puppet 6.24.0-universal-darwin → 6.25.0-universal-darwin

data/lib/puppet/provider/user/useradd.rb

@@ -7,9 +7,12 @@ require 'puppet/error'
 Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameService::ObjectAdd do
   desc "User management via `useradd` and its ilk.  Note that you will need to
     install Ruby's shadow password library (often known as `ruby-libshadow`)
-    if you wish to manage user passwords."
+    if you wish to manage user passwords.
 
-  commands :add => "useradd", :delete => "userdel", :modify => "usermod", :password => "chage"
+    To use the `forcelocal` parameter, you need to install the `libuser` package (providing
+    `/usr/sbin/lgroupadd` and `/usr/sbin/luseradd`)."
+
+  commands :add => "useradd", :delete => "userdel", :modify => "usermod", :password => "chage", :chpasswd  => "chpasswd"
 
   options :home, :flag => "-d", :method => :dir
   options :comment, :method => :gecos
@@ -21,13 +24,13 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
   options :expiry, :method => :sp_expire,
     :munge => proc { |value|
       if value == :absent
-        if Facter.value(:operatingsystem)=='SLES' && Facter.value(:operatingsystemmajrelease) == "11"
+        if Puppet.runtime[:facter].value(:operatingsystem)=='SLES' && Puppet.runtime[:facter].value(:operatingsystemmajrelease) == "11"
           -1
         else
           ''
         end
       else
-        case Facter.value(:operatingsystem)
+        case Puppet.runtime[:facter].value(:operatingsystem)
         when 'Solaris'
           # Solaris uses %m/%d/%Y for useradd/usermod
           expiry_year, expiry_month, expiry_day = value.split('-')
@@ -69,6 +72,16 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
      get(:comment)
   end
 
+  def shell
+    return localshell if @resource.forcelocal?
+    get(:shell)
+  end
+
+  def home
+    return localhome if @resource.forcelocal?
+    get(:home)
+  end
+
   def groups
      return localgroups if @resource.forcelocal?
      super
@@ -120,6 +133,16 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     user[:gecos]
   end
 
+  def localshell
+    user = finduser(:account, resource[:name])
+    user[:shell]
+  end
+
+  def localhome
+    user = finduser(:account, resource[:name])
+    user[:directory]
+  end
+
   def localgroups
     @groups_of ||= {}
     group_file = '/etc/group'
@@ -152,6 +175,38 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     set(:groups, value)
   end
 
+  def password=(value)
+    user = @resource[:name]
+    tempfile = Tempfile.new('puppet', :encoding => Encoding::UTF_8)
+    begin
+      # Puppet execute does not support strings as input, only files.
+      # The password is expected to be in an encrypted format given -e is specified:
+      tempfile << "#{user}:#{value}\n"
+      tempfile.flush
+
+      # Options '-e' use encrypted password
+      # Must receive "user:enc_password" as input
+      # command, arguments = {:failonfail => true, :combine => true}
+      cmd = [command(:chpasswd), '-e']
+      execute_options = {
+        :failonfail => false,
+        :combine => true,
+        :stdinfile => tempfile.path,
+        :sensitive => has_sensitive_data?
+      }
+      output = execute(cmd, execute_options)
+
+    rescue => detail
+      tempfile.close
+      tempfile.delete
+      raise Puppet::Error, "Could not set password on #{@resource.class.name}[#{@resource.name}]: #{detail}", detail.backtrace
+    end
+
+    # chpasswd can return 1, even on success (at least on AIX 6.1); empty output
+    # indicates success
+    raise Puppet::ExecutionFailure, "chpasswd said #{output}" if output != ''
+  end
+
   verify :gid, "GID must be an integer" do |value|
     value.is_a? Integer
   end
@@ -161,7 +216,7 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
   end
 
   has_features :manages_homedir, :allows_duplicates, :manages_expiry
-  has_features :system_users unless %w{HP-UX Solaris}.include? Facter.value(:operatingsystem)
+  has_features :system_users unless %w{HP-UX Solaris}.include? Puppet.runtime[:facter].value(:operatingsystem)
 
   has_features :manages_passwords, :manages_password_age if Puppet.features.libshadow?
   has_features :manages_shell
@@ -196,8 +251,8 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
       # libuser does not implement the -m flag
       cmd << "-m" unless @resource.forcelocal?
     else
-      osfamily = Facter.value(:osfamily)
-      osversion = Facter.value(:operatingsystemmajrelease).to_i
+      osfamily = Puppet.runtime[:facter].value(:osfamily)
+      osversion = Puppet.runtime[:facter].value(:operatingsystemmajrelease).to_i
       # SLES 11 uses pwdutils instead of shadow, which does not have -M
       # Solaris and OpenBSD use different useradd flavors
       unless osfamily =~ /Solaris|OpenBSD/ || osfamily == 'Suse' && osversion <= 11
@@ -215,13 +270,15 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     end
   end
 
+  # Add properties and flags but skipping password related properties due to
+  # security risks
   def add_properties
     cmd = []
     # validproperties is a list of properties in undefined order
     # sort them to have a predictable command line in tests
     Puppet::Type.type(:user).validproperties.sort.each do |property|
       value = get_value_for_property(property)
-      next if value.nil?
+      next if value.nil? || property == :password
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
       cmd << flag(property) << munge(property, value)
@@ -293,7 +350,7 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
       cmd = [command(:delete)]
     end
     # Solaris `userdel -r` will fail if the homedir does not exist.
-    if @resource.managehome? && (('Solaris' != Facter.value(:operatingsystem)) || Dir.exist?(Dir.home(@resource[:name])))
+    if @resource.managehome? && (('Solaris' != Puppet.runtime[:facter].value(:operatingsystem)) || Dir.exist?(Dir.home(@resource[:name])))
       cmd << '-r'
     end
     cmd << @resource[:name]
@@ -331,13 +388,12 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     if @resource[:shell]
       check_valid_shell
     end
-     super
-     if @resource.forcelocal? && self.groups?
-       set(:groups, @resource[:groups])
-     end
-     if @resource.forcelocal? && @resource[:expiry]
-       set(:expiry, @resource[:expiry])
-     end
+    super
+    if @resource.forcelocal?
+      set(:groups, @resource[:groups]) if self.groups?
+      set(:expiry, @resource[:expiry]) if @resource[:expiry]
+    end
+    set(:password, @resource[:password]) if @resource[:password]
   end
 
   def groups?

data/lib/puppet/provider.rb

@@ -302,7 +302,7 @@ class Puppet::Provider
   #   values. Given one or more Regexp instances, fact is compared via the basic
   #   pattern-matching operator.
   def self.fact_match(fact, values)
-    fact_val = Facter.value(fact).to_s.downcase
+    fact_val = Puppet.runtime[:facter].value(fact).to_s.downcase
     if fact_val.empty?
       return false
     else

data/lib/puppet/reference/providers.rb

@@ -15,7 +15,7 @@ providers = Puppet::Util::Reference.newreference :providers, :title => "Provider
   # Throw some facts in there, so we know where the report is from.
   ["Ruby Version", "Puppet Version", "Operating System", "Operating System Release"].each do |label|
     name = label.gsub(/\s+/, '')
-    value = Facter.value(name)
+    value = Puppet.runtime[:facter].value(name)
     ret << option(label, value)
   end
   ret << "\n"
@@ -61,7 +61,7 @@ providers = Puppet::Util::Reference.newreference :providers, :title => "Provider
               if Puppet.settings.valid?(name)
                 details << _("  - Setting %{name} (currently %{value}) not in list %{facts}\n") % { name: name, value: Puppet.settings.value(name).inspect, facts: facts.join(", ") }
               else
-                details << _("  - Fact %{name} (currently %{value}) not in list %{facts}\n") % { name: name, value: Facter.value(name).inspect, facts: facts.join(", ") }
+                details << _("  - Fact %{name} (currently %{value}) not in list %{facts}\n") % { name: name, value: Puppet.runtime[:facter].value(name).inspect, facts: facts.join(", ") }
               end
             end
           when :true

data/lib/puppet/resource/type_collection.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'puppet/parser/type_loader'
 require 'puppet/util/file_watcher'
 require 'puppet/util/warnings'

data/lib/puppet/runtime.rb

@@ -1,4 +1,5 @@
 require 'puppet/http'
+require 'puppet/facter_impl'
 require 'singleton'
 
 # Provides access to runtime implementations.
@@ -17,11 +18,20 @@ class Puppet::Runtime
         else
           Puppet::HTTP::ExternalClient.new(klass)
         end
-      end
+      end,
+      facter: proc { Puppet::FacterImpl.new }
     }
   end
   private :initialize
 
+  # Loads all runtime implementations.
+  #
+  # @return Array[Symbol] the names of loaded implementations
+  # @api private
+  def load_services
+    @runtime_services.keys.each { |key| self[key] }
+  end
+
   # Get a runtime implementation.
   #
   # @param name [Symbol] the name of the implementation

data/lib/puppet/settings.rb

@@ -75,11 +75,11 @@ class Puppet::Settings
   end
 
   def self.hostname_fact()
-    Facter.value :hostname
+    Puppet.runtime[:facter].value :hostname
   end
 
   def self.domain_fact()
-    Facter.value :domain
+    Puppet.runtime[:facter].value :domain
   end
 
   def self.default_config_file_name

data/lib/puppet/test/test_helper.rb

@@ -142,7 +142,9 @@ module Puppet::Test
         },
         "Context for specs")
 
-      Puppet.runtime.clear
+      # trigger `require 'facter'`
+      Puppet.runtime[:facter]
+
       Puppet::Parser::Functions.reset
       Puppet::Application.clear!
       Puppet::Util::Profiler.clear
@@ -169,6 +171,7 @@ module Puppet::Test
 
       Puppet::Util::Storage.clear
       Puppet::Util::ExecutionStub.reset
+      Puppet.runtime.clear
 
       Puppet.clear_deprecation_warnings
 

data/lib/puppet/transaction/persistence.rb

@@ -87,7 +87,17 @@ class Puppet::Transaction::Persistence
 
   # Save data from internal class to persistence store on disk.
   def save
-    Puppet::Util::Yaml.dump(@new_data, Puppet[:transactionstorefile])
+    converted_data = Puppet::Pops::Serialization::ToDataConverter.convert(
+      @new_data, {
+        symbol_as_string: false,
+        local_reference: false,
+        type_by_reference: true,
+        force_symbol: true,
+        silence_warnings: true,
+        message_prefix: to_s
+      }
+    )
+    Puppet::Util::Yaml.dump(converted_data, Puppet[:transactionstorefile])
   end
 
   # Use the catalog and run_mode to determine if persistence should be enabled or not

data/lib/puppet/transaction/report.rb

@@ -77,6 +77,10 @@ class Puppet::Transaction::Report
   # @return [String] the environment name
   attr_accessor :environment
 
+  # The name of the environment the agent initially started in
+  # @return [String] the environment name
+  attr_accessor :initial_environment
+
   # Whether there are changes that we decided not to apply because of noop
   # @return [Boolean]
   #
@@ -377,7 +381,17 @@ class Puppet::Transaction::Report
   # @api public
   #
   def raw_summary
-    report = { "version" => { "config" => configuration_version, "puppet" => Puppet.version  } }
+    report = {
+      "version" => {
+        "config" => configuration_version,
+        "puppet" => Puppet.version
+      },
+      "application" => {
+        "run_mode" => Puppet.run_mode.name.to_s,
+        "initial_environment" => initial_environment,
+        "converged_environment" => environment
+      }
+    }
 
     @metrics.each do |name, metric|
       key = metric.name.to_s

data/lib/puppet/type/exec.rb

@@ -11,7 +11,10 @@ module Puppet
 
       * The command itself is already idempotent. (For example, `apt-get update`.)
       * The exec has an `onlyif`, `unless`, or `creates` attribute, which prevents
-        Puppet from running the command unless some condition is met.
+        Puppet from running the command unless some condition is met. The
+        `onlyif` and `unless` commands of an `exec` are used in the process of
+        determining whether the `exec` is already in sync, therefore they must be run
+        during a noop Puppet run.
       * The exec has `refreshonly => true`, which allows Puppet to run the
         command only when some other resource is changed. (See the notes on refreshing
         below.) 
@@ -198,7 +201,15 @@ module Puppet
         any output is logged at the `err` log level.
 
         Multiple `exec` resources can use the same `command` value; Puppet
-        only uses the resource title to ensure `exec`s are unique."
+        only uses the resource title to ensure `exec`s are unique.
+
+        On *nix platforms, the command can be specified as an array of
+        strings and Puppet will invoke it using the more secure method of
+        parameterized system calls. For example, rather than executing the
+        malicious injected code, this command will echo it out:
+
+            command => ['/bin/echo', 'hello world; rm -rf /']
+      "
 
       validate do |command|
         unless command.is_a?(String) || command.is_a?(Array)
@@ -456,6 +467,9 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
+        Since this command is used in the process of determining whether the
+        `exec` is already in sync, it must be run during a noop Puppet run.
+
         This parameter can also take an array of commands. For example:
 
             unless => ['test -f /tmp/file1', 'test -f /tmp/file2'],
@@ -516,6 +530,9 @@ module Puppet
         `user`, `cwd`, and `group` as the main command. If the `path` isn't set, you
         must fully qualify the command's name.
 
+        Since this command is used in the process of determining whether the
+        `exec` is already in sync, it must be run during a noop Puppet run.
+
         This parameter can also take an array of commands. For example:
 
             onlyif => ['test -f /tmp/file1', 'test -f /tmp/file2'],

data/lib/puppet/type/file.rb

@@ -93,23 +93,23 @@ Puppet::Type.newtype(:file) do
 
       Backing up to a local filebucket isn't particularly useful. If you want
       to make organized use of backups, you will generally want to use the
-      puppet master server's filebucket service. This requires declaring a
+      primary Puppet server's filebucket service. This requires declaring a
       filebucket resource and a resource default for the `backup` attribute
       in site.pp:
 
           # /etc/puppetlabs/puppet/manifests/site.pp
           filebucket { 'main':
             path   => false,                # This is required for remote filebuckets.
-            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
+            server => 'puppet.example.com', # Optional; defaults to the configured primary Puppet server.
           }
 
           File { backup => main, }
 
-      If you are using multiple puppet master servers, you will want to
+      If you are using multiple primary servers, you will want to
       centralize the contents of the filebucket. Either configure your load
-      balancer to direct all filebucket traffic to a single master, or use
+      balancer to direct all filebucket traffic to a single primary server, or use
       something like an out-of-band rsync task to synchronize the content on all
-      masters.
+      primary servers.
 
       > **Note**: Enabling and using the backup option, and by extension the 
         filebucket resource, requires appropriate planning and management to ensure 
@@ -361,7 +361,7 @@ Puppet::Type.newtype(:file) do
       This command must have a fully qualified path, and should contain a
       percent (`%`) token where it would expect an input file. It must exit `0`
       if the syntax is correct, and non-zero otherwise. The command will be
-      run on the target system while applying the catalog, not on the puppet master.
+      run on the target system while applying the catalog, not on the primary Puppet server.
 
       Example:
 

data/lib/puppet/type/filebucket.rb

@@ -4,8 +4,8 @@ module Puppet
   Type.newtype(:filebucket) do
     @doc = <<-EOT
       A repository for storing and retrieving file content by MD5 checksum. Can
-      be local to each agent node, or centralized on a puppet master server. All
-      puppet masters provide a filebucket service that agent nodes can access
+      be local to each agent node, or centralized on a primary Puppet server. All
+      puppet servers provide a filebucket service that agent nodes can access
       via HTTP, but you must declare a filebucket resource before any agents
       will do so.
 
@@ -25,7 +25,7 @@ module Puppet
           # /etc/puppetlabs/puppet/manifests/site.pp
           filebucket { 'main':
             path   => false,                # This is required for remote filebuckets.
-            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
+            server => 'puppet.example.com', # Optional; defaults to the configured primary server.
           }
 
           File { backup => main, }

data/lib/puppet/type/group.rb

@@ -1,5 +1,4 @@
 require 'etc'
-require 'facter'
 require 'puppet/property/keyvalue'
 require 'puppet/parameter/boolean'
 

data/lib/puppet/type/resources.rb

@@ -175,7 +175,7 @@ Puppet::Type.newtype(:resources) do
     end
 
     # Otherwise, use a sensible default based on the OS family
-    @system_users_max_uid ||= case Facter.value(:osfamily)
+    @system_users_max_uid ||= case Puppet.runtime[:facter].value(:osfamily)
       when 'OpenBSD', 'FreeBSD'
         999
       else

data/lib/puppet/type/service.rb

@@ -272,9 +272,14 @@ module Puppet
 
     newparam(:timeout, :required_features => :configurable_timeout) do
       desc "Specify an optional minimum timeout (in seconds) for puppet to wait when syncing service properties"
-      defaultto { provider.class.respond_to?(:default_timeout) ? provider.default_timeout : 10 }
-      validate do |value|
-        if (not value.is_a? Integer) || value < 1
+      defaultto { provider.respond_to?(:default_timeout) ? provider.default_timeout : 10 }
+
+      munge do |value|
+        begin
+          value = value.to_i
+          raise if value < 1
+          value
+        rescue
           raise Puppet::Error.new(_("\"%{value}\" is not a positive integer: the timeout parameter must be specified as a positive integer") % { value: value })
         end
       end

data/lib/puppet/type/user.rb

@@ -1,5 +1,4 @@
 require 'etc'
-require 'facter'
 require 'puppet/parameter/boolean'
 require 'puppet/property/list'
 require 'puppet/property/ordered_list'

data/lib/puppet/type.rb

@@ -1295,7 +1295,7 @@ class Type
       like it does when running normally. However, if a resource attribute is not in
       the desired state (as declared in the catalog), Puppet will take no
       action, and will instead report the changes it _would_ have made. These
-      simulated changes will appear in the report sent to the puppet master, or
+      simulated changes will appear in the report sent to the primary Puppet server, or
       be shown on the console if running puppet agent or puppet apply in the
       foreground. The simulated changes will not send refresh events to any
       subscribing or notified resources, although Puppet will log that a refresh

data/lib/puppet/util/command_line.rb

@@ -135,7 +135,7 @@ module Puppet
 
               # Puppet requires Facter, which initializes its lookup paths. Reset Facter to
               # pickup the new $LOAD_PATH.
-              Facter.reset
+              Puppet.runtime[:facter].reset
             end
           end
 

data/lib/puppet/util/filetype.rb

@@ -215,7 +215,7 @@ class Puppet::Util::FileType
     # Remove a specific @path's cron tab.
     def remove
       cmd = "#{cmdbase} -r"
-      if %w{Darwin FreeBSD DragonFly}.include?(Facter.value("operatingsystem"))
+      if %w{Darwin FreeBSD DragonFly}.include?(Puppet.runtime[:facter].value("operatingsystem"))
         cmd = "/bin/echo yes | #{cmd}"
       end
 
@@ -244,7 +244,7 @@ class Puppet::Util::FileType
     # Only add the -u flag when the @path is different.  Fedora apparently
     # does not think I should be allowed to set the @path to my own user name
     def cmdbase
-      if @uid == Puppet::Util::SUIDManager.uid || Facter.value(:operatingsystem) == "HP-UX"
+      if @uid == Puppet::Util::SUIDManager.uid || Puppet.runtime[:facter].value(:operatingsystem) == "HP-UX"
         return "crontab"
       else
         return "crontab -u #{@path}"

data/lib/puppet/util/json.rb

@@ -60,6 +60,9 @@ module Puppet::Util
     def self.dump(object, options = {})
       if defined? MultiJson
         MultiJson.dump(object, options)
+      elsif options.is_a?(JSON::State)
+        # we're being called recursively
+        object.to_json(options)
       else
         options.merge!(::JSON::PRETTY_STATE_PROTOTYPE.to_h) if options.delete(:pretty)
         object.to_json(options)

data/lib/puppet/util/log.rb

@@ -2,7 +2,6 @@ require 'puppet/util/tagging'
 require 'puppet/util/classgen'
 require 'puppet/util/psych_support'
 require 'puppet/network/format_support'
-require 'facter'
 
 # Pass feedback to the user.  Log levels are modeled after syslog's, and it is
 # expected that that will be the most common log destination.  Supports
@@ -111,7 +110,7 @@ class Puppet::Util::Log
     @loglevel = @levels.index(level)
 
     # Enable or disable Facter debugging
-    Facter.debugging(level == :debug) if Facter.respond_to? :debugging
+    Puppet.runtime[:facter].debugging(level == :debug)
   end
 
   def Log.levels

data/lib/puppet/util/logging.rb

@@ -2,8 +2,6 @@
 require 'puppet/util/log'
 require 'puppet/error'
 
-require 'facter'
-
 module Puppet::Util
 module Logging
 
@@ -254,29 +252,7 @@ module Logging
   # Sets up Facter logging.
   # This method causes Facter output to be forwarded to Puppet.
   def self.setup_facter_logging!
-    # Only recent versions of Facter support this feature
-    return false unless Facter.respond_to? :on_message
-
-    # The current Facter log levels are: :trace, :debug, :info, :warn, :error, and :fatal.
-    # Convert to the corresponding levels in Puppet
-    Facter.on_message do |level, message|
-      case level
-      when :trace, :debug
-        level = :debug
-      when :info
-        # Same as Puppet
-      when :warn
-        level = :warning
-      when :error
-        level = :err
-      when :fatal
-        level = :crit
-      else
-        next
-      end
-      Puppet::Util::Log.create({:level => level, :source => 'Facter', :message => message})
-      nil
-    end
+    Puppet.runtime[:facter]
     true
   end
 

data/lib/puppet/util/pidlock.rb

@@ -46,7 +46,7 @@ class Puppet::Util::Pidlock
   private
 
   def ps_argument_for_current_kernel
-    case Facter.value(:kernel)
+    case Puppet.runtime[:facter].value(:kernel)
       when "Linux"
         "-eq"
       when "AIX"

data/lib/puppet/util/rdoc/parser/puppet_parser_core.rb

@@ -154,7 +154,7 @@ module RDoc::PuppetParserCore
         # fetch comments
         if line =~ /^[ \t]*# ?(.*)$/
           comments += $1 + "\n"
-        elsif line =~ /^[ \t]*Facter.add\(['"](.*?)['"]\)/
+        elsif line =~ /^[ \t]*(Facter.add|Puppet\.runtime\[:facter\].add)\(['"](.*?)['"]\)/
           current_fact = RDoc::Fact.new($1,{})
           look_for_directives_in(container, comments) unless comments.empty?
           current_fact.comment = comments

data/lib/puppet/util/suidmanager.rb

@@ -1,4 +1,3 @@
-require 'facter'
 require 'puppet/util/warnings'
 require 'forwardable'
 require 'etc'
@@ -18,7 +17,7 @@ module Puppet::Util::SUIDManager
 
   def osx_maj_ver
     return @osx_maj_ver unless @osx_maj_ver.nil?
-    @osx_maj_ver = Facter.value('macosx_productversion_major') || false
+    @osx_maj_ver = Puppet.runtime[:facter].value('macosx_productversion_major') || false
   end
   module_function :osx_maj_ver
 

data/lib/puppet/util/tagging.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'puppet/util/tag_set'
 
 module Puppet::Util::Tagging

data/lib/puppet/util/windows/user.rb

@@ -1,6 +1,4 @@
 require 'puppet/util/windows'
-
-require 'facter'
 require 'ffi'
 
 module Puppet::Util::Windows::User

data/lib/puppet/util.rb

@@ -763,12 +763,13 @@ module Util
   # Executes a block of code, wrapped around Facter.load_external(false) and
   # Facter.load_external(true) which will cause Facter to not evaluate external facts.
   def skip_external_facts
-    return yield unless Facter.respond_to? :load_external
+    return yield unless Puppet.runtime[:facter].load_external?
+
     begin
-      Facter.load_external(false)
+      Puppet.runtime[:facter].load_external(false)
       yield
     ensure
-      Facter.load_external(true)
+      Puppet.runtime[:facter].load_external(true)
     end
   end
   module_function :skip_external_facts

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '6.24.0'
+  PUPPETVERSION = '6.25.0'
 
   ##
   # version is a public API method intended to always provide a fast and