puppet 6.27.0-x86-mingw32 → 6.29.0-x86-mingw32

data/spec/integration/http/client_spec.rb

@@ -77,13 +77,13 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
       }
     }
 
-    let(:systemstore) do
-      res = tmpfile('systemstore')
+    let(:cert_file) do
+      res = tmpfile('cert_file')
       File.write(res, https_server.ca_cert)
       res
     end
 
-    it "mutually authenticates the connection" do
+    it "mutually authenticates the connection using an explicit context" do
       client_context = ssl_provider.create_context(
         cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
         client_cert: https_server.server_cert, private_key: https_server.server_key
@@ -95,10 +95,27 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
       end
     end
 
+    it "mutually authenticates the connection when the client and server certs are issued from different CAs" do
+      # this is the client cert's CA, key and cert
+      Puppet[:localcacert] = fixtures('ssl/unknown-ca.pem')
+      Puppet[:hostprivkey] = fixtures('ssl/unknown-127.0.0.1-key.pem')
+      Puppet[:hostcert] = fixtures('ssl/unknown-127.0.0.1.pem')
+
+      # this is the server cert's CA that the client needs in order to authenticate the server
+      Puppet[:ssl_trust_store] = fixtures('ssl/ca.pem')
+
+      # need to pass both the client and server CAs. The former is needed so the server can authenticate our client cert
+      https_server = PuppetSpec::HTTPSServer.new(ca_cert: [cert_fixture('ca.pem'), cert_fixture('unknown-ca.pem')])
+      https_server.start_server(ctx_proc: ctx_proc) do |port|
+        res = client.get(URI("https://127.0.0.1:#{port}"), options: {include_system_store: true})
+        expect(res).to be_success
+      end
+    end
+
     it "connects when the server's CA is in the system store and the connection is mutually authenticated using create_context" do
-      Puppet::Util.withenv("SSL_CERT_FILE" => systemstore) do
+      Puppet::Util.withenv("SSL_CERT_FILE" => cert_file) do
         client_context = ssl_provider.create_context(
-          cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
+          cacerts: [], crls: [],
           client_cert: https_server.server_cert, private_key: https_server.server_key,
           revocation: false, include_system_store: true
         )
@@ -109,8 +126,8 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
       end
     end
 
-    it "connects when the server's CA is in the system store and the connection is mutually authenticated uning load_context" do
-      Puppet::Util.withenv("SSL_CERT_FILE" => systemstore) do
+    it "connects when the server's CA is in the system store and the connection is mutually authenticated using load_context" do
+      Puppet::Util.withenv("SSL_CERT_FILE" => cert_file) do
         client_context = ssl_provider.load_context(revocation: false, include_system_store: true)
         https_server.start_server(ctx_proc: ctx_proc) do |port|
           res = client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: client_context})
@@ -132,12 +149,12 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
 
     it "connects when the server's CA is in the system store" do
       # create a temp cacert bundle
-      ssl_file = tmpfile('systemstore')
-      File.write(ssl_file, https_server.ca_cert)
+      cert_file = tmpfile('cert_file')
+      File.write(cert_file, https_server.ca_cert)
 
       # override path to system cacert bundle, this must be done before
       # the SSLContext is created and the call to X509::Store.set_default_paths
-      Puppet::Util.withenv("SSL_CERT_FILE" => ssl_file) do
+      Puppet::Util.withenv("SSL_CERT_FILE" => cert_file) do
         system_context = ssl_provider.create_system_context(cacerts: [])
         https_server.start_server do |port|
           res = client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: system_context})

data/spec/lib/puppet_spec/https.rb

@@ -40,7 +40,7 @@ class PuppetSpec::HTTPSServer
 
     IO.pipe {|stop_pipe_r, stop_pipe_w|
       store = OpenSSL::X509::Store.new
-      store.add_cert(@ca_cert)
+      Array(@ca_cert).each { |c| store.add_cert(c) }
       store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.cert_store = store

data/spec/lib/puppet_spec/puppetserver.rb

@@ -72,6 +72,40 @@ class PuppetSpec::Puppetserver
     end
   end
 
+  class CertificateServlet < WEBrick::HTTPServlet::AbstractServlet
+    def initialize(server, ca_cert)
+      super(server)
+      @ca_cert = ca_cert
+    end
+
+    def do_GET request, response
+      if request.path =~ %r{/puppet-ca/v1/certificate/ca$}
+        response['Content-Type'] = 'text/plain'
+        response.body = @ca_cert.to_pem
+      else
+        response.status = 404
+      end
+    end
+  end
+
+  class CertificateRevocationListServlet < WEBrick::HTTPServlet::AbstractServlet
+    def initialize(server, crl)
+      super(server)
+      @crl = crl
+    end
+
+    def do_GET request, response
+      response['Content-Type'] = 'text/plain'
+      response.body = @crl.to_pem
+    end
+  end
+
+  class CertificateRequestServlet < WEBrick::HTTPServlet::AbstractServlet
+    def do_PUT request, response
+      response.status = 404
+    end
+  end
+
   def initialize
     @ca_cert = cert_fixture('ca.pem')
     @ca_crl = crl_fixture('crl.pem')
@@ -125,15 +159,18 @@ class PuppetSpec::Puppetserver
     register_mount('/puppet/v3/static_file_content', mounts[:static_file_content], StaticFileContentServlet)
     register_mount('/puppet/v3/report', mounts[:report], ReportServlet)
     register_mount('/puppet/v3/file_bucket_file', mounts[:filebucket], FilebucketServlet)
+    register_mount('/puppet-ca/v1/certificate', mounts[:certificate], CertificateServlet, @ca_cert)
+    register_mount('/puppet-ca/v1/certificate_revocation_list', mounts[:certificate_revocation_list], CertificateRevocationListServlet, @ca_crl)
+    register_mount('/puppet-ca/v1/certificate_request', mounts[:certificate_request], CertificateRequestServlet)
   end
 
-  def register_mount(path, user_proc, default_servlet)
+  def register_mount(path, user_proc, default_servlet, *args)
     handler = if user_proc
                 WEBrick::HTTPServlet::ProcHandler.new(user_proc)
               else
                 default_servlet
               end
-    @https.mount(path, handler)
+    @https.mount(path, handler, *args)
   end
 
   def upload_directory

data/spec/unit/agent_spec.rb

@@ -38,6 +38,10 @@ describe Puppet::Agent do
         end
       end
     end
+
+    ssl_context = Puppet::SSL::SSLContext.new
+    machine = instance_double("Puppet::SSL::StateMachine", ensure_client_certificate: ssl_context)
+    allow(Puppet::SSL::StateMachine).to receive(:new).and_return(machine)
   end
 
   after do
@@ -99,6 +103,8 @@ describe Puppet::Agent do
     end
 
     it "should splay" do
+      Puppet[:splay] = true
+
       expect(@agent).to receive(:splay)
 
       @agent.run
@@ -181,6 +187,26 @@ describe Puppet::Agent do
       expect(@agent.run).to eq(:result)
     end
 
+    it "should check if it's disabled after splaying and log a message" do
+      Puppet[:splay] = true
+      Puppet[:splaylimit] = '5s'
+      Puppet[:onetime] = true
+
+      expect(@agent).to receive(:disabled?).and_return(false, true)
+
+      allow(Puppet).to receive(:notice).and_call_original
+      expect(Puppet).to receive(:notice).with(/Skipping run of .*; administratively disabled.*/)
+      @agent.run
+    end
+
+    it "should check if it's disabled after acquiring the lock and log a message" do
+      expect(@agent).to receive(:disabled?).and_return(false, true)
+
+      allow(Puppet).to receive(:notice).and_call_original
+      expect(Puppet).to receive(:notice).with(/Skipping run of .*; administratively disabled.*/)
+      @agent.run
+    end
+
     describe "and a puppet agent is already running" do
       before(:each) do
         allow_any_instance_of(Object).to receive(:sleep)
@@ -197,7 +223,7 @@ describe Puppet::Agent do
         @agent.run
       end
 
-      it "should inform that a run is already in progres and try to run every X seconds if waitforlock is used" do
+      it "should inform that a run is already in progress and try to run every X seconds if waitforlock is used" do
         # so the locked file exists
         allow(File).to receive(:file?).and_return(true)
         # so we don't have to wait again for the run to exit (default maxwaitforcert is 60)
@@ -226,7 +252,7 @@ describe Puppet::Agent do
         @agent.run
       end
     end
-    
+
     describe "when should_fork is true", :if => Puppet.features.posix? && RUBY_PLATFORM != 'java' do
       before do
         @agent = Puppet::Agent.new(AgentTestClient, true)

data/spec/unit/application/agent_spec.rb

@@ -4,6 +4,11 @@ require 'puppet/agent'
 require 'puppet/application/agent'
 require 'puppet/daemon'
 
+class TestAgentClientClass
+  def initialize(transaction_uuid = nil, job_id = nil); end
+  def run(options = {}); end
+end
+
 describe Puppet::Application::Agent do
   include PuppetSpec::Files
 
@@ -12,13 +17,20 @@ describe Puppet::Application::Agent do
   before :each do
     @puppetd = Puppet::Application[:agent]
 
-    @agent = double('agent')
+    @client = TestAgentClientClass.new
+    allow(TestAgentClientClass).to receive(:new).and_return(@client)
+
+    @agent = Puppet::Agent.new(TestAgentClientClass, false)
     allow(Puppet::Agent).to receive(:new).and_return(@agent)
 
-    @daemon = Puppet::Daemon.new(@agent, nil)
+    Puppet[:pidfile] = tmpfile('pidfile')
+    @daemon = Puppet::Daemon.new(@agent, Puppet::Util::Pidlock.new(Puppet[:pidfile]))
     allow(@daemon).to receive(:daemonize)
-    allow(@daemon).to receive(:start)
     allow(@daemon).to receive(:stop)
+    # simulate one run so we don't infinite looptwo runs of the agent, then return so we don't infinite loop
+    allow(@daemon).to receive(:run_event_loop) do
+      @agent.run(splay: false)
+    end
     allow(Puppet::Daemon).to receive(:new).and_return(@daemon)
     Puppet[:daemonize] = false
 
@@ -92,10 +104,6 @@ describe Puppet::Application::Agent do
   end
 
   describe "when handling options" do
-    before do
-      allow(@puppetd.command_line).to receive(:args).and_return([])
-    end
-
     [:enable, :debug, :fqdn, :test, :verbose, :digest].each do |option|
       it "should declare handle_#{option} method" do
         expect(@puppetd).to respond_to("handle_#{option}".to_sym)
@@ -127,32 +135,34 @@ describe Puppet::Application::Agent do
     end
 
     it "should set waitforcert to 0 with --onetime and if --waitforcert wasn't given" do
-      allow(@agent).to receive(:run).and_return(2)
+      allow(@client).to receive(:run).and_return(2)
       Puppet[:onetime] = true
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 0).and_return(machine)
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 0)).and_return(machine)
 
       expect { execute_agent }.to exit_with 0
     end
 
     it "should use supplied waitforcert when --onetime is specified" do
-      allow(@agent).to receive(:run).and_return(2)
+      allow(@client).to receive(:run).and_return(2)
       Puppet[:onetime] = true
       @puppetd.handle_waitforcert(60)
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 60).and_return(machine)
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 60)).and_return(machine)
 
       expect { execute_agent }.to exit_with 0
     end
 
     it "should use a default value for waitforcert when --onetime and --waitforcert are not specified" do
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 120).and_return(machine)
+      allow(@client).to receive(:run).and_return(2)
+
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 120)).and_return(machine)
 
       execute_agent
     end
 
     it "should register ssl OIDs" do
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 120).and_return(double(ensure_client_certificate: nil))
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 120)).and_return(machine)
       expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
 
       execute_agent
@@ -161,7 +171,7 @@ describe Puppet::Application::Agent do
     it "should use the waitforcert setting when checking for a signed certificate" do
       Puppet[:waitforcert] = 10
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 10).and_return(machine)
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 10)).and_return(machine)
 
       execute_agent
     end
@@ -413,9 +423,9 @@ describe Puppet::Application::Agent do
     end
 
     it "should wait for a certificate" do
-      @puppetd.options[:waitforcert] = 123
+      Puppet[:waitforcert] = 123
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 123).and_return(machine)
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(hash_including(waitforcert: 123)).and_return(machine)
 
       execute_agent
     end

data/spec/unit/daemon_spec.rb

@@ -1,6 +1,7 @@
 require 'spec_helper'
 require 'puppet/daemon'
 require 'puppet/agent'
+require 'puppet/configurer'
 
 def without_warnings
   flag = $VERBOSE
@@ -9,12 +10,6 @@ def without_warnings
   $VERBOSE = flag
 end
 
-class TestClient
-  def lockfile_path
-    "/dev/null"
-  end
-end
-
 describe Puppet::Daemon, :unless => Puppet::Util::Platform.windows? do
   include PuppetSpec::Files
 
@@ -26,7 +21,7 @@ describe Puppet::Daemon, :unless => Puppet::Util::Platform.windows? do
     end
   end
 
-  let(:agent) { Puppet::Agent.new(TestClient.new, false) }
+  let(:agent) { Puppet::Agent.new(Puppet::Configurer, false) }
   let(:server) { double("Server", :start => nil, :wait_for_shutdown => nil) }
 
   let(:pidfile) { double("PidFile", :lock => true, :unlock => true, :file_path => 'fake.pid') }
@@ -131,10 +126,6 @@ describe Puppet::Daemon, :unless => Puppet::Util::Platform.windows? do
   end
 
   describe "when reloading" do
-    it "should do nothing if no agent is configured" do
-      daemon.reload
-    end
-
     it "should do nothing if the agent is running" do
       expect(agent).to receive(:run).with({:splay => false}).and_raise(Puppet::LockError, 'Failed to aquire lock')
       expect(Puppet).to receive(:notice).with('Not triggering already-running agent')

data/spec/unit/http/client_spec.rb

@@ -120,6 +120,24 @@ describe Puppet::HTTP::Client do
 
       client.close
     end
+
+    it 'reloads the default ssl context' do
+      expect(client.pool).to receive(:with_connection) do |_, verifier|
+        expect(verifier.ssl_context).to_not equal(puppet_context)
+      end
+
+      client.close
+      client.connect(uri)
+    end
+
+    it 'reloads the default system ssl context' do
+      expect(client.pool).to receive(:with_connection) do |_, verifier|
+        expect(verifier.ssl_context).to_not equal(system_context)
+      end
+
+      client.close
+      client.connect(uri, options: {include_system_store: true})
+    end
   end
 
   context "for GET requests" do

data/spec/unit/provider/package/puppetserver_gem_spec.rb

@@ -105,9 +105,9 @@ describe Puppet::Type.type(:package).provider(:puppetserver_gem) do
 
   describe ".gemlist" do
     context "listing installed packages" do
-      it "uses the puppet rubygems library to list local gems" do
+      it "uses the puppet_gem provider_command to list local gems" do
         expected = { name: 'world_airports', provider: :puppetserver_gem, ensure: ['1.1.3'] }
-        expect(described_class).to receive(:execute_rubygems_list_command).with(nil).and_return(File.read(my_fixture('gem-list-local-packages')))
+        expect(described_class).to receive(:execute_rubygems_list_command).with(['gem', 'list', '--local']).and_return(File.read(my_fixture('gem-list-local-packages')))
         expect(described_class.gemlist({ local: true })).to include(expected)
       end
     end

data/spec/unit/provider/package/windows/exe_package_spec.rb

@@ -1,5 +1,6 @@
 require 'spec_helper'
 require 'puppet/provider/package/windows/exe_package'
+require 'puppet/provider/package/windows'
 
 describe Puppet::Provider::Package::Windows::ExePackage do
   let (:name)        { 'Git version 1.7.11' }
@@ -71,10 +72,26 @@ describe Puppet::Provider::Package::Windows::ExePackage do
 
   context '#install_command' do
     it 'should install using the source' do
+      allow(Puppet::FileSystem).to receive(:exist?).with(source).and_return(true)
       cmd = described_class.install_command({:source => source})
 
       expect(cmd).to eq(source)
     end
+
+    it 'should raise error when URI is invalid' do
+      web_source = 'https://www.t e s t.test/test.exe'
+
+      expect do
+        described_class.install_command({:source => web_source, :name => name})
+      end.to raise_error(Puppet::Error, /Error when installing #{name}:/)
+    end
+
+    it 'should download package from source file before installing', if: Puppet::Util::Platform.windows? do
+      web_source = 'https://www.test.test/test.exe'
+      stub_request(:get, web_source).to_return(status: 200, body: 'package binaries')
+      cmd = described_class.install_command({:source => web_source})
+      expect(File.read(cmd)).to eq('package binaries')
+    end
   end
 
   context '#uninstall_command' do

data/spec/unit/ssl/ssl_provider_spec.rb

@@ -113,12 +113,21 @@ describe Puppet::SSL::SSLProvider do
       }.to raise_error(/can't modify frozen/)
     end
 
-    it 'trusts system ca store' do
+    it 'trusts system ca store by default' do
       expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths)
 
       subject.create_system_context(cacerts: [])
     end
 
+    it 'trusts an external ca store' do
+      path = tmpfile('system_cacerts')
+      File.write(path, cert_fixture('ca.pem').to_pem)
+
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:add_file).with(path)
+
+      subject.create_system_context(cacerts: [], path: path)
+    end
+
     it 'verifies peer' do
       sslctx = subject.create_system_context(cacerts: [])
       expect(sslctx.verify_peer).to eq(true)
@@ -135,6 +144,47 @@ describe Puppet::SSL::SSLProvider do
       expect(sslctx.private_key).to be_nil
     end
 
+    it 'includes the client cert and private key when requested' do
+      Puppet[:hostcert] = fixtures('ssl/signed.pem')
+      Puppet[:hostprivkey] = fixtures('ssl/signed-key.pem')
+      sslctx = subject.create_system_context(cacerts: [], include_client_cert: true)
+      expect(sslctx.client_cert).to be_an(OpenSSL::X509::Certificate)
+      expect(sslctx.private_key).to be_an(OpenSSL::PKey::RSA)
+    end
+
+    it 'ignores non-existent client cert and private key when requested' do
+      Puppet[:certname] = 'doesnotexist'
+      sslctx = subject.create_system_context(cacerts: [], include_client_cert: true)
+      expect(sslctx.client_cert).to be_nil
+      expect(sslctx.private_key).to be_nil
+    end
+
+    it 'warns if the client cert does not exist' do
+      Puppet[:certname] = 'missingcert'
+      Puppet[:hostprivkey] = fixtures('ssl/signed-key.pem')
+
+      expect(Puppet).to receive(:warning).with("Client certificate for 'missingcert' does not exist")
+      subject.create_system_context(cacerts: [], include_client_cert: true)
+    end
+
+    it 'warns if the private key does not exist' do
+      Puppet[:certname] = 'missingkey'
+      Puppet[:hostcert] = fixtures('ssl/signed.pem')
+
+      expect(Puppet).to receive(:warning).with("Private key for 'missingkey' does not exist")
+      subject.create_system_context(cacerts: [], include_client_cert: true)
+    end
+
+    it 'raises if client cert and private key are mismatched' do
+      Puppet[:hostcert] = fixtures('ssl/signed.pem')
+      Puppet[:hostprivkey] = fixtures('ssl/127.0.0.1-key.pem')
+
+      expect {
+        subject.create_system_context(cacerts: [], include_client_cert: true)
+      }.to raise_error(Puppet::SSL::SSLError,
+        "The certificate for 'CN=signed' does not match its private key")
+    end
+
     it 'trusts additional system certs' do
       path = tmpfile('system_cacerts')
       File.write(path, cert_fixture('ca.pem').to_pem)
@@ -448,6 +498,18 @@ describe Puppet::SSL::SSLProvider do
       sslctx = subject.create_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
+
+    it 'does not trust the system ca store by default' do
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths).never
+
+      subject.create_context(**config)
+    end
+
+    it 'trusts the system ca store' do
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths)
+
+      subject.create_context(**config.merge(include_system_store: true))
+    end
   end
 
   context 'when loading an ssl context' do
@@ -528,6 +590,18 @@ describe Puppet::SSL::SSLProvider do
         subject.load_context(password: 'wrongpassword')
       }.to raise_error(Puppet::SSL::SSLError, /Failed to load private key for host 'signed': Could not parse PKey/)
     end
+
+    it 'does not trust the system ca store by default' do
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths).never
+
+      subject.load_context
+    end
+
+    it 'trusts the system ca store' do
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths)
+
+      subject.load_context(include_system_store: true)
+    end
   end
 
   context 'when verifying requests' do

data/spec/unit/ssl/state_machine_spec.rb

@@ -27,6 +27,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
   let(:refused_message) { %r{Connection refused|No connection could be made because the target machine actively refused it} }
 
   before(:each) do
+    Puppet[:daemonize] = false
     Puppet[:ssl_lockfile] = tmpfile('ssllock')
     allow(Kernel).to receive(:sleep)
   end

data/tasks/generate_cert_fixtures.rake

@@ -37,14 +37,15 @@ task(:gen_cert_fixtures) do
   #                                   |   |
   # signed.pem                        |   +- /CN=signed
   # revoked.pem                       |   +- /CN=revoked
-  # 127.0.0.1.pem                     |   +- /CN=127.0.0.1 (with dns alt names)
   # tampered-cert.pem                 |   +- /CN=signed (with different public key)
   # ec.pem                            |   +- /CN=ec (with EC private key)
   # oid.pem                           |   +- /CN=oid (with custom oid)
   #                                   |
-  #                                   + /CN=Test CA Agent Subauthority
-  #                                   |  |
-  # pluto.pem                         |  +- /CN=pluto
+  # 127.0.0.1.pem                     +- /CN=127.0.0.1 (with dns alt names)
+  #                                   |
+  # intermediate-agent.pem            +- /CN=Test CA Agent Subauthority
+  #                                   |   |
+  # pluto.pem                         |   +- /CN=pluto
   #                                   |
   # bad-int-basic-constraints.pem     +- /CN=Test CA Subauthority (bad isCA constraint)
   #

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet
 version: !ruby/object:Gem::Version
-  version: 6.27.0
+  version: 6.29.0
 platform: x86-mingw32
 authors:
 - Puppet Labs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-04-06 00:00:00.000000000 Z
+date: 2023-01-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -141,6 +141,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 1.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -148,6 +151,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 1.2.0
 - !ruby/object:Gem::Dependency
   name: deep_merge
   requirement: !ruby/object:Gem::Requirement
@@ -2709,7 +2715,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.0.9
 signing_key: 
 specification_version: 4
 summary: Puppet, an automated configuration management tool