puppet 6.25.0-universal-darwin → 6.27.0-universal-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4a69790e629afa10ee25ecc00a28e2404f9a74011386ae193c3af640632a4d63
-  data.tar.gz: ab6172abe15adda91b4285964adb04e7d62db5490b68abf81f27adc23b4d6e74
+  metadata.gz: 75ff4ca199a268dc90aa6fe8e32882bf92bf7c35ddd6d0520c9991f1e16e0223
+  data.tar.gz: a41173a9cdee61c24c191c6a719ef33360b613d112a5e1da6e199c1bffe57bc9
 SHA512:
-  metadata.gz: b4d3e9e4c588a512162c065c8e81878f1d163b69ea928625e2cbdf96e7a3c97031292f32b57b9c4fef2f43d9c7b70f6a4e07eaeed10a3749247c46ce51969dc2
-  data.tar.gz: 5952cc4ef392cdbb8be1c53e4a5706793ffa1d8adf9ea55497eccd4f249d6c990fea201f33718d52a6a48869d466bb467a054cee9a1a881eb1cdea60a0810916
+  metadata.gz: 7012be95fad830749e210d5ddec95e0cc92976ed92c2cf65301dbbcd2acf782773755e88bc83ee0bd5ed912582a88c66592a66a69d9c41de391927752b9fc6c6
+  data.tar.gz: 967d852cbf0e1b8c8f2cc154ac7fa8316a8131044314a758295ca2f75a8cfa6537e4f69a3e99f88847b9df4cccc380e44b7b919c1e161954e484403d4b884504

data/CODEOWNERS

@@ -1,5 +1,5 @@
 # defaults
-* @puppetlabs/platform-core @puppetlabs/puppetserver-maintainers @puppetlabs/night-s-watch
+* @puppetlabs/phoenix @puppetlabs/puppetserver-maintainers
 
 # PAL
 /lib/puppet/pal @puppetlabs/bolt

data/Gemfile

@@ -3,7 +3,7 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org"
 gemspec
 
 def location_for(place, fake_version = nil)
-  if place.is_a?(String) && place =~ /^(git[:@][^#]*)#(.*)/
+  if place.is_a?(String) && place =~ /^((?:git[:@]|https:)[^#]*)#(.*)/
     [fake_version, { git: $1, branch: $2, require: false }].compact
   elsif place.is_a?(String) && place =~ /^file:\/\/(.*)/
     ['>= 0', { path: File.expand_path($1), require: false }]
@@ -29,7 +29,7 @@ group(:features) do
   #gem 'ruby-shadow', '~> 2.5', require: false, platforms: [:ruby]
   gem 'minitar', '~> 0.9', require: false
   gem 'msgpack', '~> 1.2', require: false
-  gem 'rdoc', '~> 6.0', require: false, platforms: [:ruby]
+  gem 'rdoc', ['~> 6.0', '< 6.4.0'], require: false, platforms: [:ruby]
   # requires native augeas headers/libs
   # gem 'ruby-augeas', require: false, platforms: [:ruby]
   # requires native ldap headers/libs

data/Gemfile.lock

@@ -1,10 +1,11 @@
 GIT
-  remote: git://github.com/puppetlabs/packaging
-  revision: 48564f11abbc1f61a159d9caa44c8236d910575a
+  remote: https://github.com/puppetlabs/packaging
+  revision: 6f7b1ff00ab557f6a47f3f553cc87ec15d718470
   branch: 1.0.x
   specs:
-    packaging (0.99.81)
-      artifactory (~> 2)
+    packaging (0.106.0.27.g6f7b1ff)
+      apt_stage_artifacts
+      artifactory (~> 3)
       csv (= 3.1.5)
       rake (>= 12.3)
       release-metrics
@@ -12,7 +13,7 @@ GIT
 PATH
   remote: .
   specs:
-    puppet (6.25.0)
+    puppet (6.27.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -30,21 +31,23 @@ GEM
     CFPropertyList (2.3.6)
     addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
-    artifactory (2.8.2)
+    apt_stage_artifacts (0.10.1)
+      docopt
+    artifactory (3.0.15)
     ast (2.4.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.9)
+    concurrent-ruby (1.1.10)
     crack (0.4.5)
       rexml
     csv (3.1.5)
-    deep_merge (1.2.1)
-    diff-lcs (1.4.4)
+    deep_merge (1.2.2)
+    diff-lcs (1.5.0)
     docopt (0.6.1)
-    facter (4.2.5)
+    facter (4.2.9)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
     fast_gettext (1.1.2)
-    ffi (1.15.4)
+    ffi (1.15.5)
     gettext (3.2.9)
       locale (>= 2.0.5)
       text (>= 1.3.0)
@@ -53,7 +56,7 @@ GEM
       gettext (>= 3.0.2, < 3.3.0)
       locale
     hashdiff (1.0.1)
-    hiera (3.7.0)
+    hiera (3.8.0)
     hiera-eyaml (3.2.2)
       highline
       optimist
@@ -67,11 +70,11 @@ GEM
     memory_profiler (1.0.0)
     method_source (1.0.0)
     minitar (0.9)
-    msgpack (1.4.2)
+    msgpack (1.5.0)
     multi_json (1.15.0)
     mustache (1.1.1)
     optimist (3.0.1)
-    parallel (1.21.0)
+    parallel (1.22.1)
     parser (2.7.2.0)
       ast (~> 2.4.1)
     powerpack (0.1.3)
@@ -81,14 +84,14 @@ GEM
     public_suffix (4.0.6)
     puppet-resource_api (1.8.14)
       hocon (>= 1.0)
-    puppetserver-ca (1.11.6)
+    puppetserver-ca (1.11.7)
       facter (>= 2.0.1, < 5)
     racc (1.5.2)
     rainbow (2.2.2)
       rake
     rake (12.3.3)
     rdiscount (2.2.0.2)
-    rdoc (6.3.2)
+    rdoc (6.3.3)
     release-metrics (1.1.0)
       csv
       docopt
@@ -97,22 +100,22 @@ GEM
       hpricot (>= 0.8.2)
       mustache (>= 0.7.0)
       rdiscount (>= 1.5.8)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
+      rspec-support (~> 3.11.0)
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.10.2)
+    rspec-mocks (3.11.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.0)
     rubocop (0.49.1)
       parallel (~> 1.10)
       parser (>= 2.3.3.1, < 3.0)
@@ -124,19 +127,22 @@ GEM
       rubocop (~> 0.49.0)
     ruby-prof (1.4.3)
     ruby-progressbar (1.11.0)
+    scanf (1.0.0)
     semantic_puppet (1.0.4)
     text (1.3.1)
-    thor (1.1.0)
+    thor (1.2.1)
     unicode-display_width (1.8.0)
     vcr (5.1.0)
     webmock (3.14.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    yard (0.9.26)
+    webrick (1.7.0)
+    yard (0.9.27)
+      webrick (~> 1.7.0)
 
 PLATFORMS
-  ruby
+  x86_64-linux
 
 DEPENDENCIES
   diff-lcs (~> 1.3)
@@ -155,7 +161,7 @@ DEPENDENCIES
   puppetserver-ca (~> 1.1)
   racc (= 1.5.2)
   rake (~> 12.2)
-  rdoc (~> 6.0)
+  rdoc (~> 6.0, < 6.4.0)
   ronn (~> 0.7.3)
   rspec (~> 3.1)
   rspec-expectations (~> 3.9, != 3.9.3)
@@ -163,10 +169,11 @@ DEPENDENCIES
   rubocop (~> 0.49)
   rubocop-i18n (~> 1.2.0)
   ruby-prof (>= 0.16.0)
+  scanf
   semantic_puppet (~> 1.0)
   vcr (~> 5.0)
   webmock (~> 3.0)
   yard
 
 BUNDLED WITH
-   1.17.3
+   2.3.9

data/lib/puppet/application/lookup.rb

@@ -7,6 +7,7 @@ class Puppet::Application::Lookup < Puppet::Application
 
   RUN_HELP = _("Run 'puppet lookup --help' for more details").freeze
   DEEP_MERGE_OPTIONS = '--knock-out-prefix, --sort-merged-arrays, and --merge-hash-arrays'.freeze
+  TRUSTED_INFORMATION_FACTS = ["hostname", "domain", "fqdn", "clientcert"].freeze
 
   run_mode :server
 
@@ -54,11 +55,7 @@ class Puppet::Application::Lookup < Puppet::Application
   end
 
   option('--facts FACT_FILE') do |arg|
-    if %w{.yaml .yml .json}.include?(arg.match(/\.[^.]*$/)[0])
-      options[:fact_file] = arg
-    else
-      raise _("The --fact file only accepts yaml and json files.\n%{run_help}") % { run_help: RUN_HELP }
-    end
+    options[:fact_file] = arg
   end
 
   def app_defaults
@@ -137,7 +134,9 @@ DESCRIPTION
 The lookup command is a CLI for Puppet's 'lookup()' function. It searches your
 Hiera data and returns a value for the requested lookup key, so you can test and
 explore your data. It is a modern replacement for the 'hiera' command.
-
+Lookup uses the setting for global hiera.yaml from puppet's config,
+and the environment to find the environment level hiera.yaml as well as the
+resulting modulepath for the environment (for hiera.yaml files in modules).
 Hiera usually relies on a node's facts to locate the relevant data sources. By
 default, 'puppet lookup' uses facts from the node you run the command on, but
 you can get data for any other node with the '--node <NAME>' option. If
@@ -186,7 +185,8 @@ OPTIONS
 * --environment <ENV>
   Like with most Puppet commands, you can specify an environment on the command
   line. This is important for lookup because different environments can have
-  different Hiera data.
+  different Hiera data. This environment will be always be the one used regardless
+  of any other factors.
 
 * --merge first|unique|hash|deep:
   Specify the merge behavior, overriding any merge behavior from the data's
@@ -237,6 +237,13 @@ EXAMPLE
   To look up 'key_name' using the Puppet Server node's facts:
   $ puppet lookup key_name
 
+  To look up 'key_name' using the Puppet Server node's arbitrary variables from a manifest, and 
+  classify the node if applicable:
+  $ puppet lookup key_name --compile
+
+  To look up 'key_name' using the Puppet Server node's facts, overridden by facts given in a file:
+  $ puppet lookup key_name --facts fact_file.yaml
+
   To look up 'key_name' with agent.local's facts:
   $ puppet lookup --node agent.local key_name
 
@@ -341,31 +348,62 @@ Copyright (c) 2015 Puppet Inc., LLC Licensed under the Apache 2.0 License
       Puppet.settings[:facts_terminus] = 'facter'
     end
 
-    unless node.is_a?(Puppet::Node) # to allow unit tests to pass a node instance
-      ni = Puppet::Node.indirection
-      tc = ni.terminus_class
-      if tc == :plain || options[:compile]
-        node = ni.find(node)
-      else
-        ni.terminus_class = :plain
-        node = ni.find(node)
-        ni.terminus_class = tc
-      end
-    end
-
     fact_file = options[:fact_file]
 
     if fact_file
-      if fact_file.end_with?("json")
-        given_facts = Puppet::Util::Json.load(Puppet::FileSystem.read(fact_file, :encoding => 'utf-8'))
-      else
+      if fact_file.end_with?('.json')
+        given_facts = Puppet::Util::Json.load_file(fact_file)
+      elsif fact_file.end_with?('.yml', '.yaml')
         given_facts = Puppet::Util::Yaml.safe_load_file(fact_file)
+      else
+        given_facts = Puppet::Util::Json.load_file_if_valid(fact_file)
+        given_facts = Puppet::Util::Yaml.safe_load_file_if_valid(fact_file) unless given_facts
       end
 
       unless given_facts.instance_of?(Hash)
-        raise _("Incorrect formatted data in %{fact_file} given via the --facts flag") % { fact_file: fact_file }
+        raise _("Incorrectly formatted data in %{fact_file} given via the --facts flag (only accepts yaml and json files)") % { fact_file: fact_file }
+      end
+
+      if TRUSTED_INFORMATION_FACTS.any? { |key| given_facts.key? key }
+        unless TRUSTED_INFORMATION_FACTS.all? { |key| given_facts.key? key }
+          raise _("When overriding any of the %{trusted_facts_list} facts with %{fact_file} "\
+            "given via the --facts flag, they must all be overridden.") % { fact_file: fact_file ,trusted_facts_list: TRUSTED_INFORMATION_FACTS.join(',')}
+        end
       end
-      node.add_extra_facts(given_facts)
+    end
+
+    unless node.is_a?(Puppet::Node) # to allow unit tests to pass a node instance
+      facts = retrieve_node_facts(node, given_facts)
+      ni = Puppet::Node.indirection
+      tc = ni.terminus_class
+      if options[:compile] && !Puppet.settings.set_by_cli?('environment')
+        if tc == :plain
+          node = ni.find(node, facts: facts)
+        else
+          begin
+            service = Puppet.runtime[:http]
+            session = service.create_session
+            cert = session.route_to(:ca)
+
+            _, x509 = cert.get_certificate(node)
+            cert = OpenSSL::X509::Certificate.new(x509)
+            Puppet::SSL::Oids.register_puppet_oids
+            trusted = Puppet::Context::TrustedInformation.remote(true, facts.values['certname'] || node, Puppet::SSL::Certificate.from_instance(cert))
+            Puppet.override(trusted_information: trusted) do
+              node = ni.find(node, facts: facts)
+            end
+          rescue
+            Puppet.warning _("CA is not available, the operation will continue without using trusted facts.")
+            node = ni.find(node, facts: facts)
+          end
+        end
+      else
+        ni.terminus_class = :plain
+        node = ni.find(node, facts: facts, environment: Puppet[:environment])
+        ni.terminus_class = tc
+      end
+    else
+      node.add_extra_facts(given_facts) if given_facts
     end
 
     Puppet[:code] = 'undef' unless options[:compile]
@@ -378,4 +416,16 @@ Copyright (c) 2015 Puppet Inc., LLC Licensed under the Apache 2.0 License
       compiler.compile { |catalog| yield(compiler.topscope); catalog }
     end
   end
+
+  def retrieve_node_facts(node, given_facts)
+    facts = Puppet::Node::Facts.indirection.find(node, :environment => Puppet.lookup(:current_environment))
+
+    facts = Puppet::Node::Facts.new(node, {}) if facts.nil?
+    facts.add_extra_values(given_facts) if given_facts
+
+    if facts.values.empty?
+      raise _("No facts available for target node: %{node}") % { node: node}
+    end
+    facts
+  end
 end

data/lib/puppet/concurrent/thread_local_singleton.rb

@@ -5,10 +5,12 @@ module Puppet
       def singleton
         key = (name + ".singleton").intern
         thread = Thread.current
-        unless thread.thread_variable?(key)
-          thread.thread_variable_set(key, new)
+        value = thread.thread_variable_get(key)
+        if value.nil?
+          value = new
+          thread.thread_variable_set(key, value)
         end
-        thread.thread_variable_get(key)
+        value
       end
     end
   end

data/lib/puppet/configurer.rb

@@ -302,9 +302,16 @@ class Puppet::Configurer
       # We only need to find out the environment to run in if we don't already have a catalog
       unless (cached_catalog || options[:catalog] || Puppet.settings.set_by_cli?(:environment) || Puppet[:strict_environment_mode])
         Puppet.debug(_("Environment not passed via CLI and no catalog was given, attempting to find out the last server-specified environment"))
-        if last_server_specified_environment
-          @environment = last_server_specified_environment
-          report.environment = last_server_specified_environment
+        initial_environment, loaded_last_environment = last_server_specified_environment
+
+        unless Puppet[:use_last_environment] && loaded_last_environment
+          Puppet.debug(_("Requesting environment from the server"))
+          initial_environment = current_server_specified_environment(@environment, configured_environment, options)
+        end
+
+        if initial_environment
+          @environment = initial_environment
+          report.environment = initial_environment
 
           push_current_environment_and_loaders
         else
@@ -323,7 +330,7 @@ class Puppet::Configurer
       temp_value = options[:pluginsync]
 
       # only validate server environment if pluginsync is requested
-      options[:pluginsync] = valid_server_environment? if options[:pluginsync] == true
+      options[:pluginsync] = valid_server_environment? if options[:pluginsync]
 
       query_options, facts = get_facts(options) unless query_options
       options[:pluginsync] = temp_value
@@ -436,7 +443,11 @@ class Puppet::Configurer
       true
     rescue Puppet::HTTP::ResponseError => detail
       if detail.response.code == 404
-        Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
+        if Puppet[:strict_environment_mode]
+          raise Puppet::Error.new(_("Environment '%{environment}' not found on server, aborting run.") % { environment: @environment })
+        else
+          Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
+        end
       else
         Puppet.log_exception(detail, detail.message)
       end
@@ -463,24 +474,67 @@ class Puppet::Configurer
   end
   private :find_functional_server
 
+  #
+  # @api private
+  #
+  # Read the last server-specified environment from the lastrunfile. The
+  # environment is considered to be server-specified if the values of
+  # `initial_environment` and `converged_environment` are different.
+  #
+  # @return [String, Boolean] An array containing a string with the environment
+  #   read from the lastrunfile in case the server is authoritative, and a
+  #   boolean marking whether the last environment was correctly loaded.
   def last_server_specified_environment
-    return @last_server_specified_environment if @last_server_specified_environment
+    return @last_server_specified_environment, @loaded_last_environment if @last_server_specified_environment
+
     if Puppet::FileSystem.exist?(Puppet[:lastrunfile])
       summary = Puppet::Util::Yaml.safe_load_file(Puppet[:lastrunfile])
-      return unless summary.dig('application', 'run_mode') == 'agent'
-      initial_environment = summary.dig('application', 'initial_environment')
-      converged_environment = summary.dig('application', 'converged_environment')
+      return [nil, nil] unless summary['application']['run_mode'] == 'agent'
+      initial_environment = summary['application']['initial_environment']
+      converged_environment = summary['application']['converged_environment']
       @last_server_specified_environment = converged_environment if initial_environment != converged_environment
+      Puppet.debug(_("Successfully loaded last environment from the lastrunfile"))
+      @loaded_last_environment = true
     end
 
     Puppet.debug(_("Found last server-specified environment: %{environment}") % { environment: @last_server_specified_environment }) if @last_server_specified_environment
-    @last_server_specified_environment
+    [@last_server_specified_environment, @loaded_last_environment]
   rescue => detail
     Puppet.debug(_("Could not find last server-specified environment: %{detail}") % { detail: detail })
-    nil
+    [nil, nil]
   end
   private :last_server_specified_environment
 
+  def current_server_specified_environment(current_environment, configured_environment, options)
+    return @server_specified_environment if @server_specified_environment
+
+    begin
+      node_retr_time = thinmark do
+        node = Puppet::Node.indirection.find(Puppet[:node_name_value],
+                                             :environment => Puppet::Node::Environment.remote(current_environment),
+                                             :configured_environment => configured_environment,
+                                             :ignore_cache => true,
+                                             :transaction_uuid => @transaction_uuid,
+                                             :fail_on_404 => true)
+
+        @server_specified_environment = node.environment_name.to_s
+
+        if @server_specified_environment != @environment
+          Puppet.notice _("Local environment: '%{local_env}' doesn't match server specified node environment '%{node_env}', switching agent to '%{node_env}'.") % { local_env: @environment, node_env: @server_specified_environment }
+        end
+      end
+
+      options[:report].add_times(:node_retrieval, node_retr_time)
+
+      @server_specified_environment
+    rescue => detail
+      Puppet.warning(_("Unable to fetch my node definition, but the agent run will continue:"))
+      Puppet.warning(detail)
+      nil
+    end
+  end
+  private :current_server_specified_environment
+
   def send_report(report)
     puts report.summary if Puppet[:summarize]
     save_last_run_summary(report)

data/lib/puppet/defaults.rb

@@ -442,6 +442,17 @@ module Puppet
         <https://puppet.com/docs/puppet/latest/environments_about.html>",
       :type    => :path,
     },
+    :use_last_environment => {
+      :type     => :boolean,
+      :default  => true,
+      :desc     => <<-'EOT'
+      Puppet saves both the initial and converged environment in the last_run_summary file.
+      If they differ, and this setting is set to true, we will use the last converged
+      environment and skip the node request.
+
+      When set to false, we will do the node request and ignore the environment data from the last_run_summary file.
+    EOT
+    },
     :always_retry_plugins => {
         :type     => :boolean,
         :default  => true,
@@ -800,6 +811,12 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
       :owner    => "service",
       :group    => "service",
       :desc    => "The directory where catalog previews per node are generated."
+    },
+    :location_trusted => {
+      :default => false,
+      :type     => :boolean,
+      :desc    => "This will allow sending the name + password and the cookie header to all hosts that puppet may redirect to.
+        This may or may not introduce a security breach if puppet redirects you to a site to which you'll send your authentication info and cookies."
     }
   )
 
@@ -2050,7 +2067,8 @@ EOT
       :call_hook => :on_initialize_and_write, # Call our hook with the default value, so we always get the value added to facter.
       :hook => proc do |value|
         paths = value.split(File::PATH_SEPARATOR)
-        Puppet.runtime[:facter].search(*paths)
+        facter = Puppet.runtime[:facter]
+        facter.search(*paths)
       end
     }
   )
@@ -2191,8 +2209,6 @@ EOT
       # Call our hook with the default value, so we always get the libdir set.
       :call_hook => :on_initialize_and_write,
       :hook => proc do |value|
-        require 'puppet/node'
-        require 'puppet/node/facts'
         if value
           Puppet::Resource::Catalog.indirection.set_global_setting(:cache_class, :store_configs)
           settings.override_default(:catalog_cache_terminus, :store_configs)

data/lib/puppet/face/generate.rb

@@ -58,6 +58,8 @@ Puppet::Face.define(:generate, '0.1.0') do
       Puppet::FileSystem::mkpath(outputdir)
 
       generator.generate(inputs, outputdir, options[:force])
+
+      exit(1) if generator.bad_input?
       nil
     end
   end

data/lib/puppet/file_serving/metadata.rb

@@ -118,6 +118,9 @@ class Puppet::FileServing::Metadata < Puppet::FileServing::Base
     when "link"
       @destination = Puppet::FileSystem.readlink(real_path)
       @checksum = ("{#{@checksum_type}}") + send("#{@checksum_type}_file", real_path).to_s rescue nil
+    when "fifo", "socket"
+      @checksum_type = "none"
+      @checksum = ("{#{@checksum_type}}") + send("#{@checksum_type}_file", real_path).to_s
     else
       raise ArgumentError, _("Cannot manage files of type %{file_type}") % { file_type: stat.ftype }
     end

data/lib/puppet/file_system/file_impl.rb

@@ -130,23 +130,23 @@ class Puppet::FileSystem::FileImpl
   end
 
   def symlink?(path)
-    File.symlink?(path)
+    ::File.symlink?(path)
   end
 
   def readlink(path)
-    File.readlink(path)
+    ::File.readlink(path)
   end
 
   def unlink(*paths)
-    File.unlink(*paths)
+    ::File.unlink(*paths)
   end
 
   def stat(path)
-    File.stat(path)
+    ::File.stat(path)
   end
 
   def lstat(path)
-    File.lstat(path)
+    ::File.lstat(path)
   end
 
   def compare_stream(path, stream)
@@ -159,7 +159,7 @@ class Puppet::FileSystem::FileImpl
 
   def replace_file(path, mode = nil)
     begin
-      stat = Puppet::FileSystem.lstat(path)
+      stat = lstat(path)
       gid = stat.gid
       uid = stat.uid
       mode ||= stat.mode & 07777
@@ -180,7 +180,7 @@ class Puppet::FileSystem::FileImpl
       tempfile_path = tempfile.path
       FileUtils.chown(uid, gid, tempfile_path) if uid && gid
       chmod(mode, tempfile_path)
-      File.rename(tempfile_path, Puppet::FileSystem.path_string(path))
+      ::File.rename(tempfile_path, path_string(path))
     ensure
       tempfile.close!
     end

data/lib/puppet/file_system/jruby.rb

@@ -14,7 +14,7 @@ class Puppet::FileSystem::JRuby < Puppet::FileSystem::Posix
   def replace_file(path, mode = nil, &block)
     # MRI Ruby rename checks if destination is a directory and raises, while
     # JRuby removes the directory and replaces the file.
-    if Puppet::FileSystem.directory?(path)
+    if directory?(path)
       raise Errno::EISDIR, _("Is a directory: %{directory}") % { directory: path }
     end
 

data/lib/puppet/file_system/windows.rb

@@ -123,7 +123,7 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
   LOCK_VIOLATION = 33
 
   def replace_file(path, mode = nil)
-    if Puppet::FileSystem.directory?(path)
+    if directory?(path)
       raise Errno::EISDIR, _("Is a directory: %{directory}") % { directory: path }
     end
 
@@ -159,14 +159,14 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
       end
 
       set_dacl(tempfile.path, dacl) if dacl
-      File.rename(tempfile.path, Puppet::FileSystem.path_string(path))
+      ::File.rename(tempfile.path, path_string(path))
     ensure
       tempfile.close!
     end
   rescue Puppet::Util::Windows::Error => e
     case e.code
     when ACCESS_DENIED, SHARING_VIOLATION, LOCK_VIOLATION
-      raise Errno::EACCES.new(Puppet::FileSystem.path_string(path), e)
+      raise Errno::EACCES.new(path_string(path), e)
     else
       raise SystemCallError.new(e.message)
     end
@@ -193,7 +193,7 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
   end
 
   def get_dacl_from_file(path)
-    sd = Puppet::Util::Windows::Security.get_security_descriptor(Puppet::FileSystem.path_string(path))
+    sd = Puppet::Util::Windows::Security.get_security_descriptor(path_string(path))
     sd.dacl
   rescue Puppet::Util::Windows::Error => e
     raise e unless e.code == FILE_NOT_FOUND

data/lib/puppet/file_system.rb

@@ -396,7 +396,7 @@ module Puppet::FileSystem
   # @api public
   #
   def self.chmod(mode, path)
-    @impl.chmod(mode, path)
+    @impl.chmod(mode, assert_path(path))
   end
 
   # Replace the contents of a file atomically, creating the file if necessary.