puppet 6.22.1-x64-mingw32 → 6.25.1-x64-mingw32

data/lib/puppet/http/resolver/server_list.rb

@@ -54,7 +54,7 @@ class Puppet::HTTP::Resolver::ServerList < Puppet::HTTP::Resolver
     end
 
     # Return the first simple service status endpoint we can connect to
-    @server_list_setting.value.each do |server|
+    @server_list_setting.value.each_with_index do |server, index|
       host = server[0]
       port = server[1] || @default_port
 
@@ -64,10 +64,21 @@ class Puppet::HTTP::Resolver::ServerList < Puppet::HTTP::Resolver
         @resolved_url = service.url
         return Puppet::HTTP::Service.create_service(@client, session, name, @resolved_url.host, @resolved_url.port)
       rescue Puppet::HTTP::ResponseError => detail
-        Puppet.log_exception(detail, _("Puppet server %{host}:%{port} is unavailable: %{code} %{reason}") %
-                             { host: service.url.host, port: service.url.port, code: detail.response.code, reason: detail.response.reason })
+        if index < @server_list_setting.value.length - 1
+          Puppet.warning(_("Puppet server %{host}:%{port} is unavailable: %{code} %{reason}") %
+                              { host: service.url.host, port: service.url.port, code: detail.response.code, reason: detail.response.reason } +
+                              ' ' + _("Trying with next server from server_list."))
+        else
+          Puppet.log_exception(detail, _("Puppet server %{host}:%{port} is unavailable: %{code} %{reason}") %
+                               { host: service.url.host, port: service.url.port, code: detail.response.code, reason: detail.response.reason })
+        end
       rescue Puppet::HTTP::HTTPError => detail
-        Puppet.log_exception(detail, _("Unable to connect to server from server_list setting: %{detail}") % {detail: detail})
+        if index < @server_list_setting.value.length - 1
+          Puppet.warning(_("Unable to connect to server from server_list setting: %{detail}") % {detail: detail} +
+                             ' ' + _("Trying with next server from server_list."))
+        else
+          Puppet.log_exception(detail, _("Unable to connect to server from server_list setting: %{detail}") % {detail: detail})
+        end
       end
     end
 

data/lib/puppet/http/service/compiler.rb

@@ -69,6 +69,10 @@ class Puppet::HTTP::Service::Compiler < Puppet::HTTP::Service
   # @param [String] environment The name of the environment we are operating in
   # @param [String] configured_environment Optional, the name of the configured
   #   environment. If unset, `environment` is used.
+  # @param [Boolean] check_environment If true, request that the server check if
+  #   our `environment` matches the server-specified environment. If they do not
+  #   match, then the server may return an empty catalog in the server-specified
+  #   environment.
   # @param [String] transaction_uuid An agent generated transaction uuid, used
   #   for connecting catalogs and reports.
   # @param [String] job_uuid A unique job identifier defined when the orchestrator
@@ -85,7 +89,7 @@ class Puppet::HTTP::Service::Compiler < Puppet::HTTP::Service
   #   containing the request response and the deserialized catalog returned by
   #   the server
   #
-  def post_catalog(name, facts:, environment:, configured_environment: nil, transaction_uuid: nil, job_uuid: nil, static_catalog: true, checksum_type: Puppet[:supported_checksum_types])
+  def post_catalog(name, facts:, environment:, configured_environment: nil, check_environment: false, transaction_uuid: nil, job_uuid: nil, static_catalog: true, checksum_type: Puppet[:supported_checksum_types])
     if Puppet[:preferred_serialization_format] == "pson"
       formatter = Puppet::Network::FormatHandler.format_for(:pson)
       # must use 'pson' instead of 'text/pson'
@@ -103,6 +107,7 @@ class Puppet::HTTP::Service::Compiler < Puppet::HTTP::Service
       facts: Puppet::Util.uri_query_encode(facts_as_string),
       environment: environment,
       configured_environment: configured_environment || environment,
+      check_environment: !!check_environment,
       transaction_uuid: transaction_uuid,
       job_uuid: job_uuid,
       static_catalog: static_catalog,
@@ -129,6 +134,75 @@ class Puppet::HTTP::Service::Compiler < Puppet::HTTP::Service
     [response, deserialize(response, Puppet::Resource::Catalog)]
   end
 
+  #
+  # @api private
+  #
+  # Submit a POST request to request a catalog to the server using v4 endpoint
+  #
+  # @param [String] certname The name of the node for which to compile the catalog.
+  # @param [Hash] persistent A hash containing two required keys, facts and catalog,
+  #   which when set to true will cause the facts and reports to be stored in
+  #   PuppetDB, or discarded if set to false.
+  # @param [String] environment The name of the environment for which to compile the catalog.
+  # @param [Hash] facts A hash with a required values key, containing a hash of all the
+  #    facts for the node. If not provided, Puppet will attempt to fetch facts for the node
+  #    from PuppetDB.
+  # @param [Hash] trusted_facts A hash with a required values key containing a hash of
+  #    the trusted facts for a node
+  # @param [String] transaction_uuid The id for tracking the catalog compilation and
+  #    report submission.
+  # @param [String] job_id The id of the orchestrator job that triggered this run.
+  # @param [Hash] options A hash of options beyond direct input to catalogs. Options:
+  #    - prefer_requested_environment Whether to always override a node's classified 
+  #      environment with the one supplied in the request. If this is true and no environment
+  #      is supplied, fall back to the classified environment, or finally, 'production'.
+  #    - capture_logs Whether to return the errors and warnings that occurred during
+  #      compilation alongside the catalog in the response body.
+  #    - log_level The logging level to use during the compile when capture_logs is true.
+  #      Options are 'err', 'warning', 'info', and 'debug'.
+  #
+  # @return [Array<Puppet::HTTP::Response, Puppet::Resource::Catalog, Array<String>>] An array
+  #   containing the request response, the deserialized catalog returned by
+  #   the server and array containing logs (log array will be empty if capture_logs is false)
+  #
+  def post_catalog4(certname, persistence:, environment:, facts: nil, trusted_facts: nil, transaction_uuid: nil, job_id: nil, options: nil)
+    unless persistence.is_a?(Hash) && (missing = [:facts, :catalog] - persistence.keys.map(&:to_sym)).empty?
+      raise ArgumentError.new("The 'persistence' hash is missing the keys: #{missing.join(', ')}")
+    end
+    raise ArgumentError.new("Facts must be a Hash not a #{facts.class}") unless facts.nil? || facts.is_a?(Hash)
+    body = {
+      certname: certname,
+      persistence: persistence,
+      environment: environment,
+      transaction_uuid: transaction_uuid,
+      job_id: job_id,
+      options: options
+    }
+    body[:facts] = { values: facts } unless facts.nil?
+    body[:trusted_facts] = { values: trusted_facts } unless trusted_facts.nil?
+    headers = add_puppet_headers(
+      'Accept' => get_mime_types(Puppet::Resource::Catalog).join(', '),
+      'Content-Type' => 'application/json'
+    )
+
+    url = URI::HTTPS.build(host: @url.host, port: @url.port, path: Puppet::Util.uri_encode("/puppet/v4/catalog"))
+    response = @client.post(
+      url,
+      body.to_json,
+      headers: headers
+    )
+    process_response(response)
+    begin
+      response_body = JSON.parse(response.body)
+      catalog = Puppet::Resource::Catalog.from_data_hash(response_body['catalog'])
+    rescue => err
+      raise Puppet::HTTP::SerializationError.new("Failed to deserialize catalog from puppetserver response: #{err.message}", err)
+    end
+    
+    logs = response_body['logs'] || []
+    [response, catalog, logs]
+  end
+
   #
   # @api private
   #

data/lib/puppet/http/service/file_server.rb

@@ -106,7 +106,7 @@ class Puppet::HTTP::Service::FileServer < Puppet::HTTP::Service
   #   An array with the request response and an array of the deserialized
   #   metadata for each file returned from the server
   #
-  def get_file_metadatas(path: nil, environment:, recurse: :false, recurselimit: nil, ignore: nil, links: :manage, checksum_type: Puppet[:digest_algorithm], source_permissions: :ignore)
+  def get_file_metadatas(path: nil, environment:, recurse: :false, recurselimit: nil, max_files: nil, ignore: nil, links: :manage, checksum_type: Puppet[:digest_algorithm], source_permissions: :ignore)
     validate_path(path)
 
     headers = add_puppet_headers('Accept' => get_mime_types(Puppet::FileServing::Metadata).join(', '))
@@ -117,6 +117,7 @@ class Puppet::HTTP::Service::FileServer < Puppet::HTTP::Service
       params: {
         recurse: recurse,
         recurselimit: recurselimit,
+        max_files: max_files,
         ignore: ignore,
         links: links,
         checksum_type: checksum_type,

data/lib/puppet/indirector/catalog/compiler.rb

@@ -53,8 +53,22 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
     node.trusted_data = Puppet.lookup(:trusted_information) { Puppet::Context::TrustedInformation.local(node) }.to_h
 
     if node.environment
+      # If the requested environment doesn't match the server specified environment,
+      # as determined by the node terminus, and the request wants us to check for an
+      # environment mismatch, then return an empty catalog with the server-specified
+      # enviroment.
+      if request.remote? && request.options[:check_environment] && node.environment != request.environment
+        return Puppet::Resource::Catalog.new(node.name, node.environment)
+      end
+
       node.environment.with_text_domain do
-        compile(node, request.options)
+        envs = Puppet.lookup(:environments)
+        envs.guard(node.environment.name)
+        begin
+          compile(node, request.options)
+        ensure
+          envs.unguard(node.environment.name)
+        end
       end
     else
       compile(node, request.options)
@@ -78,6 +92,10 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
     Puppet.run_mode.server?
   end
 
+  def require_environment?
+    false
+  end
+
   private
 
   # @param facts [String] facts in a wire format for decoding
@@ -154,7 +172,7 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
     location = Puppet::Module::FILETYPES['files']
 
     !!(source_as_uri.path =~ /^\/modules\// &&
-       metadata.full_path =~ /#{environment_path}[^\/]+\/[^\/]+\/#{location}\/.+/)
+       metadata.full_path =~ /#{environment_path}\/[^\/]+\/[^\/]+\/#{location}\/.+/)
   end
 
   # Helper method to log file resources that could not be inlined because they
@@ -173,7 +191,7 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
   # Inline file metadata for static catalogs
   # Initially restricted to files sourced from codedir via puppet:/// uri.
   def inline_metadata(catalog, checksum_type)
-    environment_path = Pathname.new File.join(Puppet[:environmentpath], catalog.environment, "")
+    environment_path = Pathname.new File.join(Puppet[:environmentpath], catalog.environment)
     environment_path = Puppet::Environments::Directories.real_path(environment_path)
     list_of_resources = catalog.resources.find_all { |res| res.type == "File" }
 
@@ -194,6 +212,7 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
           :source_permissions => resource[:source_permissions] ? resource[:source_permissions].to_sym : :ignore,
           :recurse            => true,
           :recurselimit       => resource[:recurselimit],
+          :max_files          => resource[:max_files],
           :ignore             => resource[:ignore],
         }
 
@@ -414,17 +433,17 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
       "serverip"  => "ipaddress",
       "serverip6" => "ipaddress6"
     }.each do |var, fact|
-      value = Facter.value(fact)
+      value = Puppet.runtime[:facter].value(fact)
       if !value.nil?
         @server_facts[var] = value
       end
     end
 
     if @server_facts["servername"].nil?
-      host = Facter.value(:hostname)
+      host = Puppet.runtime[:facter].value(:hostname)
       if host.nil?
         Puppet.warning _("Could not retrieve fact servername")
-      elsif domain = Facter.value(:domain) #rubocop:disable Lint/AssignmentInCondition
+      elsif domain = Puppet.runtime[:facter].value(:domain) #rubocop:disable Lint/AssignmentInCondition
         @server_facts["servername"] = [host, domain].join(".")
       else
         @server_facts["servername"] = host

data/lib/puppet/indirector/catalog/rest.rb

@@ -20,6 +20,7 @@ class Puppet::Resource::Catalog::Rest < Puppet::Indirector::REST
       facts: request.options[:facts_for_catalog],
       environment: request.environment.to_s,
       configured_environment: request.options[:configured_environment],
+      check_environment: request.options[:check_environment],
       transaction_uuid: request.options[:transaction_uuid],
       job_uuid: request.options[:job_id],
       static_catalog: request.options[:static_catalog],

data/lib/puppet/indirector/facts/facter.rb

@@ -20,10 +20,10 @@ class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
 
   # Lookup a host's facts up in Facter.
   def find(request)
-    Facter.reset
+    Puppet.runtime[:facter].reset
 
     # Note: we need to setup puppet's external search paths before adding the puppetversion
-    # fact. This is because in Facter 2.x, the first `Facter.add` causes Facter to create
+    # fact. This is because in Facter 2.x, the first `Puppet.runtime[:facter].add` causes Facter to create
     # its directory loaders which cannot be changed, meaning other external facts won't
     # be resolved. (PUP-4607)
     self.class.setup_external_search_paths(request)
@@ -36,7 +36,7 @@ class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
                raise(Puppet::Error, _("puppet facts show requires version 4.0.40 or greater of Facter.")) unless Facter.respond_to?(:resolve)
                find_with_options(request)
              else
-               Puppet::Node::Facts.new(request.key, Facter.to_hash)
+               Puppet::Node::Facts.new(request.key, Puppet.runtime[:facter].to_hash)
              end
 
     result.add_local_facts unless request.options[:resolve_options]
@@ -68,7 +68,7 @@ class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
       true
     end
     dirs << request.options[:custom_dir] if request.options[:custom_dir]
-    Facter.search(*dirs)
+    Puppet.runtime[:facter].search(*dirs)
   end
 
   def self.setup_external_search_paths(request)
@@ -90,7 +90,7 @@ class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
     end
 
     dirs << request.options[:external_dir] if request.options[:external_dir]
-    Facter.search_external dirs
+    Puppet.runtime[:facter].search_external dirs
   end
 
   private
@@ -104,6 +104,6 @@ class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
     options_for_facter += " --no-block" if options[:no_block] == false
     options_for_facter += " --no-cache" if options[:no_cache] == false
 
-    Puppet::Node::Facts.new(request.key, Facter.resolve(options_for_facter))
+    Puppet::Node::Facts.new(request.key, Puppet.runtime[:facter].resolve(options_for_facter))
   end
 end

data/lib/puppet/indirector/file_metadata/rest.rb

@@ -46,6 +46,7 @@ class Puppet::Indirector::FileMetadata::Rest < Puppet::Indirector::REST
       environment: request.environment.to_s,
       recurse: request.options[:recurse],
       recurselimit: request.options[:recurselimit],
+      max_files: request.options[:max_files],
       ignore: request.options[:ignore],
       links: request.options[:links],
       checksum_type: request.options[:checksum_type],

data/lib/puppet/indirector/indirection.rb

@@ -313,7 +313,7 @@ class Puppet::Indirector::Indirection
     request = request(:save, key, instance, options)
     terminus = prepare(request)
 
-    result = terminus.save(request)
+    result = terminus.save(request) if !request.ignore_terminus?
 
     # If caching is enabled, save our document there
     cache.save(request) if cache? && !request.ignore_cache_save?

data/lib/puppet/indirector/resource/ral.rb

@@ -24,7 +24,12 @@ class Puppet::Resource::Ral < Puppet::Indirector::Code
     type(request).instances.map do |res|
       res.to_resource
     end.find_all do |res|
-      conditions.all? {|property, value| res.to_resource[property].to_s == value.to_s}
+      conditions.all? do |property, value|
+        # even though `res` is an instance of Puppet::Resource, calling
+        # `res[:name]` on it returns nil, and for some reason it is necessary
+        # to invoke the Puppet::Resource#copy_as_resource copy constructor...
+        res.copy_as_resource[property].to_s == value.to_s
+      end
     end.sort_by(&:title)
   end
 

data/lib/puppet/indirector/terminus.rb

@@ -143,6 +143,10 @@ class Puppet::Indirector::Terminus
     self.class.name
   end
 
+  def require_environment?
+    true
+  end
+
   def allow_remote_requests?
     true
   end

data/lib/puppet/interface/documentation.rb

@@ -76,6 +76,7 @@ class Puppet::Interface
         s.text(" ")
 
         options.each do |option|
+          next if option == :extra
           option = get_option(option)
           wrap = option.required? ? %w{ < > } : %w{ [ ] }
 

data/lib/puppet/module/plan.rb

@@ -50,7 +50,6 @@ class Puppet::Module
     RESERVED_DATA_TYPES = %w{any array boolean catalogentry class collection
         callable data default enum float hash integer numeric optional pattern
         resource runtime scalar string struct tuple type undef variant}
-    MOUNTS = %w[lib files plans]
 
     def self.is_plan_name?(name)
       return true if name =~ /^[a-z][a-z0-9_]*$/

data/lib/puppet/module/task.rb

@@ -45,7 +45,7 @@ class Puppet::Module
     end
 
     FORBIDDEN_EXTENSIONS = %w{.conf .md}
-    MOUNTS = %w[lib files tasks]
+    MOUNTS = %w[files lib scripts tasks]
 
     def self.is_task_name?(name)
       return true if name =~ /^[a-z][a-z0-9_]*$/

data/lib/puppet/module.rb

@@ -25,6 +25,7 @@ class Puppet::Module
     "plugins" => "lib",
     "pluginfacts" => "facts.d",
     "locales" => "locales",
+    "scripts" => "scripts",
   }
 
   # Find and return the +module+ that +path+ belongs to. If +path+ is

data/lib/puppet/module_tool/applications/installer.rb

@@ -59,6 +59,10 @@ module Puppet::ModuleTool
         results = { :action => :install, :module_name => name, :module_version => version }
 
         begin
+          if !@local_tarball && name !~ /-/
+            raise InvalidModuleNameError.new(module_name: @name, suggestion: "puppetlabs-#{@name}", action: :install)
+          end
+
           installed_module = installed_modules[name]
           if installed_module
             unless forced?
@@ -134,7 +138,7 @@ module Puppet::ModuleTool
           rescue SemanticPuppet::Dependency::UnsatisfiableGraph => e
             unsatisfied = nil
 
-            if e.respond_to?(:unsatisfied)
+            if e.respond_to?(:unsatisfied) && e.unsatisfied
               constraints = {}
               # If the module we're installing satisfies all its
               # dependencies, but would break an already installed
@@ -160,8 +164,12 @@ module Puppet::ModuleTool
               # If the module fails to satisfy one of its
               # dependencies, show the unsatisfiable module
               else
-                unsatisfied_range = graph.dependencies[name].max.constraints[e.unsatisfied].first[1]
-                constraints[e.unsatisfied] = unsatisfied_range
+                dep_constraints = graph.dependencies[name].max.constraints
+
+                if dep_constraints.key?(e.unsatisfied)
+                  unsatisfied_range = dep_constraints[e.unsatisfied].first[1]
+                  constraints[e.unsatisfied] = unsatisfied_range
+                end
               end
 
               installed_module = @environment.module_by_forge_name(e.unsatisfied.tr('-', '/'))
@@ -171,7 +179,7 @@ module Puppet::ModuleTool
                 :name => e.unsatisfied,
                 :constraints => constraints,
                 :current_version => current_version
-              }
+              } if constraints.any?
             end
 
             raise NoVersionsSatisfyError, results.merge(

data/lib/puppet/module_tool/applications/uninstaller.rb

@@ -89,7 +89,7 @@ module Puppet::ModuleTool
         mod = @installed.first
 
         unless @ignore_changes
-          raise _("Either the `--ignore_changes` or `--force` argument must be specified to uninstall modules when running in FIPS mode.") if Facter.value(:fips_enabled)
+          raise _("Either the `--ignore_changes` or `--force` argument must be specified to uninstall modules when running in FIPS mode.") if Puppet.runtime[:facter].value(:fips_enabled)
 
           changes = begin
             Puppet::ModuleTool::Applications::Checksummer.run(mod.path)

data/lib/puppet/module_tool/applications/upgrader.rb

@@ -27,7 +27,7 @@ module Puppet::ModuleTool
 
       def run
         # Disallow anything that invokes md5 to avoid un-friendly termination due to FIPS
-        raise _("Module upgrade is prohibited in FIPS mode.") if Facter.value(:fips_enabled)
+        raise _("Module upgrade is prohibited in FIPS mode.") if Puppet.runtime[:facter].value(:fips_enabled)
 
         name = @name.tr('/', '-')
         version = options[:version] || '>= 0.0.0'

data/lib/puppet/module_tool/errors/shared.rb

@@ -127,6 +127,23 @@ module Puppet::ModuleTool::Errors
     end
   end
 
+  class InvalidModuleNameError < ModuleToolError
+    def initialize(options)
+      @module_name = options[:module_name]
+      @suggestion = options[:suggestion]
+      @action = options[:action]
+      super _("Could not %{action} '%{module_name}', did you mean '%{suggestion}'?") % { action: @action, module_name: @module_name, suggestion: @suggestion }
+    end
+
+    def multiline
+      message = []
+      message << _("Could not %{action} module '%{module_name}'") % { action: @action, module_name: @module_name }
+      message << _("  The name '%{module_name}' is invalid") % { module_name: @module_name }
+      message << _("    Did you mean `puppet module %{action} %{suggestion}`?") % { action: @action, suggestion: @suggestion }
+      message.join("\n")
+    end
+  end
+
   class NotInstalledError < ModuleToolError
     def initialize(options)
       @module_name = options[:module_name]

data/lib/puppet/network/http/api/indirected_routes.rb

@@ -105,7 +105,7 @@ class Puppet::Network::HTTP::API::IndirectedRoutes
       raise Puppet::Network::HTTP::Error::HTTPNotAuthorizedError.new(e.message)
     end
 
-    if configured_environment.nil?
+    if configured_environment.nil? && indirection.terminus.require_environment?
       raise Puppet::Network::HTTP::Error::HTTPNotFoundError.new(
         _("Could not find environment '%{environment}'") % { environment: environment })
     end

data/lib/puppet/node/environment.rb

@@ -305,7 +305,9 @@ class Puppet::Node::Environment
                        {}
                      end
       modulepath.each do |path|
-        Dir.entries(path).each do |name|
+        Puppet::FileSystem.children(path).map do |p|
+          Puppet::FileSystem.basename_string(p)
+        end.each do |name|
           next unless Puppet::Module.is_module_directory?(name, path)
           warn_about_mistaken_path(path, name)
           if not seen_modules[name]
@@ -350,9 +352,6 @@ class Puppet::Node::Environment
 
   # Modules broken out by directory in the modulepath
   #
-  # @note This method _changes_ the current working directory while enumerating
-  #   the modules. This seems rather dangerous.
-  #
   # @api public
   #
   # @return [Hash<String, Array<Puppet::Module>>] A hash whose keys are file
@@ -361,13 +360,13 @@ class Puppet::Node::Environment
     modules_by_path = {}
     modulepath.each do |path|
       if Puppet::FileSystem.exist?(path)
-        Dir.chdir(path) do
-          module_names = Dir.entries(path).select do |name|
-            Puppet::Module.is_module_directory?(name, path)
-          end
-          modules_by_path[path] = module_names.sort.map do |name|
-            Puppet::Module.new(name, File.join(path, name), self)
-          end
+        module_names = Puppet::FileSystem.children(path).map do |p|
+          Puppet::FileSystem.basename_string(p)
+        end.select do |name|
+          Puppet::Module.is_module_directory?(name, path)
+        end
+        modules_by_path[path] = module_names.sort.map do |name|
+          Puppet::Module.new(name, File.join(path, name), self)
         end
       else
         modules_by_path[path] = []

data/lib/puppet/pal/pal_impl.rb

@@ -413,7 +413,7 @@ module Pal
 
     # Puppet requires Facter, which initializes its lookup paths. Reset Facter to
     # pickup the new $LOAD_PATH.
-    Facter.reset
+    Puppet.runtime[:facter].reset
 
     node = Puppet.lookup(:pal_current_node)
     pal_facts = Puppet.lookup(:pal_facts)

data/lib/puppet/parser/functions/fqdn_rand.rb

@@ -2,13 +2,16 @@ require 'digest/md5'
 require 'digest/sha2'
 
 Puppet::Parser::Functions::newfunction(:fqdn_rand, :arity => -2, :type => :rvalue, :doc =>
-  "Usage: `fqdn_rand(MAX, [SEED])`. MAX is required and must be a positive
-  integer; SEED is optional and may be any number or string.
+  "Usage: `fqdn_rand(MAX, [SEED], [DOWNCASE])`. MAX is required and must be a positive
+  integer; SEED is optional and may be any number or string; DOWNCASE is optional
+  and should be a boolean true or false.
 
   Generates a random Integer number greater than or equal to 0 and less than MAX,
   combining the `$fqdn` fact and the value of SEED for repeatable randomness.
   (That is, each node will get a different random number from this function, but
-  a given node's result will be the same every time unless its hostname changes.)
+  a given node's result will be the same every time unless its hostname changes.) If
+  DOWNCASE is true, then the `fqdn` fact will be downcased when computing the value
+  so that the result is not sensitive to the case of the `fqdn` fact.
 
   This function is usually used for spacing out runs of resource-intensive cron
   tasks that run on many nodes, which could cause a thundering herd or degrade
@@ -17,7 +20,12 @@ Puppet::Parser::Functions::newfunction(:fqdn_rand, :arity => -2, :type => :rvalu
   node. (For example, `fqdn_rand(30)`, `fqdn_rand(30, 'expensive job 1')`, and
   `fqdn_rand(30, 'expensive job 2')` will produce totally different numbers.)") do |args|
     max = args.shift.to_i
- 
+    initial_seed = args.shift
+    downcase = !!args.shift
+
+    fqdn = self['::fqdn']
+    fqdn = fqdn.downcase if downcase
+
     # Puppet 5.4's fqdn_rand function produces a different value than earlier versions
     # for the same set of inputs.
     # This causes problems because the values are often written into service configuration files.
@@ -27,9 +35,9 @@ Puppet::Parser::Functions::newfunction(:fqdn_rand, :arity => -2, :type => :rvalu
     # when running on a non-FIPS enabled platform and only using SHA256 on FIPS enabled
     # platforms.
     if Puppet::Util::Platform.fips_enabled?
-      seed = Digest::SHA256.hexdigest([self['::fqdn'],max,args].join(':')).hex
+      seed = Digest::SHA256.hexdigest([fqdn,max,initial_seed].join(':')).hex
     else
-      seed = Digest::MD5.hexdigest([self['::fqdn'],max,args].join(':')).hex
+      seed = Digest::MD5.hexdigest([fqdn,max,initial_seed].join(':')).hex
     end
 
     Puppet::Util.deterministic_rand_int(seed,max)

data/lib/puppet/parser/resource.rb

@@ -13,7 +13,7 @@ class Puppet::Parser::Resource < Puppet::Resource
 
   attr_accessor :source, :scope, :collector_id
   attr_accessor :virtual, :override, :translated, :catalog, :evaluated
-  attr_accessor :file, :line
+  attr_accessor :file, :line, :kind
 
   attr_reader :exported, :parameters
 

data/lib/puppet/parser/scope.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # The scope class, which handles storing and retrieving variables and types and
 # such.
 require 'forwardable'

data/lib/puppet/parser/templatewrapper.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'puppet/parser/files'
 require 'erb'
 require 'puppet/file_system'

data/lib/puppet/pops/evaluator/closure.rb

@@ -219,16 +219,15 @@ class Closure < CallableSignature
   def call_with_scope(scope, args)
     variable_bindings = combine_values_with_parameters(scope, args)
 
-    tc = Types::TypeCalculator.singleton
-    final_args = tc.infer_set(parameters.reduce([]) do |tmp_args, param|
+    final_args = parameters.reduce([]) do |tmp_args, param|
       if param.captures_rest
         tmp_args.concat(variable_bindings[param.name])
       else
         tmp_args << variable_bindings[param.name]
       end
-    end)
+    end
 
-    if type.callable?(final_args)
+    if type.callable_with?(final_args, block_type)
       result = catch(:next) do
         @evaluator.evaluate_block_with_bindings(scope, variable_bindings, @model.body)
       end
@@ -236,7 +235,9 @@ class Closure < CallableSignature
         "value returned from #{closure_name}"
       end
     else
-      raise ArgumentError, Types::TypeMismatchDescriber.describe_signatures(closure_name, [self], final_args)
+      tc = Types::TypeCalculator.singleton
+      args_type = tc.infer_set(final_args)
+      raise ArgumentError, Types::TypeMismatchDescriber.describe_signatures(closure_name, [self], args_type)
     end
   end
 
@@ -309,6 +310,7 @@ class Closure < CallableSignature
       to += param_range[1]
     end
     param_types = Types::PTupleType.new(types, Types::PIntegerType.new(from, to))
+    # The block_type for a Closure is always nil for now, see comment in block_name above
     Types::PCallableType.new(param_types, nil, return_type)
   end
 

data/lib/puppet/pops/evaluator/runtime3_resource_support.rb

@@ -40,6 +40,7 @@ module Runtime3ResourceSupport
           :parameters => evaluated_parameters,
           :file => file,
           :line => line,
+          :kind => Puppet::Resource.to_kind(resolved_type),
           :exported => exported,
           :virtual => virtual,
           # WTF is this? Which source is this? The file? The name of the context ?