puppet 7.0.0-x64-mingw32 → 7.5.0-x64-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9329aafa3ece7ad47eb0bc16f9e852fe84b7af220281aea339d058afd51b012b
-  data.tar.gz: 5a62475b96aac33593df2ec4e6d8684df608569f91c890b24e977e123e413fe0
+  metadata.gz: fa9b7a15f4253ed60d5c63718410c36de96134febc6c940430b5c75ab30736b8
+  data.tar.gz: 61e7341398349d2a05d44e3ccc4f5da4557cd39ad7e1017e45a34a86392da5ff
 SHA512:
-  metadata.gz: 0d4f22931a1f4c8d7389c984cedd1692ca332de31898077b57c30e299eaf6b6d9cccabe87a3683a541b3b90f5055d3bf2d0a6e47a350dbf6ffee36921a088bb6
-  data.tar.gz: a2f1d1f5adae1d1238d3d66ed5be88bb1db449b66a94c7eebdd562741792a3dc0dc1e2accc9f54a358a29365d1fe33cac3a788b7d702630bec2f197175ba1df3
+  metadata.gz: 9d37fc99d52cce580328b84256b626c057c918a4d50b8bcd87b22df5f6ffe5170d6947a46930c432141311b4a9729b054dd56eb1951db7dc2fe577ee5b69fdaf
+  data.tar.gz: e0ba897dac6c1d742347c8081e99803b4fbaaef4568bdae8d49886528008ed63d8a544794bbcd6934313ef3135b026b57ddbc8d21a18149579586fc8842bf450

data/CODEOWNERS

@@ -1,23 +1,9 @@
-# default to platform-core
-* @puppetlabs/platform-core @puppetlabs/puppetserver-maintainers
-
-# Night's Watch
-/lib/puppet/type/group @puppetlabs/night-s-watch
-/lib/puppet/type/package @puppetlabs/night-s-watch
-/lib/puppet/type/service @puppetlabs/night-s-watch
-/lib/puppet/type/user @puppetlabs/night-s-watch
-/lib/puppet/provider/group @puppetlabs/night-s-watch
-/lib/puppet/provider/package @puppetlabs/night-s-watch
-/lib/puppet/provider/service @puppetlabs/night-s-watch
-/lib/puppet/provider/user @puppetlabs/night-s-watch
+# defaults
+* @puppetlabs/platform-core @puppetlabs/puppetserver-maintainers @puppetlabs/night-s-watch
 
 # PAL
 /lib/puppet/pal @puppetlabs/bolt
 
-# puppet device
-/lib/puppet/application/device.rb @puppetlabs/networking
-/lib/puppet/util/network_device @puppetlabs/networking
-
 # puppet module
 /lib/puppet/application/module.rb @puppetlabs/pdk
 /lib/puppet/face/module @puppetlabs/pdk

data/Gemfile

@@ -18,8 +18,6 @@ gem "hiera", *location_for(ENV['HIERA_LOCATION']) if ENV.has_key?('HIERA_LOCATIO
 gem "semantic_puppet", *location_for(ENV['SEMANTIC_PUPPET_LOCATION'] || ["~> 1.0"])
 gem "puppet-resource_api", *location_for(ENV['RESOURCE_API_LOCATION'] || ["~> 1.5"])
 
-gem "scanf" if RUBY_VERSION.to_f >= 2.7
-
 group(:features) do
   gem 'diff-lcs', '~> 1.3', require: false
   gem 'hiera-eyaml', *location_for(ENV['HIERA_EYAML_LOCATION'])
@@ -33,10 +31,11 @@ group(:features) do
   # gem 'ruby-augeas', require: false, platforms: [:ruby]
   # requires native ldap headers/libs
   # gem 'ruby-ldap', '~> 0.9', require: false, platforms: [:ruby]
-  gem 'puppetserver-ca', '~> 1.1', require: false
+  gem 'puppetserver-ca', '~> 2.0', require: false
 end
 
 group(:test) do
+  gem "ffi", require: false
   gem "json-schema", "~> 2.0", require: false
   gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 12.2')
   gem "rspec", "~> 3.1", require: false

data/Gemfile.lock

@@ -1,7 +1,18 @@
+GIT
+  remote: git://github.com/ciprianbadescu/packaging
+  revision: 5f8d2bda941abfeeb8fb1731c9b1dd4d108f5d33
+  branch: maint/windows-signing
+  specs:
+    packaging (0.99.49.171.g5f8d2bd)
+      artifactory (~> 2)
+      csv (= 3.1.5)
+      rake (>= 12.3)
+      release-metrics
+
 PATH
   remote: .
   specs:
-    puppet (7.0.0)
+    puppet (7.5.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -10,6 +21,7 @@ PATH
       hiera (>= 3.2.1, < 4)
       locale (~> 2.1)
       multi_json (~> 1.13)
+      scanf (~> 1.0)
       semantic_puppet (~> 1.0)
 
 GEM
@@ -19,18 +31,20 @@ GEM
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     artifactory (2.8.2)
-    ast (2.4.1)
+    ast (2.4.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.7)
-    crack (0.4.4)
+    concurrent-ruby (1.1.8)
+    crack (0.4.5)
+      rexml
     csv (3.1.5)
     deep_merge (1.2.1)
     diff-lcs (1.4.4)
     docopt (0.6.1)
-    facter (4.0.44)
+    facter (4.0.51)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
     fast_gettext (1.1.2)
+    ffi (1.15.0)
     gettext (3.2.9)
       locale (>= 2.0.5)
       text (>= 1.3.0)
@@ -40,48 +54,44 @@ GEM
       locale
     hashdiff (1.0.1)
     hiera (3.6.0)
-    hiera-eyaml (3.2.0)
-      highline (~> 1.6.19)
+    hiera-eyaml (3.2.1)
+      highline
       optimist
-    highline (1.6.21)
+    highline (2.0.3)
     hocon (1.3.1)
     hpricot (0.8.6)
     json-schema (2.8.1)
       addressable (>= 2.4)
     locale (2.1.3)
-    memory_profiler (0.9.14)
+    memory_profiler (1.0.0)
     method_source (1.0.0)
     minitar (0.9)
-    msgpack (1.3.3)
+    msgpack (1.4.2)
     multi_json (1.15.0)
     mustache (1.1.1)
     optimist (3.0.1)
-    packaging (0.99.73)
-      artifactory (~> 2)
-      csv (= 3.1.5)
-      rake (>= 12.3)
-      release-metrics
-    parallel (1.20.0)
+    parallel (1.20.1)
     parser (2.7.2.0)
       ast (~> 2.4.1)
-    powerpack (0.1.2)
-    pry (0.13.1)
+    powerpack (0.1.3)
+    pry (0.14.0)
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.6)
     puppet-resource_api (1.8.13)
       hocon (>= 1.0)
-    puppetserver-ca (1.9.0)
+    puppetserver-ca (2.0.1)
       facter (>= 2.0.1, < 5)
     racc (1.4.9)
     rainbow (2.2.2)
       rake
     rake (12.3.3)
     rdiscount (2.2.0.2)
-    rdoc (6.2.1)
+    rdoc (6.3.0)
     release-metrics (1.1.0)
       csv
       docopt
+    rexml (3.2.4)
     ronn (0.7.3)
       hpricot (>= 0.8.2)
       mustache (>= 0.7.0)
@@ -90,18 +100,18 @@ GEM
       rspec-core (~> 3.10.0)
       rspec-expectations (~> 3.10.0)
       rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.0)
+    rspec-core (3.10.1)
       rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.10.0)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
-    rspec-support (3.10.0)
+    rspec-support (3.10.2)
     rubocop (0.49.1)
       parallel (~> 1.10)
       parser (>= 2.3.3.1, < 3.0)
@@ -111,24 +121,26 @@ GEM
       unicode-display_width (~> 1.0, >= 1.0.1)
     rubocop-i18n (1.2.0)
       rubocop (~> 0.49.0)
-    ruby-prof (1.4.2)
-    ruby-progressbar (1.10.1)
-    semantic_puppet (1.0.2)
+    ruby-prof (1.4.3)
+    ruby-progressbar (1.11.0)
+    scanf (1.0.0)
+    semantic_puppet (1.0.3)
     text (1.3.1)
-    thor (1.0.1)
+    thor (1.1.0)
     unicode-display_width (1.7.0)
     vcr (5.1.0)
-    webmock (3.10.0)
+    webmock (3.12.1)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    yard (0.9.25)
+    yard (0.9.26)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   diff-lcs (~> 1.3)
+  ffi
   gettext-setup (~> 0.28)
   hiera-eyaml
   hocon (~> 1.0)
@@ -136,11 +148,11 @@ DEPENDENCIES
   memory_profiler
   minitar (~> 0.9)
   msgpack (~> 1.2)
-  packaging (~> 0.99)
+  packaging!
   pry
   puppet!
   puppet-resource_api (~> 1.5)
-  puppetserver-ca (~> 1.1)
+  puppetserver-ca (~> 2.0)
   racc (= 1.4.9)
   rake (~> 12.2)
   rdoc (~> 6.0)
@@ -157,4 +169,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.0.0
+   1.17.3

data/ext/build_defaults.yaml

@@ -1,6 +1,5 @@
 ---
 packager: 'puppetlabs'
-gpg_key: '7F438280EF8D349F'
 
 # These are the build targets used by the packaging repo. Uncomment to allow use.
 #final_mocks: 'pl-el-5-i386 pl-el-6-i386 pl-el-7-x86_64'

data/ext/project_data.yaml

@@ -26,6 +26,7 @@ gem_runtime_dependencies:
   puppet-resource_api: '~>1.5'
   concurrent-ruby: '~> 1.0'
   deep_merge: '~> 1.0'
+  scanf: '~> 1.0'
 gem_rdoc_options:
   - --title
   - "Puppet - Configuration Management"

data/lib/puppet/application.rb

@@ -475,12 +475,16 @@ class Application
   def handle_logdest_arg(arg)
     return if arg.nil?
 
-    begin
-      Puppet[:logdest] = arg
-      Puppet::Util::Log.newdestination(arg)
-      options[:setdest] = true
-    rescue => detail
-      Puppet.log_and_raise(detail, _("Could not set logdest to %{dest}.") % { dest: arg })
+    logdest = arg.split(',').map!(&:strip)
+    Puppet[:logdest] = arg
+
+    logdest.each do |dest|
+      begin
+        Puppet::Util::Log.newdestination(dest)
+        options[:setdest] = true
+      rescue => detail
+        Puppet.log_and_raise(detail, _("Could not set logdest to %{dest}.") % { dest: arg })
+      end
     end
   end
 

data/lib/puppet/application/agent.rb

@@ -267,6 +267,7 @@ generated by running puppet agent with '--genconfig'.
   service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
   file. If debugging or verbosity is enabled, this defaults to 'console'.
   Otherwise, it defaults to 'syslog' on POSIX systems and 'eventlog' on Windows.
+  Multiple destinations can be set using a comma separated list (eg: `/path/file1,console,/path/file2`)"
 
   A path ending with '.json' will receive structured output in JSON format. The
   log file will not have an ending ']' automatically written to it due to the

data/lib/puppet/application/apply.rb

@@ -113,6 +113,7 @@ configuration options by running puppet with
   Where to send log messages. Choose between 'syslog' (the POSIX syslog
   service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
   file. Defaults to 'console'.
+  Multiple destinations can be set using a comma separated list (eg: `/path/file1,console,/path/file2`)"
 
   A path ending with '.json' will receive structured output in JSON format. The
   log file will not have an ending ']' automatically written to it due to the
@@ -236,7 +237,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
         end
 
         # Resolve all deferred values and replace them / mutate the catalog
-        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog)
+        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, apply_environment)
 
         # Translate it to a RAL catalog
         catalog = catalog.to_ral
@@ -330,7 +331,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
         raise Puppet::Error, _("Could not deserialize catalog from %{format}: %{detail}") % { format: format, detail: detail }, detail.backtrace
       end
       # Resolve all deferred values and replace them / mutate the catalog
-      Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog)
+      Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, configured_environment)
 
       catalog.to_ral
     end

data/lib/puppet/application/device.rb

@@ -155,6 +155,7 @@ you can specify '--server <servername>' as an argument.
   Where to send log messages. Choose between 'syslog' (the POSIX syslog
   service), 'console', or the path to a log file. If debugging or verbosity is
   enabled, this defaults to 'console'. Otherwise, it defaults to 'syslog'.
+  Multiple destinations can be set using a comma separated list (eg: `/path/file1,console,/path/file2`)"
 
   A path ending with '.json' will receive structured output in JSON format. The
   log file will not have an ending ']' automatically written to it due to the

data/lib/puppet/application/script.rb

@@ -71,6 +71,7 @@ configuration options can also be generated by running puppet with
   Where to send log messages. Choose between 'syslog' (the POSIX syslog
   service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
   file. Defaults to 'console'.
+  Multiple destinations can be set using a comma separated list (eg: `/path/file1,console,/path/file2`)"
 
   A path ending with '.json' will receive structured output in JSON format. The
   log file will not have an ending ']' automatically written to it due to the

data/lib/puppet/application/ssl.rb

@@ -74,6 +74,9 @@ ACTIONS
   `--localca` is specified, then also remove this host's local copy of the
   CA certificate(s) and CRL bundle. if `--target CERTNAME` is specified, then
   remove the files for the specified device on this host instead of this host.
+
+ * show:
+  Print the full-text version of this host's certificate.
 HELP
   end
 
@@ -142,11 +145,19 @@ HELP
       end
       @machine.ensure_client_certificate
       Puppet.notice(_("Completed SSL initialization"))
+    when 'show'
+      show(certname)
     else
       raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
     end
   end
 
+  def show(certname)
+    password = @cert_provider.load_private_key_password
+    ssl_context = @ssl_provider.load_context(certname: certname, password: password)
+    puts ssl_context.client_cert.to_text
+  end
+
   def submit_request(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
     unless key

data/lib/puppet/application_support.rb

@@ -53,6 +53,13 @@ module Puppet
       route_file = Puppet[:route_file]
       if Puppet::FileSystem.exist?(route_file)
         routes = Puppet::Util::Yaml.safe_load_file(route_file, [Symbol])
+        if routes["server"] && routes["master"]
+          Puppet.warning("Route file #{route_file} contains both server and master route settings.")
+        elsif routes["server"] && !routes["master"]
+          routes["master"] = routes["server"]
+        elsif routes["master"] && !routes["server"]
+          routes["server"] = routes["master"]
+        end
         application_routes = routes[application_name]
         Puppet::Indirector.configure_routes(application_routes) if application_routes
       end

data/lib/puppet/configurer.rb

@@ -112,7 +112,7 @@ class Puppet::Configurer
     catalog_conversion_time = thinmark do
       # Will mutate the result and replace all Deferred values with resolved values
       if facts
-        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, result)
+        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, result, Puppet.lookup(:current_environment))
       end
 
       catalog = result.to_ral
@@ -395,16 +395,29 @@ class Puppet::Configurer
       if !cached_catalog && options[:catalog]
         ral_catalog = options[:catalog]
       else
+        # Ordering here matters. We have to resolve deferred resources in the
+        # resource catalog, convert the resource catalog to a RAL catalog (which
+        # triggers type/provider validation), and only if that is successful,
+        # should we cache the *original* resource catalog. However, deferred
+        # evaluation mutates the resource catalog, so we need to make a copy of
+        # it here. If PUP-9323 is ever implemented so that we resolve deferred
+        # resources in the RAL catalog as they are needed, then we could eliminate
+        # this step.
+        catalog_to_cache = Puppet.override(:rich_data => Puppet[:rich_data]) do
+          Puppet::Resource::Catalog.from_data_hash(catalog.to_data_hash)
+        end
+
         # REMIND @duration is the time spent loading the last catalog, and doesn't
         # account for things like we failed to download and fell back to the cache
         ral_catalog = convert_catalog(catalog, @duration, facts, options)
 
-        # If not noop, commit the cached resource catalog (not ral catalog). Ideally
+        # Validation succeeded, so commit the `catalog_to_cache` for non-noop runs. Don't
+        # commit `catalog` since it contains the result of deferred evaluation. Ideally
         # we'd just copy the downloaded response body, instead of serializing the
         # in-memory catalog, but that's hard due to the indirector.
         indirection = Puppet::Resource::Catalog.indirection
         if !Puppet[:noop] && indirection.cache?
-          request = indirection.request(:save, nil, catalog, environment: Puppet::Node::Environment.remote(catalog.environment))
+          request = indirection.request(:save, nil, catalog_to_cache, environment: Puppet::Node::Environment.remote(catalog_to_cache.environment))
           Puppet.info("Caching catalog for #{request.key}")
           indirection.cache.save(request)
         end

data/lib/puppet/defaults.rb

@@ -32,20 +32,6 @@ module Puppet
       %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite md5 md5lite mtime ctime]
   end
 
-  def self.log_ca_migration_warning
-    urge_to_migrate = <<-UTM
-The cadir is currently configured to be inside the #{Puppet[:ssldir]} directory. This config
-setting and the directory location will not be used in a future version of puppet. Please run the
-puppetserver ca tool to migrate out from the puppet confdir to the /etc/puppetlabs/puppetserver/ca
-directory. Use `puppetserver ca migrate --help` for more info.
-UTM
-    Puppet.warn_once('deprecations',
-                     'CA migration message',
-                     urge_to_migrate,
-                     :default,
-                     :default)
-  end
-
   def self.default_cadir
     return "" if Puppet::Util::Platform.windows?
     old_ca_dir = "#{Puppet[:ssldir]}/ca"
@@ -53,13 +39,8 @@ UTM
 
     if File.exist?(old_ca_dir)
       if File.symlink?(old_ca_dir)
-        target = File.readlink(old_ca_dir)
-        if target.start_with?(Puppet[:ssldir])
-          Puppet.log_ca_migration_warning
-        end
-        target
+        File.readlink(old_ca_dir)
       else
-        Puppet.log_ca_migration_warning
         old_ca_dir
       end
     else
@@ -1052,6 +1033,14 @@ EOT
           certificate revocation checking and does not attempt to download the CRL.
         EOT
     },
+    :ciphers => {
+      :default => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256',
+      :type => :string,
+      :desc => "The list of ciphersuites for TLS connections initiated by puppet. The
+                default value is chosen to support TLS 1.0 and up, but can be made
+                more restrictive if needed. The ciphersuites must be specified in OpenSSL
+                format, not IANA."
+    },
     :key_type => {
       :default => 'rsa',
       :type    => :enum,
@@ -1095,7 +1084,7 @@ EOT
       :type      => :string,
       :desc      => "Where to send log messages. Choose between 'syslog' (the POSIX syslog
       service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
-      file."
+      file. Multiple destinations can be set using a comma separated list (eg: `/path/file1,console,/path/file2`)"
       # Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,
       # unfortunately we have a large number of tests that rely on the logging not resetting itself when the
       # settings are initialized as they test what gets logged during settings initialization.
@@ -1112,13 +1101,6 @@ EOT
       :default => lambda { default_cadir },
       :type => :directory,
       :desc => "The root directory for the certificate authority.",
-      :call_hook => :on_initialize_and_write,
-      :hook => proc do |value|
-        if value.start_with?(Puppet[:ssldir])
-          Puppet.log_ca_migration_warning
-        end
-        value
-      end
     },
     :cacert => {
       :default => "$cadir/ca_crt.pem",
@@ -1345,25 +1327,16 @@ EOT
       by `puppet`, and should only be set if you're writing your own Puppet
       executable.",
     },
-    :serverport => {
+    :masterport => {
       :default    => 8140,
       :type       => :port,
       :desc       => "The default port puppet subcommands use to communicate
       with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
       overridden by more specific settings (see `ca_port`, `report_port`).",
-      :hook       => proc do |value|
-        Puppet[:masterport] = value unless Puppet.settings.set_by_config?(:masterport)
-      end
     },
-    :masterport => {
-      :default    => "$serverport",
-      :type       => :port,
-      :desc       => "The default port puppet subcommands use to communicate
-      with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
-      overridden by more specific settings (see `ca_port`, `report_port`).",
-      :hook => proc do |value|
-        Puppet[:serverport] = value unless Puppet.settings.set_by_config?(:serverport)
-      end
+    :serverport => {
+      :type => :alias,
+      :alias_for => :masterport
     },
     :bucketdir => {
       :default => "$vardir/bucket",