puppet 6.23.0 → 7.0.0

data/lib/puppet/application/agent.rb

@@ -133,12 +133,9 @@ Some flags are meant specifically for interactive use --- in particular,
 'test', 'tags' and 'fingerprint' are useful.
 
 '--test' runs once in the foreground with verbose logging, then exits.
-It also exits if it can't get a valid catalog. `--test` includes the 
-'--detailed-exitcodes' option by default and exits with one of the following 
-exit codes:
+It also exits if it can't get a valid catalog. `--test` includes the '--detailed-exitcodes' option by default and exits with one of the following exit codes:
 
-* 0: The run succeeded with no changes or failures; the system was already in 
-     the desired state.
+* 0: The run succeeded with no changes or failures; the system was already in the desired state.
 * 1: The run failed, or wasn't attempted due to another run already in progress.
 * 2: The run succeeded, and some resources were changed.
 * 4: The run succeeded, and some resources failed.
@@ -249,9 +246,7 @@ generated by running puppet agent with '--genconfig'.
   'puppet agent' exits after executing this.
   
 *  --evaltrace:
-  Logs each resource as it is being evaluated. This allows you to interactively
-  see exactly what is being done. (This is a Puppet setting, and can go in
-  puppet.conf. Note the special 'no-' prefix for boolean settings on the command line.)
+  Logs each resource as it is being evaluated. This allows you to interactively see exactly what is being done. (This is a Puppet setting, and can go in puppet.conf. Note the special 'no-' prefix for boolean settings on the command line.)
 
 * --fingerprint:
   Display the current certificate or certificate signing request
@@ -272,8 +267,6 @@ generated by running puppet agent with '--genconfig'.
   service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
   file. If debugging or verbosity is enabled, this defaults to 'console'.
   Otherwise, it defaults to 'syslog' on POSIX systems and 'eventlog' on Windows.
-  Multiple destinations can be set using a comma separated list 
-  (eg: `/path/file1,console,/path/file2`)"
 
   A path ending with '.json' will receive structured output in JSON format. The
   log file will not have an ending ']' automatically written to it due to the
@@ -316,8 +309,7 @@ generated by running puppet agent with '--genconfig'.
   'no-splay', and 'show_diff'.
   
 * --trace
-  Prints stack traces on some errors. (This is a Puppet setting, and can go in
-  puppet.conf. Note the special 'no-' prefix for boolean settings on the command line.)
+  Prints stack traces on some errors. (This is a Puppet setting, and can go in puppet.conf. Note the special 'no-' prefix for boolean settings on the command line.)
 
 * --verbose:
   Turn on verbose reporting.

data/lib/puppet/application/apply.rb

@@ -113,8 +113,6 @@ configuration options by running puppet with
   Where to send log messages. Choose between 'syslog' (the POSIX syslog
   service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
   file. Defaults to 'console'.
-  Multiple destinations can be set using a comma separated list
-  (eg: `/path/file1,console,/path/file2`)"
 
   A path ending with '.json' will receive structured output in JSON format. The
   log file will not have an ending ']' automatically written to it due to the
@@ -238,7 +236,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
         end
 
         # Resolve all deferred values and replace them / mutate the catalog
-        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, apply_environment)
+        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog)
 
         # Translate it to a RAL catalog
         catalog = catalog.to_ral
@@ -332,7 +330,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
         raise Puppet::Error, _("Could not deserialize catalog from %{format}: %{detail}") % { format: format, detail: detail }, detail.backtrace
       end
       # Resolve all deferred values and replace them / mutate the catalog
-      Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, configured_environment)
+      Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog)
 
       catalog.to_ral
     end

data/lib/puppet/application/device.rb

@@ -155,8 +155,6 @@ you can specify '--server <servername>' as an argument.
   Where to send log messages. Choose between 'syslog' (the POSIX syslog
   service), 'console', or the path to a log file. If debugging or verbosity is
   enabled, this defaults to 'console'. Otherwise, it defaults to 'syslog'.
-  Multiple destinations can be set using a comma separated list
-  (eg: `/path/file1,console,/path/file2`)"
 
   A path ending with '.json' will receive structured output in JSON format. The
   log file will not have an ending ']' automatically written to it due to the
@@ -261,119 +259,115 @@ Licensed under the Apache 2.0 License
         end
       end
       devices.collect do |devicename,device|
-        pool = Puppet.runtime[:http].pool
-        Puppet.override(:http_pool => pool) do
-          # TODO when we drop support for ruby < 2.5 we can remove the extra block here
-          begin
-            device_url = URI.parse(device.url)
-            # Handle nil scheme & port
-            scheme = "#{device_url.scheme}://" if device_url.scheme
-            port = ":#{device_url.port}" if device_url.port
-
-            # override local $vardir and $certname
-            Puppet[:ssldir] = ::File.join(Puppet[:deviceconfdir], device.name, 'ssl')
-            Puppet[:confdir] = ::File.join(Puppet[:devicedir], device.name)
-            Puppet[:libdir] = options[:libdir] || ::File.join(Puppet[:devicedir], device.name, 'lib')
-            Puppet[:vardir] = ::File.join(Puppet[:devicedir], device.name)
-            Puppet[:certname] = device.name
-            ssl_context = nil
-
-            # create device directory under $deviceconfdir
-            Puppet::FileSystem.dir_mkpath(Puppet[:ssldir]) unless Puppet::FileSystem.dir_exist?(Puppet[:ssldir])
-
-            # this will reload and recompute default settings and create device-specific sub vardir
-            Puppet.settings.use :main, :agent, :ssl
-
-            # Workaround for PUP-8736: store ssl certs outside the cache directory to prevent accidental removal and keep the old path as symlink
-            optssldir = File.join(Puppet[:confdir], 'ssl')
-            Puppet::FileSystem.symlink(Puppet[:ssldir], optssldir) unless Puppet::FileSystem.exist?(optssldir)
-
-            unless options[:resource] || options[:facts] || options[:apply]
-              # Since it's too complicated to fix properly in the default settings, we workaround for PUP-9642 here.
-              # See https://github.com/puppetlabs/puppet/pull/7483#issuecomment-483455997 for details.
-              # This has to happen after `settings.use` above, so the directory is created and before `setup_host` below, where the SSL
-              # routines would fail with access errors
-              if Puppet.features.root? && !Puppet::Util::Platform.windows?
-                user = Puppet::Type.type(:user).new(name: Puppet[:user]).exists? ? Puppet[:user] : nil
-                group = Puppet::Type.type(:group).new(name: Puppet[:group]).exists? ? Puppet[:group] : nil
-                Puppet.debug("Fixing perms for #{user}:#{group} on #{Puppet[:confdir]}")
-                FileUtils.chown(user, group, Puppet[:confdir]) if user || group
-              end
+        # TODO when we drop support for ruby < 2.5 we can remove the extra block here
+        begin
+          device_url = URI.parse(device.url)
+          # Handle nil scheme & port
+          scheme = "#{device_url.scheme}://" if device_url.scheme
+          port = ":#{device_url.port}" if device_url.port
+
+          # override local $vardir and $certname
+          Puppet[:ssldir] = ::File.join(Puppet[:deviceconfdir], device.name, 'ssl')
+          Puppet[:confdir] = ::File.join(Puppet[:devicedir], device.name)
+          Puppet[:libdir] = options[:libdir] || ::File.join(Puppet[:devicedir], device.name, 'lib')
+          Puppet[:vardir] = ::File.join(Puppet[:devicedir], device.name)
+          Puppet[:certname] = device.name
+          ssl_context = nil
+
+          # create device directory under $deviceconfdir
+          Puppet::FileSystem.dir_mkpath(Puppet[:ssldir]) unless Puppet::FileSystem.dir_exist?(Puppet[:ssldir])
+
+          # this will reload and recompute default settings and create device-specific sub vardir
+          Puppet.settings.use :main, :agent, :ssl
+
+          # Workaround for PUP-8736: store ssl certs outside the cache directory to prevent accidental removal and keep the old path as symlink
+          optssldir = File.join(Puppet[:confdir], 'ssl')
+          Puppet::FileSystem.symlink(Puppet[:ssldir], optssldir) unless Puppet::FileSystem.exist?(optssldir)
+
+          unless options[:resource] || options[:facts] || options[:apply]
+            # Since it's too complicated to fix properly in the default settings, we workaround for PUP-9642 here.
+            # See https://github.com/puppetlabs/puppet/pull/7483#issuecomment-483455997 for details.
+            # This has to happen after `settings.use` above, so the directory is created and before `setup_host` below, where the SSL
+            # routines would fail with access errors
+            if Puppet.features.root? && !Puppet::Util::Platform.windows?
+              user = Puppet::Type.type(:user).new(name: Puppet[:user]).exists? ? Puppet[:user] : nil
+              group = Puppet::Type.type(:group).new(name: Puppet[:group]).exists? ? Puppet[:group] : nil
+              Puppet.debug("Fixing perms for #{user}:#{group} on #{Puppet[:confdir]}")
+              FileUtils.chown(user, group, Puppet[:confdir]) if user || group
+            end
 
-              ssl_context = setup_context
+            ssl_context = setup_context
 
-              unless options[:libdir]
-                Puppet.override(ssl_context: ssl_context) do
-                  Puppet::Configurer::PluginHandler.new.download_plugins(env) if Puppet::Configurer.should_pluginsync?
-                end
+            unless options[:libdir]
+              Puppet.override(ssl_context: ssl_context) do
+                Puppet::Configurer::PluginHandler.new.download_plugins(env) if Puppet::Configurer.should_pluginsync?
               end
             end
+          end
 
-            # this inits the device singleton, so that the facts terminus
-            # and the various network_device provider can use it
-            Puppet::Util::NetworkDevice.init(device)
-
-            if options[:resource]
-              type, name = parse_args(command_line.args)
-              Puppet.info _("retrieving resource: %{resource} from %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { resource: type, target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
-              resources = find_resources(type, name)
-              if options[:to_yaml]
-                data = resources.map do |resource|
-                  resource.prune_parameters(:parameters_to_include => @extra_params).to_hiera_hash
-                end.inject(:merge!)
-                text = YAML.dump(type.downcase => data)
-              else
-                text = resources.map do |resource|
-                  resource.prune_parameters(:parameters_to_include => @extra_params).to_manifest.force_encoding(Encoding.default_external)
-                end.join("\n")
-              end
-              (puts text)
-              0
-            elsif options[:facts]
-              Puppet.info _("retrieving facts from %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { resource: type, target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
-              remote_facts = Puppet::Node::Facts.indirection.find(name, :environment => env)
-              # Give a proper name to the facts
-              remote_facts.name = remote_facts.values['clientcert']
-              renderer = Puppet::Network::FormatHandler.format(:console)
-              puts renderer.render(remote_facts)
-              0
-            elsif options[:apply]
-              # avoid reporting to server
-              Puppet::Transaction::Report.indirection.terminus_class = :yaml
-              Puppet::Resource::Catalog.indirection.cache_class = nil
-
-              require 'puppet/application/apply'
-              begin
-                Puppet[:node_terminus] = :plain
-                Puppet[:catalog_terminus] = :compiler
-                Puppet[:catalog_cache_terminus] = nil
-                Puppet[:facts_terminus] = :network_device
-                Puppet.override(:network_device => true) do
-                  Puppet::Application::Apply.new(Puppet::Util::CommandLine.new('puppet', ["apply", options[:apply]])).run_command
-                end
-              end
+          # this inits the device singleton, so that the facts terminus
+          # and the various network_device provider can use it
+          Puppet::Util::NetworkDevice.init(device)
+
+          if options[:resource]
+            type, name = parse_args(command_line.args)
+            Puppet.info _("retrieving resource: %{resource} from %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { resource: type, target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
+            resources = find_resources(type, name)
+            if options[:to_yaml]
+              data = resources.map do |resource|
+                resource.prune_parameters(:parameters_to_include => @extra_params).to_hiera_hash
+              end.inject(:merge!)
+              text = YAML.dump(type.downcase => data)
             else
-              Puppet.info _("starting applying configuration to %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
-
-              overrides = {}
-              overrides[:ssl_context] = ssl_context if ssl_context
-              Puppet.override(overrides) do
-                configurer = Puppet::Configurer.new
-                configurer.run(:network_device => true, :pluginsync => false)
+              text = resources.map do |resource|
+                resource.prune_parameters(:parameters_to_include => @extra_params).to_manifest.force_encoding(Encoding.default_external)
+              end.join("\n")
+            end
+            (puts text)
+            0
+          elsif options[:facts]
+            Puppet.info _("retrieving facts from %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { resource: type, target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
+            remote_facts = Puppet::Node::Facts.indirection.find(name, :environment => env)
+            # Give a proper name to the facts
+            remote_facts.name = remote_facts.values['clientcert']
+            renderer = Puppet::Network::FormatHandler.format(:console)
+            puts renderer.render(remote_facts)
+            0
+          elsif options[:apply]
+            # avoid reporting to server
+            Puppet::Transaction::Report.indirection.terminus_class = :yaml
+            Puppet::Resource::Catalog.indirection.cache_class = nil
+
+            require 'puppet/application/apply'
+            begin
+              Puppet[:node_terminus] = :plain
+              Puppet[:catalog_terminus] = :compiler
+              Puppet[:catalog_cache_terminus] = nil
+              Puppet[:facts_terminus] = :network_device
+              Puppet.override(:network_device => true) do
+                Puppet::Application::Apply.new(Puppet::Util::CommandLine.new('puppet', ["apply", options[:apply]])).run_command
               end
             end
-          rescue => detail
-            Puppet.log_exception(detail)
-            # If we rescued an error, then we return 1 as the exit code
-            1
-          ensure
-            pool.close
-            Puppet[:libdir] = libdir
-            Puppet[:vardir] = vardir
-            Puppet[:confdir] = confdir
-            Puppet[:ssldir] = ssldir
-            Puppet[:certname] = certname
+          else
+            Puppet.info _("starting applying configuration to %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
+
+            overrides = {}
+            overrides[:ssl_context] = ssl_context if ssl_context
+            Puppet.override(overrides) do
+              configurer = Puppet::Configurer.new
+              configurer.run(:network_device => true, :pluginsync => false)
+            end
           end
+        rescue => detail
+          Puppet.log_exception(detail)
+          # If we rescued an error, then we return 1 as the exit code
+          1
+        ensure
+          Puppet[:libdir] = libdir
+          Puppet[:vardir] = vardir
+          Puppet[:confdir] = confdir
+          Puppet[:ssldir] = ssldir
+          Puppet[:certname] = certname
         end
       end
     end

data/lib/puppet/application/filebucket.rb

@@ -16,6 +16,10 @@ class Puppet::Application::Filebucket < Puppet::Application
     _("Store and retrieve files in a filebucket")
   end
 
+  def digest_algorithm
+    Puppet.default_digest_algorithm
+  end
+
   def help
     <<-HELP
 
@@ -38,14 +42,14 @@ Puppet filebucket can operate in three modes, with only one mode per call:
 
 backup:
   Send one or more files to the specified file bucket. Each sent file is
-  printed with its resulting md5 sum.
+  printed with its resulting #{digest_algorithm} sum.
 
 get:
-  Return the text associated with an md5 sum. The text is printed to
+  Return the text associated with an #{digest_algorithm} sum. The text is printed to
   stdout, and only one file can be retrieved at a time.
 
 restore:
-  Given a file path and an md5 sum, store the content associated with
+  Given a file path and an #{digest_algorithm} sum, store the content associated with
   the sum into the specified file path. You can specify an entirely new
   path to this argument; you are not restricted to restoring the content
   to its original location.
@@ -212,8 +216,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
   end
 
   def get
-    md5 = args.shift
-    out = @client.getfile(md5)
+    digest = args.shift
+    out = @client.getfile(digest)
     print out
   end
 
@@ -229,8 +233,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
         $stderr.puts _("%{file}: cannot read file") % { file: file }
         next
       end
-      md5 = @client.backup(file)
-      puts "#{file}: #{md5}"
+      digest = @client.backup(file)
+      puts "#{file}: #{digest}"
     end
   end
 
@@ -243,8 +247,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
 
   def restore
     file = args.shift
-    md5 = args.shift
-    @client.restore(file, md5)
+    digest = args.shift
+    @client.restore(file, digest)
   end
 
   def diff

data/lib/puppet/application/resource.rb

@@ -101,8 +101,7 @@ configuration options can also be generated by running puppet with
   Print extra information.
 
 * --to_yaml:
-  Output found resources in yaml format, suitable to use with Hiera and
-  create_resources.
+  Output found resources in yaml format, suitable to use with Hiera and create_resources.
 
 EXAMPLE
 -------

data/lib/puppet/application/script.rb

@@ -71,8 +71,6 @@ configuration options can also be generated by running puppet with
   Where to send log messages. Choose between 'syslog' (the POSIX syslog
   service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
   file. Defaults to 'console'.
-  Multiple destinations can be set using a comma separated list
-  (eg: `/path/file1,console,/path/file2`)"
 
   A path ending with '.json' will receive structured output in JSON format. The
   log file will not have an ending ']' automatically written to it due to the

data/lib/puppet/application/ssl.rb

@@ -74,9 +74,6 @@ ACTIONS
   `--localca` is specified, then also remove this host's local copy of the
   CA certificate(s) and CRL bundle. if `--target CERTNAME` is specified, then
   remove the files for the specified device on this host instead of this host.
-
- * show:
-  Print the full-text version of this host's certificate.
 HELP
   end
 
@@ -145,19 +142,11 @@ HELP
       end
       @machine.ensure_client_certificate
       Puppet.notice(_("Completed SSL initialization"))
-    when 'show'
-      show(certname)
     else
       raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
     end
   end
 
-  def show(certname)
-    password = @cert_provider.load_private_key_password
-    ssl_context = @ssl_provider.load_context(certname: certname, password: password)
-    puts ssl_context.client_cert.to_text
-  end
-
   def submit_request(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
     unless key
@@ -259,7 +248,7 @@ END
     paths = {
       'private key' => Puppet[:hostprivkey],
       'public key'  => Puppet[:hostpubkey],
-      'certificate request' => File.join(Puppet[:requestdir], "#{Puppet[:certname]}.pem"),
+      'certificate request' => Puppet[:hostcsr],
       'certificate' => Puppet[:hostcert],
       'private key password file' => Puppet[:passfile]
     }

data/lib/puppet/application_support.rb

@@ -53,13 +53,6 @@ module Puppet
       route_file = Puppet[:route_file]
       if Puppet::FileSystem.exist?(route_file)
         routes = Puppet::Util::Yaml.safe_load_file(route_file, [Symbol])
-        if routes["server"] && routes["master"]
-          Puppet.warning("Route file #{route_file} contains both server and master route settings.")
-        elsif routes["server"] && !routes["master"]
-          routes["master"] = routes["server"]
-        elsif routes["master"] && !routes["server"]
-          routes["server"] = routes["master"]
-        end
         application_routes = routes[application_name]
         Puppet::Indirector.configure_routes(application_routes) if application_routes
       end

data/lib/puppet/configurer.rb

@@ -112,7 +112,7 @@ class Puppet::Configurer
     catalog_conversion_time = thinmark do
       # Will mutate the result and replace all Deferred values with resolved values
       if facts
-        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, result, Puppet.lookup(:current_environment))
+        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, result)
       end
 
       catalog = result.to_ral
@@ -202,7 +202,6 @@ class Puppet::Configurer
   # This just passes any options on to the catalog,
   # which accepts :tags and :ignoreschedules.
   def run(options = {})
-    pool = Puppet.runtime[:http].pool
     # We create the report pre-populated with default settings for
     # environment and transaction_uuid very early, this is to ensure
     # they are sent regardless of any catalog compilation failures or
@@ -215,41 +214,40 @@ class Puppet::Configurer
 
     completed = nil
     begin
-      Puppet.override(:http_pool => pool) do
-        # Skip failover logic if the server_list setting is empty
-        do_failover = Puppet.settings[:server_list] && !Puppet.settings[:server_list].empty?
-
-        # When we are passed a catalog, that means we're in apply
-        # mode. We shouldn't try to do any failover in that case.
-        if options[:catalog].nil? && do_failover
-          server, port = find_functional_server
-          if server.nil?
-            detail = _("Could not select a functional puppet server from server_list: '%{server_list}'") % { server_list: Puppet.settings.value(:server_list, Puppet[:environment].to_sym, true) }
-            if Puppet[:usecacheonfailure]
-              options[:pluginsync] = false
-              @running_failure = true
-
-              server = Puppet[:server_list].first[0]
-              port = Puppet[:server_list].first[1] || Puppet[:serverport]
-
-              Puppet.err(detail)
-            else
-              raise Puppet::Error, detail
-            end
+      # Skip failover logic if the server_list setting is empty
+      do_failover = Puppet.settings[:server_list] && !Puppet.settings[:server_list].empty?
+
+      # When we are passed a catalog, that means we're in apply
+      # mode. We shouldn't try to do any failover in that case.
+      if options[:catalog].nil? && do_failover
+        server, port = find_functional_server
+        if server.nil?
+          detail = _("Could not select a functional puppet server from server_list: '%{server_list}'") % { server_list: Puppet.settings.value(:server_list, Puppet[:environment].to_sym, true) }
+          if Puppet[:usecacheonfailure]
+            options[:pluginsync] = false
+            @running_failure = true
+
+            server = Puppet[:server_list].first[0]
+            port = Puppet[:server_list].first[1] || Puppet[:serverport]
+
+            Puppet.err(detail)
           else
-            #TRANSLATORS 'server_list' is the name of a setting and should not be translated
-            Puppet.debug _("Selected puppet server from the `server_list` setting: %{server}:%{port}") % { server: server, port: port }
-            report.server_used = "#{server}:#{port}"
-          end
-          Puppet.override(server: server, serverport: port) do
-            completed = run_internal(options)
+            raise Puppet::Error, detail
           end
         else
+          #TRANSLATORS 'server_list' is the name of a setting and should not be translated
+          Puppet.debug _("Selected puppet server from the `server_list` setting: %{server}:%{port}") % { server: server, port: port }
+          report.server_used = "#{server}:#{port}"
+        end
+        Puppet.override(server: server, serverport: port) do
           completed = run_internal(options)
         end
+      else
+        completed = run_internal(options)
       end
     ensure
-      pool.close
+      # we may sleep for awhile, close connections now
+      Puppet.runtime[:http].close
     end
 
     completed ? report.exit_status : nil
@@ -397,29 +395,16 @@ class Puppet::Configurer
       if !cached_catalog && options[:catalog]
         ral_catalog = options[:catalog]
       else
-        # Ordering here matters. We have to resolve deferred resources in the
-        # resource catalog, convert the resource catalog to a RAL catalog (which
-        # triggers type/provider validation), and only if that is successful,
-        # should we cache the *original* resource catalog. However, deferred
-        # evaluation mutates the resource catalog, so we need to make a copy of
-        # it here. If PUP-9323 is ever implemented so that we resolve deferred
-        # resources in the RAL catalog as they are needed, then we could eliminate
-        # this step.
-        catalog_to_cache = Puppet.override(:rich_data => Puppet[:rich_data]) do
-          Puppet::Resource::Catalog.from_data_hash(catalog.to_data_hash)
-        end
-
         # REMIND @duration is the time spent loading the last catalog, and doesn't
         # account for things like we failed to download and fell back to the cache
         ral_catalog = convert_catalog(catalog, @duration, facts, options)
 
-        # Validation succeeded, so commit the `catalog_to_cache` for non-noop runs. Don't
-        # commit `catalog` since it contains the result of deferred evaluation. Ideally
+        # If not noop, commit the cached resource catalog (not ral catalog). Ideally
         # we'd just copy the downloaded response body, instead of serializing the
         # in-memory catalog, but that's hard due to the indirector.
         indirection = Puppet::Resource::Catalog.indirection
         if !Puppet[:noop] && indirection.cache?
-          request = indirection.request(:save, nil, catalog_to_cache, environment: Puppet::Node::Environment.remote(catalog_to_cache.environment))
+          request = indirection.request(:save, nil, catalog, environment: Puppet::Node::Environment.remote(catalog.environment))
           Puppet.info("Caching catalog for #{request.key}")
           indirection.cache.save(request)
         end