   end
 
-  def self.request_to_uri(request)
-    uri, body = request_to_uri_and_body(request)
-    "#{uri}?#{body}"
-  end
-
-  def self.request_to_uri_and_body(request)
-    url_prefix = IndirectionType.url_prefix_for(request.indirection_name.to_s)
-    indirection = request.method == :search ? pluralize(request.indirection_name.to_s) : request.indirection_name.to_s
-    ["#{url_prefix}/#{indirection}/#{Puppet::Util.uri_encode(request.key)}", "environment=#{request.environment.name}&#{request.query_string}"]
-  end
-
   private
 
   # Execute our find.

data/lib/puppet/network/http/api/master/v3.rb

@@ -1,28 +1,26 @@
 class Puppet::Network::HTTP::API::Master::V3
-  require 'puppet/network/http/api/master/v3/authorization'
   require 'puppet/network/http/api/master/v3/environments'
-  require 'puppet/network/http/api/master/v3/environment'
   require 'puppet/network/http/api/indirected_routes'
 
-  AUTHZ = Authorization.new
+  def self.wrap(&block)
+    lambda do |request, response|
+      Puppet::Network::Authorization.check_external_authorization(request.method, request.path)
+
+      block.call.call(request, response)
+    end
+  end
 
   INDIRECTED = Puppet::Network::HTTP::Route.
       path(/.*/).
-      any(Puppet::Network::HTTP::API::IndirectedRoutes.new)
+      any(wrap { Puppet::Network::HTTP::API::IndirectedRoutes.new } )
 
   ENVIRONMENTS = Puppet::Network::HTTP::Route.
-      path(%r{^/environments$}).get(AUTHZ.wrap do
-    Environments.new(Puppet.lookup(:environments))
-  end)
-
-  ENVIRONMENT = Puppet::Network::HTTP::Route.
-      path(%r{^/environment/[^/]+$}).get(AUTHZ.wrap do
-    Environment.new
-  end)
+      path(%r{^/environments$}).
+      get(wrap { Environments.new(Puppet.lookup(:environments)) } )
 
   def self.routes
     Puppet::Network::HTTP::Route.path(%r{v3}).
         any.
-        chain(ENVIRONMENTS, ENVIRONMENT, INDIRECTED)
+        chain(ENVIRONMENTS, INDIRECTED)
   end
 end

data/lib/puppet/network/http/connection.rb

@@ -1,355 +1,286 @@
-require 'puppet/ssl/openssl_loader'
-require 'puppet/ssl/host'
-require 'puppet/ssl/validator'
-require 'puppet/network/http'
-require 'uri'
-require 'date'
-require 'time'
-
-module Puppet::Network::HTTP
-
-  # This will be raised if too many redirects happen for a given HTTP request
-  class RedirectionLimitExceededException < Puppet::Error ; end
-
-  # This class provides simple methods for issuing various types of HTTP
-  # requests.  It's interface is intended to mirror Ruby's Net::HTTP
-  # object, but it provides a few important bits of additional
-  # functionality.  Notably:
+require 'puppet/http'
+
+# This will be raised if too many redirects happen for a given HTTP request
+class Puppet::Network::HTTP::RedirectionLimitExceededException < Puppet::Error ; end
+
+# This class provides simple methods for issuing various types of HTTP
+# requests.  It's interface is intended to mirror Ruby's Net::HTTP
+# object, but it provides a few important bits of additional
+# functionality.  Notably:
+#
+# * Any HTTPS requests made using this class will use Puppet's SSL
+#   certificate configuration for their authentication, and
+# * Provides some useful error handling for any SSL errors that occur
+#   during a request.
+#
+# @deprecated Use {Puppet.runtime[:http]}
+# @api public
+class Puppet::Network::HTTP::Connection
+  include Puppet::HTTP::ResponseConverter
+
+  OPTION_DEFAULTS = {
+    :use_ssl => true,
+    :verifier => nil,
+    :redirect_limit => 10,
+  }
+
+  # Creates a new HTTP client connection to `host`:`port`.
+  # @param host [String] the host to which this client will connect to
+  # @param port [Integer] the port to which this client will connect to
+  # @param options [Hash] options influencing the properties of the created
+  #   connection,
+  # @option options [Boolean] :use_ssl true to connect with SSL, false
+  #   otherwise, defaults to true
+  # @option options [Puppet::SSL::Verifier] :verifier An object that will configure
+  #   any verification to do on the connection
+  # @option options [Integer] :redirect_limit the number of allowed
+  #   redirections, defaults to 10 passing any other option in the options
+  #   hash results in a Puppet::Error exception
   #
-  # * Any HTTPS requests made using this class will use Puppet's SSL
-  #   certificate configuration for their authentication, and
-  # * Provides some useful error handling for any SSL errors that occur
-  #   during a request.
-  # @api public
-  class Connection
-
-    OPTION_DEFAULTS = {
-      :use_ssl => true,
-      :verify => nil, # Puppet::SSL::Validator is deprecated
-      :verifier => nil,
-      :redirect_limit => 10,
-    }
-
-    # Creates a new HTTP client connection to `host`:`port`.
-    # @param host [String] the host to which this client will connect to
-    # @param port [Integer] the port to which this client will connect to
-    # @param options [Hash] options influencing the properties of the created
-    #   connection,
-    # @option options [Boolean] :use_ssl true to connect with SSL, false
-    #   otherwise, defaults to true
-    # @option options [#setup_connection] :verify An object that will configure
-    #   any verification to do on the connection
-    # @option options [Integer] :redirect_limit the number of allowed
-    #   redirections, defaults to 10 passing any other option in the options
-    #   hash results in a Puppet::Error exception
-    #
-    # @note the HTTP connection itself happens lazily only when {#request}, or
-    #   one of the {#get}, {#post}, {#delete}, {#head} or {#put} is called
-    # @note The correct way to obtain a connection is to use one of the factory
-    #   methods on {Puppet::Network::HttpPool}
-    # @api private
-    def initialize(host, port, options = {})
-      @host = host
-      @port = port
-
-      unknown_options = options.keys - OPTION_DEFAULTS.keys
-      raise Puppet::Error, _("Unrecognized option(s): %{opts}") % { opts: unknown_options.map(&:inspect).sort.join(', ') } unless unknown_options.empty?
-
-      options = OPTION_DEFAULTS.merge(options)
-      @use_ssl = options[:use_ssl]
-      if @use_ssl
-        if options[:verifier]
-          unless options[:verifier].is_a?(Puppet::SSL::Verifier)
-            raise ArgumentError, _("Expected an instance of Puppet::SSL::Verifier but was passed a %{klass}") % { klass: options[:verifier].class }
-          end
-
-          @verifier = options[:verifier]
-        else
-          @verifier = Puppet::SSL::VerifierAdapter.new(options[:verify])
-        end
+  # @note the HTTP connection itself happens lazily only when {#request}, or
+  #   one of the {#get}, {#post}, {#delete}, {#head} or {#put} is called
+  # @note The correct way to obtain a connection is to use one of the factory
+  #   methods on {Puppet::Network::HttpPool}
+  # @api private
+  def initialize(host, port, options = {})
+    unknown_options = options.keys - OPTION_DEFAULTS.keys
+    raise Puppet::Error, _("Unrecognized option(s): %{opts}") % { opts: unknown_options.map(&:inspect).sort.join(', ') } unless unknown_options.empty?
+
+    options = OPTION_DEFAULTS.merge(options)
+    @use_ssl = options[:use_ssl]
+    if @use_ssl
+      unless options[:verifier].is_a?(Puppet::SSL::Verifier)
+        raise ArgumentError, _("Expected an instance of Puppet::SSL::Verifier but was passed a %{klass}") % { klass: options[:verifier].class }
       end
-      @redirect_limit = options[:redirect_limit]
-      @site = Puppet::Network::HTTP::Site.new(@use_ssl ? 'https' : 'http', host, port)
-      @pool = Puppet.lookup(:http_pool)
-    end
 
-    # @!macro [new] common_options
-    #   @param options [Hash] options influencing the request made. Any
-    #   options not recognized by this class will be ignored - no error will
-    #   be thrown.
-    #   @option options [Hash{Symbol => String}] :basic_auth The basic auth
-    #     :username and :password to use for the request, :metric_id Ignored
-    #     by this class - used by Puppet Server only. The metric id by which
-    #     to track metrics on requests.
-
-    # @param path [String]
-    # @param headers [Hash{String => String}]
-    # @!macro common_options
-    # @api public
-    def get(path, headers = {}, options = {})
-      do_request(Net::HTTP::Get.new(path, headers), options)
+      @verifier = options[:verifier]
     end
+    @redirect_limit = options[:redirect_limit]
+    @site = Puppet::HTTP::Site.new(@use_ssl ? 'https' : 'http', host, port)
+    @client = Puppet.runtime[:http]
+  end
 
-    # @param path [String]
-    # @param data [String]
-    # @param headers [Hash{String => String}]
-    # @!macro common_options
-    # @api public
-    def post(path, data, headers = nil, options = {})
-      request = Net::HTTP::Post.new(path, headers)
-      request.body = data
-      do_request(request, options)
-    end
+  # The address to connect to.
+  def address
+    @site.host
+  end
 
-    # @param path [String]
-    # @param headers [Hash{String => String}]
-    # @!macro common_options
-    # @api public
-    def head(path, headers = {}, options = {})
-      do_request(Net::HTTP::Head.new(path, headers), options)
-    end
+  # The port to connect to.
+  def port
+    @site.port
+  end
 
-    # @param path [String]
-    # @param headers [Hash{String => String}]
-    # @!macro common_options
-    # @api public
-    def delete(path, headers = {'Depth' => 'Infinity'}, options = {})
-      do_request(Net::HTTP::Delete.new(path, headers), options)
-    end
+  # Whether to use ssl
+  def use_ssl?
+    @site.use_ssl?
+  end
 
-    # @param path [String]
-    # @param data [String]
-    # @param headers [Hash{String => String}]
-    # @!macro common_options
-    # @api public
-    def put(path, data, headers = nil, options = {})
-      request = Net::HTTP::Put.new(path, headers)
-      request.body = data
-      do_request(request, options)
-    end
+  # @api private
+  def verifier
+    @verifier
+  end
 
-    def request(method, *args)
-      self.send(method, *args)
-    end
+  # @!macro [new] common_options
+  #   @param options [Hash] options influencing the request made. Any
+  #   options not recognized by this class will be ignored - no error will
+  #   be thrown.
+  #   @option options [Hash{Symbol => String}] :basic_auth The basic auth
+  #     :username and :password to use for the request, :metric_id Ignored
+  #     by this class - used by Puppet Server only. The metric id by which
+  #     to track metrics on requests.
+
+  # @param path [String]
+  # @param headers [Hash{String => String}]
+  # @!macro common_options
+  # @api public
+  def get(path, headers = {}, options = {})
+    headers ||= {}
+    options[:ssl_context] ||= resolve_ssl_context
+    options[:redirect_limit] ||= @redirect_limit
 
-    # TODO: These are proxies for the Net::HTTP#request_* methods, which are
-    # almost the same as the "get", "post", etc. methods that we've ported above,
-    # but they are able to accept a code block and will yield to it, which is
-    # necessary to stream responses, e.g. file content.  For now
-    # we're not funneling these proxy implementations through our #request
-    # method above, so they will not inherit the same error handling.  In the
-    # future we may want to refactor these so that they are funneled through
-    # that method and do inherit the error handling.
-    def request_get(*args, &block)
-      with_connection(@site) do |http|
-        resp = http.request_get(*args, &block)
-        Puppet.debug("HTTP GET #{@site}#{args.first.split('?').first} returned #{resp.code} #{resp.message}")
-        resp
-      end
+    with_error_handling do
+      to_ruby_response(@client.get(to_url(path), headers: headers, options: options))
     end
+  end
 
-    def request_head(*args, &block)
-      with_connection(@site) do |http|
-        resp = http.request_head(*args, &block)
-        Puppet.debug("HTTP HEAD #{@site}#{args.first.split('?').first} returned #{resp.code} #{resp.message}")
-        resp
-      end
+  # @param path [String]
+  # @param data [String]
+  # @param headers [Hash{String => String}]
+  # @!macro common_options
+  # @api public
+  def post(path, data, headers = nil, options = {})
+    headers ||= {}
+    headers['Content-Type'] ||= "application/x-www-form-urlencoded"
+    data ||= ''
+    options[:ssl_context] ||= resolve_ssl_context
+    options[:redirect_limit] ||= @redirect_limit
+
+    with_error_handling do
+      to_ruby_response(@client.post(to_url(path), data, headers: headers, options: options))
     end
+  end
 
-    def request_post(*args, &block)
-      with_connection(@site) do |http|
-        resp = http.request_post(*args, &block)
-        Puppet.debug("HTTP POST #{@site}#{args.first.split('?').first} returned #{resp.code} #{resp.message}")
-        resp
-      end
-    end
-    # end of Net::HTTP#request_* proxies
+  # @param path [String]
+  # @param headers [Hash{String => String}]
+  # @!macro common_options
+  # @api public
+  def head(path, headers = {}, options = {})
+    headers ||= {}
+    options[:ssl_context] ||= resolve_ssl_context
+    options[:redirect_limit] ||= @redirect_limit
 
-    # The address to connect to.
-    def address
-      @site.host
+    with_error_handling do
+      to_ruby_response(@client.head(to_url(path), headers: headers, options: options))
     end
+  end
 
-    # The port to connect to.
-    def port
-      @site.port
-    end
+  # @param path [String]
+  # @param headers [Hash{String => String}]
+  # @!macro common_options
+  # @api public
+  def delete(path, headers = {'Depth' => 'Infinity'}, options = {})
+    headers ||= {}
+    options[:ssl_context] ||= resolve_ssl_context
+    options[:redirect_limit] ||= @redirect_limit
 
-    # Whether to use ssl
-    def use_ssl?
-      @site.use_ssl?
+    with_error_handling do
+      to_ruby_response(@client.delete(to_url(path), headers: headers, options: options))
     end
+  end
 
-    # @api private
-    def verifier
-      @verifier
+  # @param path [String]
+  # @param data [String]
+  # @param headers [Hash{String => String}]
+  # @!macro common_options
+  # @api public
+  def put(path, data, headers = nil, options = {})
+    headers ||= {}
+    headers['Content-Type'] ||= "application/x-www-form-urlencoded"
+    data ||= ''
+    options[:ssl_context] ||= resolve_ssl_context
+    options[:redirect_limit] ||= @redirect_limit
+
+    with_error_handling do
+      to_ruby_response(@client.put(to_url(path), data, headers: headers, options: options))
     end
+  end
 
-    private
-
-    def do_request(request, options)
-      current_request = request
-      current_site = @site
-      response = nil
-
-      0.upto(@redirect_limit) do |redirection|
-        return response if response
-
-        with_connection(current_site) do |connection|
-          apply_options_to(current_request, options)
-
-          current_response = execute_request(connection, current_request)
-
-          case current_response.code.to_i
-          when 301, 302, 307
-            # handle redirection
-            location = URI.parse(current_response['location'])
-            current_site = current_site.move_to(location)
-
-            # update to the current request path
-            current_request = current_request.class.new(location.path)
-            current_request.body = request.body
-            request.each do |header, value|
-              current_request[header] = value
-            end
-          when 429, 503
-            if connection.started?
-              Puppet.debug("Closing connection for #{current_site}")
-              connection.finish
-            end
-            response = handle_retry_after(current_response)
-          else
-            response = current_response
-          end
-        end
-
-        # and try again...
-      end
+  def request_get(*args, &block)
+    path, headers = *args
+    headers ||= {}
+    options = {
+      ssl_context: resolve_ssl_context,
+      redirect_limit: @redirect_limit
+    }
 
-      raise RedirectionLimitExceededException, _("Too many HTTP redirections for %{host}:%{port}") % { host: @host, port: @port }
+    ruby_response = nil
+    @client.get(to_url(path), headers: headers, options: options) do |response|
+      ruby_response = to_ruby_response(response)
+      yield ruby_response if block_given?
     end
+    ruby_response
+  end
 
-    # Handles the Retry-After header of a HTTPResponse
-    #
-    # This method checks the response for a Retry-After header and handles
-    # it by sleeping for the indicated number of seconds. The response is
-    # returned unmodified if no Retry-After header is present.
-    #
-    # @param response [Net::HTTPResponse] A response received from the
-    #   HTTP client.
-    #
-    # @return [nil] Sleeps and returns nil if the response contained a
-    #   Retry-After header that indicated the request should be retried.
-    # @return [Net::HTTPResponse] Returns the `response` unmodified if
-    #   no Retry-After header was present or the Retry-After header could
-    #   not be parsed as an integer or RFC 2822 date.
-    def handle_retry_after(response)
-      retry_after = response['Retry-After']
-      return response if retry_after.nil?
-
-      retry_sleep = parse_retry_after_header(retry_after)
-      # Recover remote hostname if Net::HTTPResponse was generated by a
-      # method that fills in the uri attribute.
-      #
-      server_hostname = if response.uri.is_a?(URI)
-                          response.uri.host
-                        else
-                          # TRANSLATORS: Used in the phrase:
-                          # "Received a response from the remote server."
-                          _('the remote server')
-                        end
-
-      if retry_sleep.nil?
-        Puppet.err(_('Received a %{status_code} response from %{server_hostname}, but the Retry-After header value of "%{retry_after}" could not be converted to an integer or RFC 2822 date.') %
-                   {status_code: response.code,
-                    server_hostname: server_hostname,
-                    retry_after: retry_after.inspect})
-
-        return response
-      end
-
-      # Cap maximum sleep at the run interval of the Puppet agent.
-      retry_sleep = [retry_sleep, Puppet[:runinterval]].min
+  def request_head(*args, &block)
+    path, headers = *args
+    headers ||= {}
+    options = {
+      ssl_context: resolve_ssl_context,
+      redirect_limit: @redirect_limit
+    }
 
-      Puppet.warning(_('Received a %{status_code} response from %{server_hostname}. Sleeping for %{retry_sleep} seconds before retrying the request.') %
-                     {status_code: response.code,
-                      server_hostname: server_hostname,
-                      retry_sleep: retry_sleep})
+    response = @client.head(to_url(path), headers: headers, options: options)
+    ruby_response = to_ruby_response(response)
+    yield ruby_response if block_given?
+    ruby_response
+  end
 
-      ::Kernel.sleep(retry_sleep)
+  def request_post(*args, &block)
+    path, data, headers = *args
+    headers ||= {}
+    headers['Content-Type'] ||= "application/x-www-form-urlencoded"
+    options = {
+      ssl_context: resolve_ssl_context,
+      redirect_limit: @redirect_limit
+    }
 
-      return nil
+    ruby_response = nil
+    @client.post(to_url(path), data, headers: headers, options: options) do |response|
+      ruby_response = to_ruby_response(response)
+      yield ruby_response if block_given?
     end
+    ruby_response
+  end
 
-    # Parse the value of a Retry-After header
-    #
-    # Parses a string containing an Integer or RFC 2822 datestamp and returns
-    # an integer number of seconds before a request can be retried.
-    #
-    # @param header_value [String] The value of the Retry-After header.
-    #
-    # @return [Integer] Number of seconds to wait before retrying the
-    #   request. Will be equal to 0 for the case of date that has already
-    #   passed.
-    # @return [nil] Returns `nil` when the `header_value` can't be
-    #   parsed as an Integer or RFC 2822 date.
-    def parse_retry_after_header(header_value)
-      retry_after = begin
-                      Integer(header_value)
-                    rescue TypeError, ArgumentError
-                      begin
-                        DateTime.rfc2822(header_value)
-                      rescue ArgumentError
-                        return nil
-                      end
-                    end
-
-      case retry_after
-      when Integer
-        retry_after
-      when DateTime
-        sleep = (retry_after.to_time - DateTime.now.to_time).to_i
-        (sleep > 0) ? sleep : 0
-      end
+  private
+
+  # Resolve the ssl_context based on the verifier associated with this
+  # connection or load the available set of certs and key on disk.
+  # Don't try to bootstrap the agent, as we only want that to be triggered
+  # when running `puppet ssl` or `puppet agent`.
+  def resolve_ssl_context
+    # don't need an ssl context for http connections
+    return nil unless @site.use_ssl?
+
+    # if our verifier has an ssl_context, use that
+    ctx = @verifier.ssl_context
+    return ctx if ctx
+
+    # load available certs
+    cert = Puppet::X509::CertProvider.new
+    ssl = Puppet::SSL::SSLProvider.new
+    begin
+      password = cert.load_private_key_password
+      ssl.load_context(certname: Puppet[:certname], password: password)
+    rescue Puppet::SSL::SSLError => e
+      Puppet.log_exception(e)
+
+      # if we don't have cacerts, then create a root context that doesn't
+      # trust anything. The old code used to fallback to VERIFY_NONE,
+      # which we don't want to emulate.
+      ssl.create_root_context(cacerts: [])
     end
+  end
 
-    def apply_options_to(request, options)
-      request["User-Agent"] = Puppet[:http_user_agent]
-
-      if options[:basic_auth]
-        request.basic_auth(options[:basic_auth][:user], options[:basic_auth][:password])
-      end
+  def to_url(path)
+    if path =~ /^https?:\/\//
+      # The old Connection class accepts a URL as the request path, and sends
+      # it in "absolute-form" in the request line, e.g. GET https://puppet:8140/.
+      # See https://httpwg.org/specs/rfc7230.html#absolute-form. It just so happens
+      # to work because HTTP 1.1 servers are required to accept absolute-form even
+      # though clients are only supposed to send them to proxies, so the proxy knows
+      # what upstream server to CONNECT to. This method creates a URL using the
+      # scheme/host/port that the connection was created with, and appends the path
+      # and query portions of the absolute-form. The resulting request will use "origin-form"
+      # as it should have done all along.
+      abs_form = URI(path)
+      url = URI("#{@site.addr}/#{normalize_path(abs_form.path)}")
+      url.query = abs_form.query if abs_form.query
+      url
+    else
+      URI("#{@site.addr}/#{normalize_path(path)}")
     end
+  end
 
-    def execute_request(connection, request)
-      start = Time.now
-      resp = connection.request(request)
-      Puppet.debug("HTTP #{request.method.upcase} #{@site}#{request.path.split('?').first} returned #{resp.code} #{resp.message}")
-      resp
-    rescue => exception
-      elapsed = (Time.now - start).to_f.round(3)
-      uri = [@site.addr, request.path.split('?')[0]].join('/')
-
-      case exception
-      when EOFError
-        Puppet.log_exception(exception, _('request %{uri} interrupted after %{elapsed} seconds') % {uri: uri, elapsed: elapsed})
-      when Timeout::Error
-        Puppet.log_exception(exception, _('request %{uri} timed out after %{elapsed} seconds') % {uri: uri, elapsed: elapsed})
-      else
-        Puppet.log_exception(exception, _('request %{uri} failed: %{msg}') % {uri: uri, msg: exception.message})
-      end
-
-      raise exception
+  def normalize_path(path)
+    if path[0] == '/'
+      path[1..-1]
+    else
+      path
     end
+  end
 
-    def with_connection(site, &block)
-      Puppet.deprecation_warning(_('Puppet::Network::HTTP::Connection is deprecated. Please use Puppet::Network::HTTP::ConnectionAdapter instead.'))
-
-      response = nil
-      @pool.with_connection(site, @verifier) do |conn|
-        response = yield conn
-      end
-      response
+  def with_error_handling(&block)
+    yield
+  rescue Puppet::HTTP::TooManyRedirects => e
+    raise Puppet::Network::HTTP::RedirectionLimitExceededException.new(_("Too many HTTP redirections for %{host}:%{port}") % { host: @host, port: @port }, e)
+  rescue Puppet::HTTP::HTTPError => e
+    Puppet.log_exception(e, e.message)
+    case e.cause
+    when Net::OpenTimeout, Net::ReadTimeout, Net::HTTPError, EOFError
+      raise e.cause
+    else
+      raise e
     end
   end
 end