puppet 6.23.0 → 7.0.0

data/lib/puppet/settings/environment_conf.rb

@@ -29,7 +29,6 @@ class Puppet::Settings::EnvironmentConf
       section = config.sections[:main]
     rescue Errno::ENOENT
       # environment.conf is an optional file
-      Puppet.debug { "Path to #{path_to_env} does not exist, using default environment.conf" }
     end
 
     new(path_to_env, section, global_module_path)

data/lib/puppet/settings/integer_setting.rb

@@ -0,0 +1,17 @@
+class Puppet::Settings::IntegerSetting < Puppet::Settings::BaseSetting
+  def munge(value)
+    return value if Integer === value
+
+    begin
+      value = Integer(value)
+    rescue ArgumentError, TypeError
+      raise Puppet::Settings::ValidationError, _("Cannot convert '%{value}' to an integer for parameter: %{name}") % { value: value.inspect, name: @name }
+    end
+
+    value
+  end
+
+  def type
+    :integer
+  end
+end

data/lib/puppet/settings/port_setting.rb

@@ -0,0 +1,15 @@
+class Puppet::Settings::PortSetting < Puppet::Settings::IntegerSetting
+  def munge(value)
+    value = super
+
+    if value < 0 || value > 65535
+      raise Puppet::Settings::ValidationError, _("Value '%{value}' is not a valid port number for parameter: %{name}") % { value: value.inspect, name: @name }
+    end
+
+    value
+  end
+
+  def type
+    :port
+  end
+end

data/lib/puppet/settings/priority_setting.rb

@@ -6,11 +6,12 @@ class Puppet::Settings::PrioritySetting < Puppet::Settings::BaseSetting
   PRIORITY_MAP =
     if Puppet::Util::Platform.windows?
       require 'puppet/util/windows/process'
+      require 'puppet/ffi/windows/constants'
       {
-        :high    => Puppet::Util::Windows::Process::HIGH_PRIORITY_CLASS,
-        :normal  => Puppet::Util::Windows::Process::NORMAL_PRIORITY_CLASS,
-        :low     => Puppet::Util::Windows::Process::BELOW_NORMAL_PRIORITY_CLASS,
-        :idle    => Puppet::Util::Windows::Process::IDLE_PRIORITY_CLASS
+        :high    => Puppet::FFI::Windows::Constants::HIGH_PRIORITY_CLASS,
+        :normal  => Puppet::FFI::Windows::Constants::NORMAL_PRIORITY_CLASS,
+        :low     => Puppet::FFI::Windows::Constants::BELOW_NORMAL_PRIORITY_CLASS,
+        :idle    => Puppet::FFI::Windows::Constants::IDLE_PRIORITY_CLASS
       }
     else
       {

data/lib/puppet/ssl.rb

@@ -2,18 +2,22 @@
 require 'puppet'
 require 'puppet/ssl/openssl_loader'
 
+# Responsible for bootstrapping an agent's certificate and private key, generating
+# SSLContexts for use in making HTTPS connections, and handling CSR attributes and
+# certificate extensions.
+#
+# @see Puppet::SSL::SSLProvider
 # @api private
-module Puppet::SSL # :nodoc:
+module Puppet::SSL
   CA_NAME = "ca".freeze
-  require 'puppet/ssl/host'
+
   require 'puppet/ssl/oids'
-  require 'puppet/ssl/validator'
-  require 'puppet/ssl/validator/no_validator'
-  require 'puppet/ssl/validator/default_validator'
   require 'puppet/ssl/error'
   require 'puppet/ssl/ssl_context'
   require 'puppet/ssl/verifier'
-  require 'puppet/ssl/verifier_adapter'
   require 'puppet/ssl/ssl_provider'
   require 'puppet/ssl/state_machine'
+  require 'puppet/ssl/certificate'
+  require 'puppet/ssl/certificate_request'
+  require 'puppet/ssl/certificate_request_attributes'
 end

data/lib/puppet/ssl/base.rb

@@ -1,7 +1,6 @@
 require 'puppet/ssl/openssl_loader'
 require 'puppet/ssl'
 require 'puppet/ssl/digest'
-require 'puppet/util/ssl'
 
 # The base class for wrapping SSL instances.
 class Puppet::SSL::Base
@@ -54,7 +53,9 @@ class Puppet::SSL::Base
   #
   # @return [String] the name (CN) extracted from the subject.
   def self.name_from_subject(subject)
-    Puppet::Util::SSL.cn_from_subject(subject)
+    if subject.respond_to? :to_a
+      (subject.to_a.assoc('CN') || [])[1]
+    end
   end
 
   # Create an instance of our Puppet::SSL::* class using a given instance of the wrapped class
@@ -82,15 +83,12 @@ class Puppet::SSL::Base
   # Read content from disk appropriately.
   def read(path)
     # applies to Puppet::SSL::Certificate, Puppet::SSL::CertificateRequest
-    # Puppet::SSL::Key uses this, but also provides its own override
     # nothing derives from Puppet::SSL::Certificate, but it is called by a number of other SSL Indirectors:
     # Puppet::Indirector::CertificateStatus::File (.indirection.find)
     # Puppet::Network::HTTP::WEBrick (.indirection.find)
     # Puppet::Network::HTTP::RackREST (.from_instance)
     # Puppet::Network::HTTP::WEBrickREST (.from_instance)
-    # Puppet::SSL::Host (.indirection.find)
     # Puppet::SSL::Inventory (.indirection.search, implements its own add / rebuild / serials with encoding UTF8)
-    # Puppet::SSL::Validator::DefaultValidator (.from_instance) / Puppet::SSL::Validator::NoValidator does nothing
     @content = wrapped_class.new(Puppet::FileSystem.read(path, :encoding => Encoding::ASCII))
   end
 

data/lib/puppet/ssl/certificate.rb

@@ -11,12 +11,6 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
   # This is defined from the base class
   wraps OpenSSL::X509::Certificate
 
-  extend Puppet::Indirector
-  indirects :certificate, :terminus_class => :file, :doc => <<DOC
-    This indirection wraps an `OpenSSL::X509::Certificate` object, representing a certificate (signed public key).
-    The indirection key is the certificate CN (generally a hostname).
-DOC
-
   # Because of how the format handler class is included, this
   # can't be in the base class.
   def self.supported_formats

data/lib/puppet/ssl/certificate_request.rb

@@ -28,13 +28,6 @@ require 'puppet/ssl/certificate_signer'
 class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
   wraps OpenSSL::X509::Request
 
-  extend Puppet::Indirector
-
-  indirects :certificate_request, :terminus_class => :file, :doc => <<DOC
-    This indirection wraps an `OpenSSL::X509::Request` object, representing a certificate signing request (CSR).
-    The indirection key is the certificate CN (generally a hostname).
-DOC
-
   # Because of how the format handler class is included, this
   # can't be in the base class.
   def self.supported_formats
@@ -47,8 +40,7 @@ DOC
 
   # Create a certificate request with our system settings.
   #
-  # @param key [OpenSSL::X509::Key, Puppet::SSL::Key] The key pair associated
-  #   with this CSR.
+  # @param key [OpenSSL::X509::Key] The private key associated with this CSR.
   # @param options [Hash]
   # @option options [String] :dns_alt_names A comma separated list of
   #   Subject Alternative Names to include in the CSR extension request.
@@ -64,9 +56,6 @@ DOC
   def generate(key, options = {})
     Puppet.info _("Creating a new SSL certificate request for %{name}") % { name: name }
 
-    # Support either an actual SSL key, or a Puppet key.
-    key = key.content if key.is_a?(Puppet::SSL::Key)
-
     # If we're a CSR for the CA, then use the real ca_name, rather than the
     # fake 'ca' name.  This is mostly for backward compatibility with 0.24.x,
     # but it's also just a good idea.

data/lib/puppet/ssl/certificate_signer.rb

@@ -27,6 +27,12 @@ class Puppet::SSL::CertificateSigner
     @digest
   end
 
+  # Sign a certificate signing request (CSR) with a private key.
+  #
+  # @param [OpenSSL::X509::Request] content The CSR to sign
+  # @param [OpenSSL::X509::PKey] key The private key to sign with
+  #
+  # @api private
   def sign(content, key)
     content.sign(key, @digest.new)
   end

data/lib/puppet/ssl/oids.rb

@@ -2,10 +2,11 @@ require 'puppet/ssl'
 
 # This module defines OIDs for use within Puppet.
 #
-# == ASN.1 Definition
+# # ASN.1 Definition
 #
 # The following is the formal definition of OIDs specified in this file.
 #
+# ```
 # puppetCertExtensions OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
 #    dod(6) internet(1) private(4) enterprise(1) 34380 1}
 #
@@ -22,6 +23,7 @@ require 'puppet/ssl'
 # pp_instance_id OBJECT IDENTIFIER ::= { registeredExtensions 2 }
 # pp_image_name OBJECT IDENTIFIER ::= { registeredExtensions 3 }
 # pp_preshared_key OBJECT IDENTIFIER ::= { registeredExtensions 4 }
+# ```
 #
 # @api private
 module Puppet::SSL::Oids

data/lib/puppet/ssl/ssl_provider.rb

@@ -3,6 +3,23 @@ require 'puppet/ssl'
 # SSL Provider creates `SSLContext` objects that can be used to create
 # secure connections.
 #
+# @example To load an SSLContext from an existing private key and related certs/crls:
+#   ssl_context = provider.load_context
+#
+# @example To load an SSLContext from an existing password-protected private key and related certs/crls:
+#   ssl_context = provider.load_context(password: 'opensesame')
+#
+# @example To create an SSLContext from in-memory certs and keys:
+#   cacerts = [<OpenSSL::X509::Certificate>]
+#   crls = [<OpenSSL::X509::CRL>]
+#   key = <OpenSSL::X509::PKey>
+#   cert = <OpenSSL::X509::Certificate>
+#   ssl_context = provider.create_context(cacerts: cacerts, crls: crls, private_key: key, client_cert: cert)
+#
+# @example To create an SSLContext to connect to non-puppet HTTPS servers:
+#   cacerts = [<OpenSSL::X509::Certificate>]
+#   ssl_context = provider.create_root_context(cacerts: cacerts)
+#
 # @api private
 class Puppet::SSL::SSLProvider
   # Create an insecure `SSLContext`. Connections made from the returned context

data/lib/puppet/ssl/state_machine.rb

@@ -10,7 +10,7 @@ require 'puppet/util/pidlock'
 # certs. This way we're sure about which SSLContext is being used during any
 # phase of the bootstrapping process.
 #
-# @private
+# @api private
 class Puppet::SSL::StateMachine
   class SSLState
     attr_reader :ssl_context
@@ -405,6 +405,7 @@ class Puppet::SSL::StateMachine
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
   # @raise [Puppet::Error] If we fail to generate an SSLContext
+  # @api private
   def ensure_ca_certificates
     final_state = run_machine(NeedLock.new(self), NeedKey)
     final_state.ssl_context
@@ -414,6 +415,7 @@ class Puppet::SSL::StateMachine
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
   # @raise [Puppet::Error] If we fail to generate an SSLContext
+  # @api private
   def ensure_client_certificate
     final_state = run_machine(NeedLock.new(self), Done)
     ssl_context = final_state.ssl_context

data/lib/puppet/ssl/verifier.rb

@@ -14,6 +14,7 @@ class Puppet::SSL::Verifier
   # @param hostname [String] FQDN of the server we're attempting to connect to
   # @param ssl_context [Puppet::SSL::SSLContext] ssl_context containing CA certs,
   #   CRLs, etc needed to verify the server's certificate chain
+  # @api private
   def initialize(hostname, ssl_context)
     @hostname = hostname
     @ssl_context = ssl_context
@@ -25,6 +26,7 @@ class Puppet::SSL::Verifier
   #
   # @param verifier [Puppet::SSL::Verifier] the verifier to compare against
   # @return [Boolean] return true if a cached connection can be used, false otherwise
+  # @api private
   def reusable?(verifier)
     verifier.instance_of?(self.class) &&
       verifier.ssl_context.object_id == @ssl_context.object_id

data/lib/puppet/test/test_helper.rb

@@ -147,9 +147,6 @@ module Puppet::Test
       Puppet::Application.clear!
       Puppet::Util::Profiler.clear
 
-      Puppet::SSL::Host.reset
-      Puppet::Rest::Routes.clear
-
       Puppet::Node::Facts.indirection.terminus_class = :memory
       facts = Puppet::Node::Facts.new(Puppet[:node_name_value])
       Puppet::Node::Facts.indirection.save(facts)
@@ -223,6 +220,7 @@ module Puppet::Test
       {
           :logdir     => "/dev/null",
           :confdir    => "/dev/null",
+          :publicdir  => "/dev/null",
           :codedir    => "/dev/null",
           :vardir     => "/dev/null",
           :rundir     => "/dev/null",

data/lib/puppet/transaction.rb

@@ -376,16 +376,10 @@ class Puppet::Transaction
     Puppet.debug { "Prefetching #{provider_class.name} resources for #{type_name}" }
     begin
       provider_class.prefetch(resources)
-    rescue LoadError, Puppet::MissingCommand => detail
+    rescue LoadError, StandardError => detail
       #TRANSLATORS `prefetch` is a function name and should not be translated
       message = _("Could not prefetch %{type_name} provider '%{name}': %{detail}") % { type_name: type_name, name: provider_class.name, detail: detail }
       Puppet.log_exception(detail, message)
-    rescue StandardError => detail
-      message = _("Could not prefetch %{type_name} provider '%{name}': %{detail}") % { type_name: type_name, name: provider_class.name, detail: detail }
-      Puppet.log_exception(detail, message)
-
-      raise unless Puppet.settings[:future_features]
-
       @prefetch_failed_providers[type_name][provider_class.name] = true
     end
     @prefetched_providers[type_name][provider_class.name] = true

data/lib/puppet/transaction/additional_resource_generator.rb

@@ -137,7 +137,7 @@ class Puppet::Transaction::AdditionalResourceGenerator
       else
         @catalog.add_resource_after(parent_resource, res)
       end
-      @catalog.add_edge(@catalog.container_of(parent_resource), res) if @catalog.container_of(parent_resource)
+      @catalog.add_edge(@catalog.container_of(parent_resource), res)
       if @relationship_graph && priority
         # If we have a relationship_graph we should add the resource
         # to it (this is an eval_generate). If we don't, then the

data/lib/puppet/transaction/report.rb

@@ -66,8 +66,6 @@ class Puppet::Transaction::Report
   # Contains the name and port of the server that was successfully contacted
   # @return [String] a string of the format 'servername:port'
   attr_accessor :server_used
-  alias :master_used :server_used
-  alias :master_used= :server_used=
 
   # The host name for which the report is generated
   # @return [String] the host name
@@ -226,7 +224,7 @@ class Puppet::Transaction::Report
     @external_times ||= {}
     @host = Puppet[:node_name_value]
     @time = start_time
-    @report_format = 11
+    @report_format = 12
     @puppet_version = Puppet.version
     @configuration_version = configuration_version
     @transaction_uuid = transaction_uuid
@@ -326,7 +324,7 @@ class Puppet::Transaction::Report
     }
 
     # The following is include only when set
-    hash['master_used'] = hash['server_used'] = @server_used unless @server_used.nil?
+    hash['server_used'] = @server_used unless @server_used.nil?
     hash['catalog_uuid'] = @catalog_uuid unless @catalog_uuid.nil?
     hash['code_id'] = @code_id unless @code_id.nil?
     hash['job_id'] = @job_id unless @job_id.nil?

data/lib/puppet/type.rb

@@ -114,29 +114,6 @@ class Type
     attr_reader :properties
   end
 
-  # Allow declaring that a type is actually a capability
-  class << self
-    # @deprecated application orchestration will be removed in puppet 7
-    attr_accessor :is_capability
-
-    # @deprecated application orchestration will be removed in puppet 7
-    def is_capability?
-      c = is_capability
-      c.nil? ? false : c
-    end
-  end
-
-  # Returns whether this type represents an application instance; since
-  # only defined types, i.e., instances of Puppet::Resource::Type can
-  # represent application instances, this implementation always returns
-  # +false+. Having this method though makes code checking whether a
-  # resource is an application instance simpler
-  #
-  # @deprecated application orchestration will be removed in puppet 7
-  def self.application?
-      false
-  end
-
   # Returns all the attribute names of the type in the appropriate order.
   # The {key_attributes} come first, then the {provider}, then the {properties}, and finally
   # the {parameters} and {metaparams},
@@ -1720,59 +1697,6 @@ class Type
     }
   end
 
-  # @deprecated application orchestration will be removed in puppet 7
-  newmetaparam(:export, :parent => RelationshipMetaparam, :attributes => {:direction => :out, :events => :NONE}) do
-          desc <<EOS
-Export a capability resource.
-
-The value of this parameter must be a reference to a capability resource,
-or an array of such references. Each capability resource referenced here
-will be instantiated in the node catalog and exported to consumers of this
-resource. The title of the capability resource will be the title given in
-the reference, and all other attributes of the resource will be filled
-according to the corresponding produces statement.
-
-It is an error if this metaparameter references resources whose type is not
-a capability type, or of there is no produces clause for the type of the
-current resource and the capability resource mentioned in this parameter.
-
-For example:
-
-define web(..) { .. }
-Web produces Http { .. }
-web { server:
-  export => Http[main_server]
-}
-EOS
-  end
-
-  # @deprecated application orchestration will be removed in puppet 7
-  newmetaparam(:consume, :parent => RelationshipMetaparam, :attributes => {:direction => :in, :events => :NONE}) do
-          desc <<EOS
-Consume a capability resource.
-
-The value of this parameter must be a reference to a capability resource,
-or an array of such references. Each capability resource referenced here
-must have been exported by another resource in the same environment.
-
-The referenced capability resources will be looked up, added to the
-current node catalog, and processed following the underlying consumes
-clause.
-
-It is an error if this metaparameter references resources whose type is not
-a capability type, or of there is no consumes clause for the type of the
-current resource and the capability resource mentioned in this parameter.
-
-For example:
-
-define web(..) { .. }
-Web consumes Sql { .. }
-web { server:
-  consume => Sql[my_db]
-}
-EOS
-end
-
   ###############################
   # All of the provider plumbing for the resource types.
   require 'puppet/provider'

data/lib/puppet/type/file.rb

@@ -83,13 +83,11 @@ Puppet::Type.newtype(:file) do
         use copy the file in the same directory with that value as the extension
         of the backup. (A value of `true` is a synonym for `.puppet-bak`.)
       * If set to any other string, Puppet will try to back up to a filebucket
-        with that title. See the `filebucket` resource type for more details.
-        (This is the preferred method for backup, since it can be centralized
-        and queried.)
+        with that title. Puppet automatically creates a **local** filebucket
+        named `puppet` if one doesn't already exist. See the `filebucket` resource
+        type for more details.
 
-      Default value: `puppet`, which backs up to a filebucket of the same name.
-      (Puppet automatically creates a **local** filebucket named `puppet` if one
-      doesn't already exist.)
+      Default value: `false`
 
       Backing up to a local filebucket isn't particularly useful. If you want
       to make organized use of backups, you will generally want to use the
@@ -125,7 +123,7 @@ Puppet::Type.newtype(:file) do
         - Restrict the directory to a maximum size after which the oldest items are removed.
     EOT
 
-    defaultto "puppet"
+    defaultto false
 
     munge do |value|
       # I don't really know how this is happening.
@@ -220,23 +218,6 @@ Puppet::Type.newtype(:file) do
     end
   end
 
-  newparam(:max_files) do
-    desc "In case the resource is a directory and the recursion is enabled, puppet will
-      generate a new resource for each file file found, possible leading to
-      an excessive number of resources generated without any control.
-
-      Setting `max_files` will check the number of file resources that
-      will eventually be created and will raise a resource argument error if the
-      limit will be exceeded.
-
-      Use value `0` to log a warning instead of raising an error.
-
-      Use value `-1` to disable errors and warnings due to max files."
-
-    defaultto 0
-    newvalues(/^[0-9]+$/, /^-1$/)
-  end
-
   newparam(:replace, :boolean => true, :parent => Puppet::Parameter::Boolean) do
     desc "Whether to replace a file or symlink that already exists on the local system but
       whose content doesn't match what the `source` or `content` attribute
@@ -593,7 +574,7 @@ Puppet::Type.newtype(:file) do
     options = @original_parameters.merge(:path => full_path).reject { |param, value| value.nil? }
 
     # These should never be passed to our children.
-    [:parent, :ensure, :recurse, :recurselimit, :max_files, :target, :alias, :source].each do |param|
+    [:parent, :ensure, :recurse, :recurselimit, :target, :alias, :source].each do |param|
       options.delete(param) if options.include?(param)
     end
 
@@ -770,7 +751,6 @@ Puppet::Type.newtype(:file) do
       :links => self[:links],
       :recurse => (self[:recurse] == :remote ? true : self[:recurse]),
       :recurselimit => self[:recurselimit],
-      :max_files => self[:max_files],
       :source_permissions => self[:source_permissions],
       :ignore => self[:ignore],
       :checksum_type => (self[:source] || self[:content]) ? self[:checksum] : :none,