puppet 6.22.1 → 6.25.1

data/lib/puppet/environments.rb

@@ -48,6 +48,13 @@ module Puppet::Environments
         root.instance_variable_set(:@rich_data, nil)
       end
     end
+
+    # The base implementation is a noop, because `get` returns a new environment
+    # each time.
+    #
+    # @see Puppet::Environments::Cached#guard
+    def guard(name); end
+    def unguard(name); end
   end
 
   # @!macro [new] loader_search_paths
@@ -188,7 +195,7 @@ module Puppet::Environments
 
     def self.real_path(dir)
       if Puppet::FileSystem.symlink?(dir) && Puppet[:versioned_environment_dirs]
-        dir = Puppet::FileSystem.expand_path(Puppet::FileSystem.readlink(dir))
+        dir = Pathname.new Puppet::FileSystem.expand_path(Puppet::FileSystem.readlink(dir))
       end
       return dir
     end
@@ -241,7 +248,7 @@ module Puppet::Environments
 
     def validated_directory(envdir)
       env_name = Puppet::FileSystem.basename_string(envdir)
-      envdir = Puppet::Environments::Directories.real_path(envdir)
+      envdir = Puppet::Environments::Directories.real_path(envdir).to_s
       if Puppet::FileSystem.directory?(envdir) && Puppet::Node::Environment.valid_name?(env_name)
         envdir
       else
@@ -330,21 +337,13 @@ module Puppet::Environments
     end
 
     def self.cache_expiration_service=(service)
-      @cache_expiration_service = service
+      @cache_expiration_service_singleton = service
     end
 
     def self.cache_expiration_service
-      @cache_expiration_service || DefaultCacheExpirationService.new
-    end
-
-    # Returns the end of time (the next Mesoamerican Long Count cycle-end after 2012 (5125+2012) = 7137
-    def self.end_of_time
-      Time.gm(7137)
+      @cache_expiration_service_singleton || DefaultCacheExpirationService.new
     end
 
-    END_OF_TIME = end_of_time
-    START_OF_TIME = Time.gm(1)
-
     def initialize(loader)
       @loader = loader
       @cache_expiration_service = Puppet::Environments::Cached.cache_expiration_service
@@ -356,6 +355,16 @@ module Puppet::Environments
       # Evict all that have expired, in the same way as `get`
       clear_all_expired
 
+      # Evict all that was removed from disk
+      cached_envs = @cache.keys.map!(&:to_sym)
+      loader_envs = @loader.list.map!(&:name)
+      removed_envs = cached_envs - loader_envs
+
+      removed_envs.each do |env_name|
+        Puppet.debug { "Environment no longer exists '#{env_name}'"}
+        clear(env_name)
+      end
+
       @loader.list.map do |env|
         name = env.name
         old_entry = @cache[name]
@@ -375,27 +384,35 @@ module Puppet::Environments
 
     # @!macro loader_get
     def get(name)
+      entry = get_entry(name)
+      entry ? entry.value : nil
+    end
+
+    # Get a cache entry for an envionment. It returns nil if the
+    # environment doesn't exist.
+    def get_entry(name, check_expired = true)
       # Aggressively evict all that has expired
       # This strategy favors smaller memory footprint over environment
       # retrieval time.
-      clear_all_expired
-      result = @cache[name]
-      if result
-        Puppet.debug {"Found in cache '#{name}' #{result.label}"}
+      clear_all_expired if check_expired
+      name = name.to_sym
+      entry = @cache[name]
+      if entry
+        Puppet.debug {"Found in cache #{name.inspect} #{entry.label}"}
         # found in cache
-        result.touch
-        return result.value
-      elsif (result = @loader.get(name))
+        entry.touch
+      elsif (env = @loader.get(name))
         # environment loaded, cache it
-        cache_entry = entry(result)
-        add_entry(name, cache_entry)
-        result
+        entry = entry(env)
+        add_entry(name, entry)
       end
+      entry
     end
+    private :get_entry
 
     # Adds a cache entry to the cache
     def add_entry(name, cache_entry)
-      Puppet.debug {"Caching environment '#{name}' #{cache_entry.label}"}
+      Puppet.debug {"Caching environment #{name.inspect} #{cache_entry.label}"}
       @cache[name] = cache_entry
       @cache_expiration_service.created(cache_entry.value)
     end
@@ -403,7 +420,7 @@ module Puppet::Environments
 
     def clear_entry(name, entry)
       @cache.delete(name)
-      Puppet.debug {"Evicting cache entry for environment '#{name}'"}
+      Puppet.debug {"Evicting cache entry for environment #{name.inspect}"}
       @cache_expiration_service.evicted(name.to_sym)
       Puppet::GettextConfig.delete_text_domain(name)
       Puppet.settings.clear_environment_settings(name)
@@ -413,6 +430,7 @@ module Puppet::Environments
     # Clears the cache of the environment with the given name.
     # (The intention is that this could be used from a MANUAL cache eviction command (TBD)
     def clear(name)
+      name = name.to_sym
       entry = @cache[name]
       clear_entry(name, entry) if entry
     end
@@ -433,19 +451,21 @@ module Puppet::Environments
     # Clears all environments that have expired, either by exceeding their time to live, or
     # through an explicit eviction determined by the cache expiration service.
     #
-    def clear_all_expired()
+    def clear_all_expired
       t = Time.now
 
       @cache.each_pair do |name, entry|
         clear_if_expired(name, entry, t)
       end
     end
+    private :clear_all_expired
 
     # Clear an environment if it is expired, either by exceeding its time to live, or
     # through an explicit eviction determined by the cache expiration service.
     #
     def clear_if_expired(name, entry, t = Time.now)
       return unless entry
+      return if entry.guarded?
 
       if entry.expired?(t) || @cache_expiration_service.expired?(name.to_sym)
         clear_entry(name, entry)
@@ -462,10 +482,25 @@ module Puppet::Environments
     #
     # @!macro loader_get_conf
     def get_conf(name)
+      name = name.to_sym
       clear_if_expired(name, @cache[name])
       @loader.get_conf(name)
     end
 
+    # Guard an environment so it can't be evicted while it's in use. The method
+    # may be called multiple times, provided it is unguarded the same number of
+    # times. If you call this method, you must call `unguard` in an ensure block.
+    def guard(name)
+      entry = get_entry(name, false)
+      entry.guard if entry
+    end
+
+    # Unguard an environment.
+    def unguard(name)
+      entry = get_entry(name, false)
+      entry.unguard if entry
+    end
+
     # Creates a suitable cache entry given the time to live for one environment
     #
     def entry(env)
@@ -495,6 +530,7 @@ module Puppet::Environments
 
       def initialize(value)
         @value = value
+        @guards = 0
       end
 
       def touch
@@ -507,6 +543,20 @@ module Puppet::Environments
       def label
         ""
       end
+
+      # These are not protected with a lock, because all of the Cached
+      # methods are protected.
+      def guarded?
+        @guards > 0
+      end
+
+      def guard
+        @guards += 1
+      end
+
+      def unguard
+        @guards -= 1
+      end
     end
 
     # Always evicting entry

data/lib/puppet/face/facts.rb

@@ -132,7 +132,7 @@ Puppet::Indirector::Face.define(:facts, '0.0.1') do
       Puppet.settings.preferred_run_mode = :agent
       Puppet::Node::Facts.indirection.terminus_class = :facter
 
-      if Puppet::Util::Package.versioncmp(Facter.value('facterversion'), '4.0.0') < 0
+      if Puppet::Util::Package.versioncmp(Puppet.runtime[:facter].value('facterversion'), '4.0.0') < 0
         cmd_flags = '--render-as json --show-legacy'
 
         # puppet/ruby are in PATH since it was updated in the wrapper script

data/lib/puppet/face/help/action.erb

@@ -54,6 +54,7 @@ undocumented option
 	end
 	unless action.options.empty?
       action.options.sort.each do |name|
+        next if name == :extra
         option = action.get_option name -%>
 <%= "  " + option.optparse.join(" | ")[0,(optionroom - 1)].ljust(optionroom) + ' - ' -%>
 <%     if !(option.summary) -%>

data/lib/puppet/face/help/face.erb

@@ -49,6 +49,7 @@ undocumented option
 	end
  	unless face.options.empty?
       face.options.sort.each do |name|
+        next if name == :extra
         option = face.get_option name -%>
 <%= "  " + option.optparse.join(" | ")[0,(optionroom - 1)].ljust(optionroom) + ' - ' -%>
 <%     if !(option.summary) -%>

data/lib/puppet/face/node/clean.rb

@@ -47,6 +47,17 @@ Puppet::Face.define(:node, '0.0.1') do
   end
 
   class LoggerIO
+    def debug(message)
+      Puppet.debug(message)
+    end
+
+    # Notice: For Puppet 6.x, the function below does not matter as it
+    # does not have any functionality.  But we decided to keep it here
+    # for the ease of merge up to 7.x and having the same code base.
+    def warn(message)
+      Puppet.warning(message) unless message =~ /cadir is currently configured to be inside/
+    end
+
     def err(message)
       Puppet.err(message) unless message =~ /^\s*Error:\s*/
     end

data/lib/puppet/facter_impl.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+#
+# @api private
+# Default Facter implementation that delegates to Facter API
+#
+
+module Puppet
+  class FacterImpl
+    def initialize
+      require 'facter'
+
+      setup_logging
+    end
+
+    def value(fact_name)
+      ::Facter.value(fact_name)
+    end
+
+    def add(name, &block)
+      ::Facter.add(name, &block)
+    end
+
+    def to_hash
+      ::Facter.to_hash
+    end
+
+    def clear
+      ::Facter.clear
+    end
+
+    def reset
+      ::Facter.reset
+    end
+
+    def resolve(options)
+      ::Facter.resolve(options)
+    end
+
+    def search_external(dirs)
+      ::Facter.search_external(dirs)
+    end
+
+    def search(*dirs)
+      ::Facter.search(*dirs)
+    end
+
+    def trace(value)
+      ::Facter.trace(value) if ::Facter.respond_to? :trace
+    end
+
+    def debugging(value)
+      ::Facter.debugging(value) if ::Facter.respond_to?(:debugging)
+    end
+
+    def load_external?
+      ::Facter.respond_to?(:load_external)
+    end
+
+    def load_external(value)
+      ::Facter.load_external(value) if self.load_external?
+    end
+
+    private
+
+    def setup_logging
+      return unless ::Facter.respond_to? :on_message
+
+      ::Facter.on_message do |level, message|
+        case level
+        when :trace, :debug
+          level = :debug
+        when :info
+          # Same as Puppet
+        when :warn
+          level = :warning
+        when :error
+          level = :err
+        when :fatal
+          level = :crit
+        else
+          next
+        end
+
+        Puppet::Util::Log.create(
+          {
+            :level => level,
+            :source => 'Facter',
+            :message => message
+          }
+        )
+        nil
+      end
+    end
+  end
+end

data/lib/puppet/file_serving/configuration/parser.rb

@@ -104,6 +104,8 @@ class Puppet::FileServing::Configuration::Parser
       mount = Mount::Modules.new(name)
     when "plugins"
       mount = Mount::Plugins.new(name)
+    when "scripts"
+      mount = Mount::Scripts.new(name)
     when "tasks"
       mount = Mount::Tasks.new(name)
     when "locales"

data/lib/puppet/file_serving/configuration.rb

@@ -6,6 +6,7 @@ require 'puppet/file_serving/mount/modules'
 require 'puppet/file_serving/mount/plugins'
 require 'puppet/file_serving/mount/locales'
 require 'puppet/file_serving/mount/pluginfacts'
+require 'puppet/file_serving/mount/scripts'
 require 'puppet/file_serving/mount/tasks'
 
 class Puppet::FileServing::Configuration
@@ -87,6 +88,8 @@ class Puppet::FileServing::Configuration
     @mounts["locales"].allow('*') if @mounts["locales"].empty?
     @mounts["pluginfacts"] ||= Mount::PluginFacts.new("pluginfacts")
     @mounts["pluginfacts"].allow('*') if @mounts["pluginfacts"].empty?
+    @mounts["scripts"] ||= Mount::Scripts.new("scripts")
+    @mounts["scripts"].allow('*') if @mounts["scripts"].empty?
     @mounts["tasks"] ||= Mount::Tasks.new("tasks")
     @mounts["tasks"].allow('*') if @mounts["tasks"].empty?
   end

data/lib/puppet/file_serving/fileset.rb

@@ -5,7 +5,7 @@ require 'puppet/file_serving/metadata'
 # Operate recursively on a path, returning a set of file paths.
 class Puppet::FileServing::Fileset
   attr_reader :path, :ignore, :links
-  attr_accessor :recurse, :recurselimit, :checksum_type
+  attr_accessor :recurse, :recurselimit, :max_files, :checksum_type
 
   # Produce a hash of files, with merged so that earlier files
   # with the same postfix win.  E.g., /dir1/subfile beats /dir2/subfile.
@@ -40,6 +40,7 @@ class Puppet::FileServing::Fileset
     self.links = :manage
     @recurse = false
     @recurselimit = :infinite
+    @max_files = 0
 
     if options.is_a?(Puppet::Indirector::Request)
       initialize_from_request(options)
@@ -58,6 +59,17 @@ class Puppet::FileServing::Fileset
   # level deep, which Find doesn't do.
   def files
     files = perform_recursion
+    soft_max_files = 1000
+
+    # munged_max_files is needed since puppet http handler is keeping negative numbers as strings
+    # https://github.com/puppetlabs/puppet/blob/main/lib/puppet/network/http/handler.rb#L196-L197
+    munged_max_files = max_files == '-1' ? -1 : max_files
+
+    if munged_max_files > 0 && files.size > munged_max_files
+      raise Puppet::Error.new _("The directory '%{path}' contains %{entries} entries, which exceeds the limit of %{munged_max_files} specified by the max_files parameter for this resource. The limit may be increased, but be aware that large number of file resources can result in excessive resource consumption and degraded performance. Consider using an alternate method to manage large directory trees") % { path: path, entries: files.size, munged_max_files: munged_max_files }
+    elsif munged_max_files == 0 && files.size > soft_max_files
+      Puppet.warning _("The directory '%{path}' contains %{entries} entries, which exceeds the default soft limit %{soft_max_files} and may cause excessive resource consumption and degraded performance. To remove this warning set a value for `max_files` parameter or consider using an alternate method to manage large directory trees") % { path: path, entries: files.size, soft_max_files: soft_max_files }
+    end
 
     # Now strip off the leading path, so each file becomes relative, and remove
     # any slashes that might end up at the beginning of the path.
@@ -96,7 +108,7 @@ class Puppet::FileServing::Fileset
   end
 
   def initialize_from_request(request)
-    [:links, :ignore, :recurse, :recurselimit, :checksum_type].each do |param|
+    [:links, :ignore, :recurse, :recurselimit, :max_files, :checksum_type].each do |param|
       if request.options.include?(param) # use 'include?' so the values can be false
         value = request.options[param]
       elsif request.options.include?(param.to_s)

data/lib/puppet/file_serving/mount/file.rb

@@ -3,12 +3,12 @@ require 'puppet/file_serving/mount'
 class Puppet::FileServing::Mount::File < Puppet::FileServing::Mount
   def self.localmap
     @localmap ||= {
-      "h" => Facter.value("hostname"),
+      "h" => Puppet.runtime[:facter].value("hostname"),
       "H" => [
-               Facter.value("hostname"),
-               Facter.value("domain")
+               Puppet.runtime[:facter].value("hostname"),
+               Puppet.runtime[:facter].value("domain")
              ].join("."),
-      "d" => Facter.value("domain")
+      "d" => Puppet.runtime[:facter].value("domain")
     }
   end
 

data/lib/puppet/file_serving/mount/scripts.rb

@@ -0,0 +1,24 @@
+require 'puppet/file_serving/mount'
+
+class Puppet::FileServing::Mount::Scripts < Puppet::FileServing::Mount
+  # Return an instance of the appropriate class.
+  def find(path, request)
+    raise _("No module specified") if path.to_s.empty?
+    module_name, relative_path = path.split("/", 2)
+    mod = request.environment.module(module_name)
+    return nil unless mod
+
+    mod.script(relative_path)
+  end
+
+  def search(path, request)
+    result = find(path, request)
+    if result
+      [result]
+    end
+  end
+
+  def valid?
+    true
+  end
+end

data/lib/puppet/file_system/file_impl.rb

@@ -84,7 +84,9 @@ class Puppet::FileSystem::FileImpl
   end
 
   def read_preserve_line_endings(path)
-    read(path)
+    default_encoding = Encoding.default_external.name
+    encoding = default_encoding.downcase.start_with?('utf-') ? "bom|#{default_encoding}" : default_encoding
+    read(path, encoding: encoding)
   end
 
   def binread(path)

data/lib/puppet/file_system/windows.rb

@@ -109,8 +109,8 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
   end
 
   def read_preserve_line_endings(path)
-    contents = path.read( :mode => 'rb', :encoding => Encoding::UTF_8)
-    contents = path.read( :mode => 'rb', :encoding => Encoding::default_external) unless contents.valid_encoding?
+    contents = path.read( :mode => 'rb', :encoding => 'bom|utf-8')
+    contents = path.read( :mode => 'rb', :encoding => "bom|#{Encoding::default_external.name}") unless contents.valid_encoding?
     contents = path.read unless contents.valid_encoding?
 
     contents

data/lib/puppet/forge.rb

@@ -70,7 +70,7 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
         uri = decode_uri(result['pagination']['next'])
         matches.concat result['results']
       else
-        raise ResponseError.new(:uri => URI.parse(@host).merge(uri), :response => response)
+        raise ResponseError.new(:uri => response.url, :response => response)
       end
     end
 
@@ -105,7 +105,7 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
       if response.code == 200
         response = Puppet::Util::Json.load(response.body)
       else
-        raise ResponseError.new(:uri => URI.parse(@host).merge(uri), :response => response)
+        raise ResponseError.new(:uri => response.url, :response => response)
       end
 
       releases.concat(process(response['results']))
@@ -208,12 +208,12 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
       response = @source.make_http_request(uri, destination)
       destination.flush and destination.close
       unless response.code == 200
-        raise Puppet::Forge::Errors::ResponseError.new(:uri => uri, :response => response)
+        raise Puppet::Forge::Errors::ResponseError.new(:uri => response.url, :response => response)
       end
     end
 
     def validate_checksum(file, checksum, digest_class)
-      if Facter.value(:fips_enabled) && digest_class == Digest::MD5
+      if Puppet.runtime[:facter].value(:fips_enabled) && digest_class == Digest::MD5
         raise _("Module install using MD5 is prohibited in FIPS mode.")
       end
 

data/lib/puppet/functions/all.rb

@@ -51,7 +51,7 @@
 # notice $data.all |$key, $value| { $value % 10 == 0  and $key =~ /^abc/ }
 # ```
 #
-# Would notice true.
+# Would notice `true`.
 #
 # For an general examples that demonstrates iteration, see the Puppet
 # [iteration](https://puppet.com/docs/puppet/latest/lang_iteration.html)

data/lib/puppet/functions/camelcase.rb

@@ -3,7 +3,7 @@
 # This function is compatible with the stdlib function with the same name.
 #
 # The function does the following:
-# * For a `String` the conversion replaces all combinations of *_<char>* with an upcased version of the
+# * For a `String` the conversion replaces all combinations of `*_<char>*` with an upcased version of the
 #   character following the _.  This is done using Ruby system locale which handles some, but not all
 #   special international up-casing rules (for example German double-s ß is upcased to "Ss").
 # * For an `Iterable[Variant[String, Numeric]]` (for example an `Array`) each value is capitalized and the conversion is not recursive.

data/lib/puppet/functions/capitalize.rb

@@ -18,14 +18,14 @@
 # 'hello'.capitalize()
 # upcase('hello')
 # ```
-# Would both result in "Hello"
+# Would both result in `"Hello"`
 #
 # @example Capitalizing strings in an Array
 # ```puppet
 # ['abc', 'bcd'].capitalize()
 # capitalize(['abc', 'bcd'])
 # ```
-# Would both result in ['Abc', 'Bcd']
+# Would both result in `['Abc', 'Bcd']`
 #
 Puppet::Functions.create_function(:capitalize) do
 

data/lib/puppet/functions/downcase.rb

@@ -22,14 +22,14 @@
 # 'HELLO'.downcase()
 # downcase('HEllO')
 # ```
-# Would both result in "hello"
+# Would both result in `"hello"`
 #
 # @example Converting an Array to lower case
 # ```puppet
 # ['A', 'B'].downcase()
 # downcase(['A', 'B'])
 # ```
-# Would both result in ['a', 'b']
+# Would both result in `['a', 'b']`
 #
 # @example Converting a Hash to lower case
 # ```puppet

data/lib/puppet/functions/empty.rb

@@ -26,6 +26,10 @@ Puppet::Functions.create_function(:empty) do
     param 'Collection', :coll
   end
 
+  dispatch :sensitive_string_empty do
+    param 'Sensitive[String]', :str
+  end
+
   dispatch :string_empty do
     param 'String', :str
   end
@@ -46,6 +50,10 @@ Puppet::Functions.create_function(:empty) do
     coll.empty?
   end
 
+  def sensitive_string_empty(str)
+    str.unwrap.empty?
+  end
+
   def string_empty(str)
     str.empty?
   end

data/lib/puppet/functions/find_template.rb

@@ -2,11 +2,11 @@
 #
 # This function accepts an argument that is a String as a `<MODULE NAME>/<TEMPLATE>`
 # reference, which searches for `<TEMPLATE>` relative to a module's `templates`
-# directory on the master. (For example, the reference `mymod/secret.conf.epp`
+# directory on the primary server. (For example, the reference `mymod/secret.conf.epp`
 # will search for the file `<MODULES DIRECTORY>/mymod/templates/secret.conf.epp`.)
 #
 # The primary use case is for agent-side template rendering with late-bound variables
-# resolved, such as from secret stores inaccessible to the master, such as
+# resolved, such as from secret stores inaccessible to the primary server, such as
 #
 # ```
 # $variables = {

data/lib/puppet/functions/get.rb

@@ -23,20 +23,20 @@
 # #get($facts, 'os.family')
 # $facts.get('os.family')
 # ```
-# Would both result in the value of $facts['os']['family']
+# Would both result in the value of `$facts['os']['family']`
 #
 # @example Getting the value from an expression
 # ```puppet
 # get([1,2,[{'name' =>'waldo'}]], '2.0.name')
 # ```
-# Would result in 'waldo'
+# Would result in `'waldo'`
 #
 # @example Using a default value
 # ```puppet
 # get([1,2,[{'name' =>'waldo'}]], '2.1.name', 'not waldo')
 #
 # ```
-# Would result in 'not waldo'
+# Would result in `'not waldo'`
 #
 # @example Quoting a key with period
 # ```puppet
@@ -128,8 +128,8 @@ Puppet::Functions.create_function(:get, Puppet::Functions::InternalFunction) do
 
     # Note: split_key always processes the initial segment as a string even if it could be an integer.
     # This since it is designed for lookup keys. For a numeric first segment
-    # like '0.1' the wanted result is [0,1], not ["0", 1]. The workaround here is to
-    # prefix the navigation with "x." thus giving split_key a first segment that is a string.
+    # like '0.1' the wanted result is `[0,1]`, not `["0", 1]`. The workaround here is to
+    # prefix the navigation with `"x."` thus giving split_key a first segment that is a string.
     # The fake segment is then dropped.
     segments = split_key("x." + navigation) {|err| _("Syntax error in dotted-navigation string")}
     segments.shift