puppet 6.25.0 → 6.27.0

data/lib/puppet/pops/serialization/to_data_converter.rb

@@ -14,8 +14,6 @@ module Serialization
     # @option options [Boolean] :local_reference use local references instead of duplicating complex entries
     # @option options [Boolean] :type_by_reference `true` if Object types are converted to references rather than embedded.
     # @option options [Boolean] :symbol_as_string `true` if Symbols should be converted to strings (with type loss)
-    # @option options [Boolean] :force_symbol `false` if Symbols should not be converted (rich_data and symbol_as_string must be false)
-    # @option options [Boolean] :silence_warnings `false` if warnings should be silenced
     # @option options [String] :message_prefix String to prepend to in warnings and errors
     # @return [Data] the processed result. An object assignable to `Data`.
     #
@@ -43,12 +41,6 @@ module Serialization
       @symbol_as_string = options[:symbol_as_string]
       @symbol_as_string = false if @symbol_as_string.nil?
 
-      @force_symbol = options[:force_symbol]
-      @force_symbol = false if @force_symbol.nil?
-
-      @silence_warnings = options[:silence_warnings]
-      @silence_warnings = false if @silence_warnings.nil?
-
       @rich_data = options[:rich_data]
       @rich_data = false if @rich_data.nil?
 
@@ -100,11 +92,7 @@ module Serialization
         elsif @rich_data
           { PCORE_TYPE_KEY => PCORE_TYPE_SYMBOL, PCORE_VALUE_KEY => value.to_s }
         else
-          if @force_symbol
-            value
-          else
-            @silence_warnings ? unknown_to_string(value) : unknown_to_string_with_warning(value)
-          end
+          unknown_to_string_with_warning(value)
         end
       elsif value.instance_of?(Array)
         process(value) do
@@ -129,11 +117,7 @@ module Serialization
           { PCORE_TYPE_KEY => PCORE_TYPE_SENSITIVE, PCORE_VALUE_KEY => to_data(value.unwrap) }
         end
       else
-        if @rich_data
-          value_to_data_hash(value)
-        else
-          @silence_warnings ? unknown_to_string(value) : unknown_to_string_with_warning(value)
-        end
+        unknown_to_data(value)
       end
     end
 
@@ -207,6 +191,10 @@ module Serialization
       v
     end
 
+    def unknown_to_data(value)
+      @rich_data ? value_to_data_hash(value) : unknown_to_string_with_warning(value)
+    end
+
     def unknown_key_to_string_with_warning(value)
       str = unknown_to_string(value)
       serialization_issue(Issues::SERIALIZATION_UNKNOWN_KEY_CONVERTED_TO_STRING, :path => path_to_s, :klass => value.class, :value => str)

data/lib/puppet/provider/service/init.rb

@@ -84,7 +84,7 @@ Puppet::Type.type(:service).provide :init, :parent => :base do
     defpath = [defpath] unless defpath.is_a? Array
     instances = []
     defpath.each do |path|
-      unless FileTest.directory?(path)
+      unless Puppet::FileSystem.directory?(path)
         Puppet.debug "Service path #{path} does not exist"
         next
       end
@@ -97,8 +97,9 @@ Puppet::Type.type(:service).provide :init, :parent => :base do
         fullpath = File.join(path, name)
         next if name =~ /^\./
         next if exclude.include? name
-        next if not FileTest.executable?(fullpath)
-        next if not is_init?(fullpath)
+        next if Puppet::FileSystem.directory?(fullpath)
+        next unless Puppet::FileSystem.executable?(fullpath)
+        next unless is_init?(fullpath)
         instances << new(:name => name, :path => path, :hasstatus => true)
       end
     end
@@ -122,7 +123,7 @@ Puppet::Type.type(:service).provide :init, :parent => :base do
 
   def paths
     @paths ||= @resource[:path].find_all do |path|
-      if File.directory?(path)
+      if Puppet::FileSystem.directory?(path)
         true
       else
         if Puppet::FileSystem.exist?(path)

data/lib/puppet/resource/catalog.rb

@@ -315,7 +315,7 @@ class Puppet::Resource::Catalog < Puppet::Graph::SimpleGraph
     super()
     @name = name
     @catalog_uuid = SecureRandom.uuid
-    @catalog_format = 1
+    @catalog_format = 2
     @metadata = {}
     @recursive_metadata = {}
     @classes = []

data/lib/puppet/resource.rb

@@ -11,7 +11,7 @@ class Puppet::Resource
   include Puppet::Util::PsychSupport
 
   include Enumerable
-  attr_accessor :file, :line, :catalog, :exported, :virtual, :strict
+  attr_accessor :file, :line, :catalog, :exported, :virtual, :strict, :kind
   attr_reader :type, :title, :parameters
 
   # @!attribute [rw] sensitive_parameters
@@ -29,11 +29,16 @@ class Puppet::Resource
   EMPTY_ARRAY = [].freeze
   EMPTY_HASH = {}.freeze
 
-  ATTRIBUTES = [:file, :line, :exported].freeze
+  ATTRIBUTES = [:file, :line, :exported, :kind].freeze
   TYPE_CLASS = 'Class'.freeze
   TYPE_NODE  = 'Node'.freeze
   TYPE_SITE  = 'Site'.freeze
 
+  CLASS_STRING = 'class'.freeze
+  DEFINED_TYPE_STRING = 'defined_type'.freeze
+  COMPILABLE_TYPE_STRING = 'compilable_type'.freeze
+  UNKNOWN_TYPE_STRING  = 'unknown'.freeze
+
   PCORE_TYPE_KEY = '__ptype'.freeze
   VALUE_KEY = 'value'.freeze
 
@@ -194,6 +199,18 @@ class Puppet::Resource
     resource_type.is_a?(Puppet::CompilableResourceType)
   end
 
+  def self.to_kind(resource_type)
+    if resource_type == CLASS_STRING
+      CLASS_STRING
+    elsif resource_type.is_a?(Puppet::Resource::Type) && resource_type.type == :definition
+      DEFINED_TYPE_STRING
+    elsif resource_type.is_a?(Puppet::CompilableResourceType)
+      COMPILABLE_TYPE_STRING
+    else
+      UNKNOWN_TYPE_STRING
+    end
+  end
+
   # Iterate over each param/value pair, as required for Enumerable.
   def each
     parameters.each { |p,v| yield p, v }
@@ -248,6 +265,7 @@ class Puppet::Resource
       src = type
       self.file = src.file
       self.line = src.line
+      self.kind = src.kind
       self.exported = src.exported
       self.virtual = src.virtual
       self.set_tags(src)
@@ -310,6 +328,7 @@ class Puppet::Resource
 
       rt = resource_type
 
+      self.kind = self.class.to_kind(rt) unless kind
       if strict? && rt.nil?
         if self.class?
           raise ArgumentError, _("Could not find declared class %{title}") % { title: title }
@@ -493,10 +512,24 @@ class Puppet::Resource
     ref
   end
 
-  # Convert our resource to a RAL resource instance.  Creates component
-  # instances for resource types that don't exist.
+  # Convert our resource to a RAL resource instance. Creates component
+  # instances for resource types that are not of a compilable_type kind. In case
+  # the resource doesn’t exist and it’s compilable_type kind, raise an error.
+  # There are certain cases where a resource won't be in a catalog, such as 
+  # when we create a resource directly by using Puppet::Resource.new(...), so we 
+  # must check its kind before deciding whether the catalog format is of an older
+  # version or not.
   def to_ral
-    typeklass = Puppet::Type.type(self.type) || Puppet::Type.type(:component)
+    if self.kind == COMPILABLE_TYPE_STRING
+      typeklass = Puppet::Type.type(self.type)
+    elsif self.catalog && self.catalog.catalog_format >= 2
+      typeklass = Puppet::Type.type(:component)
+    else
+      typeklass =  Puppet::Type.type(self.type) || Puppet::Type.type(:component)
+    end
+
+    raise(Puppet::Error, "Resource type '#{self.type}' was not found") unless typeklass
+
     typeklass.new(self)
   end
 

data/lib/puppet/ssl/ssl_provider.rb

@@ -51,8 +51,7 @@ class Puppet::SSL::SSLProvider
   # @raise (see #create_context)
   # @api private
   def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
-    store = create_x509_store(cacerts, [], false)
-    store.set_default_paths
+    store = create_x509_store(cacerts, [], false, include_system_store: true)
 
     if path
       stat = Puppet::FileSystem.stat(path)
@@ -94,19 +93,20 @@ class Puppet::SSL::SSLProvider
   # @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
   #   key matches the `private_key`
   # @param revocation [:chain, :leaf, false] revocation mode
+  # @param include_system_store [true, false] Also trust system CA
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise [Puppet::SSL::CertVerifyError] There was an issue with
   #   one of the certs or CRLs.
   # @raise [Puppet::SSL::SSLError] There was an issue with the
   #   `private_key`.
   # @api private
-  def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation])
+  def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation], include_system_store: false)
     raise ArgumentError, _("CA certs are missing") unless cacerts
     raise ArgumentError, _("CRLs are missing") unless crls
     raise ArgumentError, _("Private key is missing") unless private_key
     raise ArgumentError, _("Client cert is missing") unless client_cert
 
-    store = create_x509_store(cacerts, crls, revocation)
+    store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
     client_chain = verify_cert_with_store(store, client_cert)
 
     if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
@@ -134,12 +134,13 @@ class Puppet::SSL::SSLProvider
   # @param password [String, nil] If the private key is encrypted, decrypt
   #   it using the password. If the key is encrypted, but a password is
   #   not specified, then the key cannot be loaded.
+  # @param include_system_store [true, false] Also trust system CA
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise [Puppet::SSL::CertVerifyError] There was an issue with
   #   one of the certs or CRLs.
   # @raise [Puppet::Error] There was an issue with one of the required components.
   # @api private
-  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
+  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil, include_system_store: false)
     cert = Puppet::X509::CertProvider.new
     cacerts = cert.load_cacerts(required: true)
     crls = case revocation
@@ -151,7 +152,7 @@ class Puppet::SSL::SSLProvider
     private_key = cert.load_private_key(certname, required: true, password: password)
     client_cert = cert.load_client_cert(certname, required: true)
 
-    create_context(cacerts: cacerts, crls: crls,  private_key: private_key, client_cert: client_cert, revocation: revocation)
+    create_context(cacerts: cacerts, crls: crls,  private_key: private_key, client_cert: client_cert, revocation: revocation, include_system_store: include_system_store)
   rescue OpenSSL::PKey::PKeyError => e
     raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
   end
@@ -186,7 +187,7 @@ class Puppet::SSL::SSLProvider
     end
   end
 
-  def create_x509_store(roots, crls, revocation)
+  def create_x509_store(roots, crls, revocation, include_system_store: false)
     store = OpenSSL::X509::Store.new
     store.purpose = OpenSSL::X509::PURPOSE_ANY
     store.flags = default_flags | revocation_mode(revocation)
@@ -194,6 +195,8 @@ class Puppet::SSL::SSLProvider
     roots.each { |cert| store.add_cert(cert) }
     crls.each { |crl| store.add_crl(crl) }
 
+    store.set_default_paths if include_system_store
+
     store
   end
 

data/lib/puppet/ssl/verifier.rb

@@ -115,6 +115,12 @@ class Puppet::SSL::Verifier
         return false
       end
 
+    # ruby-openssl#74ef8c0cc56b840b772240f2ee2b0fc0aafa2743 now sets the
+    # store_context error when the cert is mismatched
+    when OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH
+      @last_error = Puppet::SSL::CertMismatchError.new(peer_cert, @hostname)
+      return false
+
     when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
       crl = store_context.current_crl
       if crl && crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS

data/lib/puppet/transaction/persistence.rb

@@ -6,6 +6,26 @@ require 'puppet/util/yaml'
 # as calculating corrective_change).
 # @api private
 class Puppet::Transaction::Persistence
+
+  def self.allowed_classes
+    @allowed_classes ||= [
+      Symbol,
+      Time,
+      Regexp,
+      # URI is excluded, because it serializes all instance variables including the
+      # URI parser. Better to serialize the URL encoded representation.
+      SemanticPuppet::Version,
+      # SemanticPuppet::VersionRange has many nested classes and is unlikely to be
+      # used directly, so ignore it
+      Puppet::Pops::Time::Timestamp,
+      Puppet::Pops::Time::TimeData,
+      Puppet::Pops::Time::Timespan,
+      Puppet::Pops::Types::PBinaryType::Binary,
+      # Puppet::Pops::Types::PSensitiveType::Sensitive values are excluded from
+      # the persistence store, ignore it.
+    ].freeze
+  end
+
   def initialize
     @old_data = {}
     @new_data = {"resources" => {}}
@@ -62,7 +82,7 @@ class Puppet::Transaction::Persistence
     result = nil
     Puppet::Util.benchmark(:debug, _("Loaded transaction store file in %{seconds} seconds")) do
       begin
-        result = Puppet::Util::Yaml.safe_load_file(filename, [Symbol, Time])
+        result = Puppet::Util::Yaml.safe_load_file(filename, self.class.allowed_classes)
       rescue Puppet::Util::Yaml::YamlLoadError => detail
         Puppet.log_exception(detail, _("Transaction store file %{filename} is corrupt (%{detail}); replacing") % { filename: filename, detail: detail })
 
@@ -87,17 +107,7 @@ class Puppet::Transaction::Persistence
 
   # Save data from internal class to persistence store on disk.
   def save
-    converted_data = Puppet::Pops::Serialization::ToDataConverter.convert(
-      @new_data, {
-        symbol_as_string: false,
-        local_reference: false,
-        type_by_reference: true,
-        force_symbol: true,
-        silence_warnings: true,
-        message_prefix: to_s
-      }
-    )
-    Puppet::Util::Yaml.dump(converted_data, Puppet[:transactionstorefile])
+    Puppet::Util::Yaml.dump(@new_data, Puppet[:transactionstorefile])
   end
 
   # Use the catalog and run_mode to determine if persistence should be enabled or not

data/lib/puppet/type/exec.rb

@@ -457,7 +457,7 @@ module Puppet
 
             exec { '/bin/echo root >> /usr/lib/cron/cron.allow':
               path   => '/usr/bin:/usr/sbin:/bin',
-              unless => 'grep root /usr/lib/cron/cron.allow 2>/dev/null',
+              unless => 'grep ^root$ /usr/lib/cron/cron.allow 2>/dev/null',
             }
 
         This would add `root` to the cron.allow file (on Solaris) unless

data/lib/puppet/type/file/data_sync.rb

@@ -79,7 +79,7 @@ module Puppet
       return :absent unless stat
       ftype = stat.ftype
       # Don't even try to manage the content on directories or links
-      return nil if ["directory","link"].include?(ftype)
+      return nil if ['directory', 'link', 'fifo', 'socket'].include?(ftype)
 
       begin
         resource.parameter(:checksum).sum_file(resource[:path])

data/lib/puppet/type/user.rb

@@ -66,7 +66,6 @@ module Puppet
     newproperty(:ensure, :parent => Puppet::Property::Ensure) do
       newvalue(:present, :event => :user_created) do
         provider.create
-        @resource.generate
       end
 
       newvalue(:absent, :event => :user_removed) do
@@ -695,7 +694,6 @@ module Puppet
 
     def generate
       if !self[:purge_ssh_keys].empty?
-        return [] if self[:ensure] == :present && !provider.exists? 
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
         else
@@ -744,6 +742,45 @@ module Puppet
         end
         raise ArgumentError, _("purge_ssh_keys must be true, false, or an array of file names, not %{value}") % { value: value.inspect }
       end
+
+      munge do |value|
+        # Resolve string, boolean and symbol forms of true and false to a
+        # single representation.
+        case value
+        when :false, false, "false"
+          []
+        when :true, true, "true"
+          home = homedir
+          home ? [ "#{home}/.ssh/authorized_keys" ] : []
+        else
+          # value can be a string or array - munge each value
+          [ value ].flatten.map do |entry|
+            authorized_keys_path(entry)
+          end.compact
+        end
+      end
+
+      private
+
+      def homedir
+        resource[:home] || Dir.home(resource[:name])
+      rescue ArgumentError
+        Puppet.debug("User '#{resource[:name]}' does not exist")
+        nil
+      end
+
+      def authorized_keys_path(entry)
+        return entry unless entry.match?(%r{^(?:~|%h)/})
+
+        # if user doesn't exist (yet), ignore nonexistent homedir
+        home = homedir
+        return nil unless home
+
+        # compiler freezes "value" so duplicate using a gsub, second mutating gsub! is then ok
+        entry = entry.gsub(%r{^~/}, "#{home}/")
+        entry.gsub!(%r{^%h/}, "#{home}/")
+        entry
+      end
     end
 
     newproperty(:loginclass, :required_features => :manages_loginclass) do
@@ -765,7 +802,7 @@ module Puppet
     # @see generate
     # @api private
     def find_unmanaged_keys
-      munged_unmanaged_keys.
+      self[:purge_ssh_keys].
         select { |f| File.readable?(f) }.
         map { |f| unknown_keys_in_file(f) }.
         flatten.each do |res|
@@ -777,41 +814,6 @@ module Puppet
         end
     end
 
-    def munged_unmanaged_keys
-      value = self[:purge_ssh_keys]
-
-      # Resolve string, boolean and symbol forms of true and false to a
-      # single representation.
-      test_sym = value.to_s.intern
-      value = test_sym if [:true, :false].include? test_sym
-
-      return [] if value == :false
-
-      home = self[:home]
-      begin
-        home ||= provider.home
-      rescue
-        Puppet.debug("User '#{self[:name]}' does not exist")
-      end
-
-      if home.to_s.empty? || !Dir.exist?(home.to_s)
-        if value == :true || [ value ].flatten.any? { |v| v.start_with?('~/', '%h/') }
-          Puppet.debug("User '#{self[:name]}' has no home directory set to purge ssh keys from.")
-          return []
-        end
-      end
-
-      return [ "#{home}/.ssh/authorized_keys" ] if value == :true
-
-      # value is an array - munge each value
-      [ value ].flatten.map do |entry|
-        # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
-        entry = entry.gsub(/^~\//, "#{home}/")
-        entry.gsub!(/^%h\//, "#{home}/")
-        entry
-      end
-    end
-
     # Parse an ssh authorized keys file superficially, extract the comments
     # on the keys. These are considered names of possible ssh_authorized_keys
     # resources. Keys that are managed by the present catalog are ignored.

data/lib/puppet/util/json.rb

@@ -26,6 +26,23 @@ module Puppet::Util
       require 'json'
     end
 
+    # Load the content from a file as JSON if
+    # contents are in valid format. This method does not
+    # raise error but returns `nil` when invalid file is
+    # given.
+    def self.load_file_if_valid(filename, options = {})
+      load_file(filename, options)
+    rescue Puppet::Util::Json::ParseError, ArgumentError, Errno::ENOENT => detail
+      Puppet.debug("Could not retrieve JSON content from '#{filename}': #{detail.message}")
+      nil
+    end
+
+    # Load the content from a file as JSON.
+    def self.load_file(filename, options = {})
+      json = Puppet::FileSystem.read(filename, :encoding => 'utf-8')
+      load(json, options)
+    end
+
     # These methods do similar processing to the fallback implemented by MultiJson
     # when using the built-in JSON backend, to ensure consistent behavior
     # whether or not MultiJson can be loaded.

data/lib/puppet/util/log.rb

@@ -105,9 +105,14 @@ class Puppet::Util::Log
   def Log.level=(level)
     level = level.intern unless level.is_a?(Symbol)
 
-    raise Puppet::DevError, _("Invalid loglevel %{level}") % { level: level } unless @levels.include?(level)
+    # loglevel is a 0-based index
+    loglevel = @levels.index(level)
+    raise Puppet::DevError, _("Invalid loglevel %{level}") % { level: level } unless loglevel
 
-    @loglevel = @levels.index(level)
+    return if @loglevel == loglevel
+
+    # loglevel changed
+    @loglevel = loglevel
 
     # Enable or disable Facter debugging
     Puppet.runtime[:facter].debugging(level == :debug)

data/lib/puppet/util/monkey_patches.rb

@@ -39,6 +39,12 @@ unless Puppet::Util::Platform.jruby_fips?
     end
   end
 
+  unless defined?(OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH)
+    module OpenSSL::X509
+      OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH = 0x3E
+    end
+  end
+
   class OpenSSL::SSL::SSLContext
     if DEFAULT_PARAMS[:options]
       DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
@@ -64,8 +70,6 @@ unless Puppet::Util::Platform.jruby_fips?
 end
 
 if Puppet::Util::Platform.windows?
-  require 'puppet/util/windows'
-
   class OpenSSL::X509::Store
     @puppet_certs_loaded = false
     alias __original_set_default_paths set_default_paths

data/lib/puppet/util/package.rb

@@ -1,6 +1,13 @@
+# frozen_string_literal: true
 module Puppet::Util::Package
-  def versioncmp(version_a, version_b)
+  def versioncmp(version_a, version_b, ignore_trailing_zeroes = false)
     vre = /[-.]|\d+|[^-.\d]+/
+
+    if ignore_trailing_zeroes
+      version_a = normalize(version_a)
+      version_b = normalize(version_b)
+    end
+
     ax = version_a.scan(vre)
     bx = version_b.scan(vre)
 
@@ -8,24 +15,26 @@ module Puppet::Util::Package
       a = ax.shift
       b = bx.shift
 
-      if( a == b )                 then next
-      elsif (a == '-' && b == '-') then next
-      elsif (a == '-')             then return -1
-      elsif (b == '-')             then return 1
-      elsif (a == '.' && b == '.') then next
-      elsif (a == '.' )            then return -1
-      elsif (b == '.' )            then return 1
-      elsif (a =~ /^\d+$/ && b =~ /^\d+$/) then
-        if( a =~ /^0/ or b =~ /^0/ ) then
-          return a.to_s.upcase <=> b.to_s.upcase
-        end
+      next      if a == b
+      return -1 if a == '-'
+      return 1  if b == '-'
+      return -1 if a == '.'
+      return 1  if b == '.'
+      if a =~ /^\d+$/ && b =~ /^\d+$/
+        return a.to_s.upcase <=> b.to_s.upcase if a =~ /^0/ || b =~ /^0/
         return a.to_i <=> b.to_i
-      else
-        return a.upcase <=> b.upcase
       end
+      return a.upcase <=> b.upcase
     end
-    version_a <=> version_b;
+    version_a <=> version_b
   end
-
   module_function :versioncmp
+
+  def self.normalize(version)
+    version = version.split('-')
+    version.first.sub!(/([\.0]+)$/, '')
+
+    version.join('-')
+  end
+  private_class_method :normalize
 end

data/lib/puppet/util/windows/service.rb

@@ -13,11 +13,6 @@ module Puppet::Util::Windows
 
     FILE = Puppet::Util::Windows::File
 
-    # integer value of the floor for timeouts when waiting for service pending states.
-    # puppet will wait the length of dwWaitHint if it is longer than this value, but
-    # no shorter
-    DEFAULT_TIMEOUT = 30
-
     # Service error codes
     # https://docs.microsoft.com/en-us/windows/desktop/debug/system-error-codes--1000-1299-
     ERROR_SERVICE_DOES_NOT_EXIST = 0x00000424

data/lib/puppet/util/windows.rb

@@ -9,6 +9,9 @@ module Puppet::Util::Windows
   module File; end
   module Registry
   end
+  module Service
+    DEFAULT_TIMEOUT = 30
+  end
   module SID
     class Principal; end
   end

data/lib/puppet/util/yaml.rb

@@ -24,7 +24,11 @@ module Puppet::Util::Yaml
   # @raise [YamlLoadException] If deserialization fails.
   # @return The parsed YAML, which can be Hash, Array or scalar types.
   def self.safe_load(yaml, allowed_classes = [], filename = nil)
-    data = YAML.safe_load(yaml, allowed_classes, [], true, filename)
+    if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.1.0')
+      data = YAML.safe_load(yaml, permitted_classes: allowed_classes, aliases: true, filename: filename)
+    else
+      data = YAML.safe_load(yaml, allowed_classes, [], true, filename)
+    end
     data = false if data.nil?
     data
   rescue ::Psych::DisallowedClass => detail
@@ -42,6 +46,17 @@ module Puppet::Util::Yaml
     safe_load(yaml, allowed_classes, filename)
   end
 
+  # Safely load the content from a file as YAML if
+  # contents are in valid format. This method does not
+  # raise error but returns `nil` when invalid file is
+  # given.
+  def self.safe_load_file_if_valid(filename, allowed_classes = [])
+    safe_load_file(filename, allowed_classes)
+  rescue YamlLoadError, ArgumentError, Errno::ENOENT => detail
+    Puppet.debug("Could not retrieve YAML content from '#{filename}': #{detail.message}")
+    nil
+  end
+
   # @deprecated Use {#safe_load_file} instead.
   def self.load_file(filename, default_value = false, strip_classes = false)
     Puppet.deprecation_warning(_("Puppet::Util::Yaml.load_file is deprecated. Use safe_load_file instead."))
@@ -57,7 +72,11 @@ module Puppet::Util::Yaml
       end
       data.to_ruby || default_value
     else
-      yaml = YAML.load_file(filename)
+      if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.3.2')
+        yaml = YAML.unsafe_load_file(filename)
+      else
+        yaml = YAML.load_file(filename)
+      end
       yaml || default_value
     end
   rescue *YamlLoadExceptions => detail

data/lib/puppet/util.rb

@@ -7,6 +7,7 @@ require 'uri'
 require 'pathname'
 require 'ostruct'
 require 'puppet/util/platform'
+require 'puppet/util/windows'
 require 'puppet/util/symbolic_file_mode'
 require 'puppet/file_system/uniquefile'
 require 'securerandom'
@@ -22,8 +23,6 @@ module Util
   require 'puppet/util/posix'
   extend Puppet::Util::POSIX
 
-  require 'puppet/util/windows/process' if Puppet::Util::Platform.windows?
-
   extend Puppet::Util::SymbolicFileMode
 
   def default_env