puppet 7.12.1 → 7.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c9a5ad10d1fe29d4c28a410c34cc28236cc3a678444e72cdbcbd824ead10f99
-  data.tar.gz: 104352f3f069d1f9043dc386f035f0c18da3bbc09f1715092b682a6508b97842
+  metadata.gz: 236ffe679e7475017af27237b3584914e21fdc4c40640f1068b4f25a683b2b3c
+  data.tar.gz: e0ab738928ad2ff627eb22060064b02016fce0aa742eb0bd995d3cfbffd7ed2a
 SHA512:
-  metadata.gz: 45dcb3ec19cc2b62b3a642a3adbe3697a08eee3f6f79158b30e4b32dfecc4eb908f4d0c7a22958606b2cf3ba4cfefc93f17108b1ec159e49bdb4ed18540538aa
-  data.tar.gz: d5efd563f4a3bd518883d6ed8b8721cff49b81b9f0ccc0a382bb3e96ac4262ebbfe6535a12451f6d6a4ff61399cc5e79aeb64e13832443998dba2fa0fb2702ba
+  metadata.gz: a011343c68d88f25ec0ea67c2a47c74c826a67b1c354365c8d51d39ab3a08c622cc0f9ed631670b13fea35485467757be5aee34e1e94fcc4f579e862ec3040f1
+  data.tar.gz: 8b300a0eb554107049cf1d5fb2bc73c76e6bb4ebc24500c138da1b8dd4b0b945906231e8e3a3f97ee4f9dd8ce4913b5b944eae14dcd87296aafd05e126a950f1

data/CODEOWNERS

@@ -1,5 +1,5 @@
 # defaults
-* @puppetlabs/platform-core @puppetlabs/puppetserver-maintainers @puppetlabs/night-s-watch
+* @puppetlabs/phoenix @puppetlabs/puppetserver-maintainers
 
 # PAL
 /lib/puppet/pal @puppetlabs/bolt

data/Gemfile

@@ -3,7 +3,7 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org"
 gemspec
 
 def location_for(place, fake_version = nil)
-  if place.is_a?(String) && place =~ /^(git[:@][^#]*)#(.*)/
+  if place.is_a?(String) && place =~ /^((?:git[:@]|https:)[^#]*)#(.*)/
     [fake_version, { git: $1, branch: $2, require: false }].compact
   elsif place.is_a?(String) && place =~ /^file:\/\/(.*)/
     ['>= 0', { path: File.expand_path($1), require: false }]
@@ -26,7 +26,7 @@ group(:features) do
   #gem 'ruby-shadow', '~> 2.5', require: false, platforms: [:ruby]
   gem 'minitar', '~> 0.9', require: false
   gem 'msgpack', '~> 1.2', require: false
-  gem 'rdoc', '~> 6.0', require: false, platforms: [:ruby]
+  gem 'rdoc', ['~> 6.0', '< 6.4.0'], require: false, platforms: [:ruby]
   # requires native augeas headers/libs
   # gem 'ruby-augeas', require: false, platforms: [:ruby]
   # requires native ldap headers/libs

data/Gemfile.lock

@@ -1,10 +1,11 @@
 GIT
-  remote: git://github.com/puppetlabs/packaging
-  revision: 4c5359786cad0d12877e10e98948065bfeb3e304
+  remote: https://github.com/puppetlabs/packaging
+  revision: 478623dd22de2de32bbb7b7c340a8d80c269c9f4
   branch: 1.0.x
   specs:
-    packaging (0.103.0)
-      artifactory (~> 2)
+    packaging (0.106.0.20.g478623d)
+      apt_stage_artifacts
+      artifactory (~> 3)
       csv (= 3.1.5)
       rake (>= 12.3)
       release-metrics
@@ -12,12 +13,12 @@ GIT
 PATH
   remote: .
   specs:
-    puppet (7.12.1)
+    puppet (7.15.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
       facter (>= 2.4.0, < 5)
-      fast_gettext (~> 1.1)
+      fast_gettext (>= 1.1, < 3)
       hiera (>= 3.2.1, < 4)
       locale (~> 2.1)
       multi_json (~> 1.13)
@@ -30,21 +31,23 @@ GEM
     CFPropertyList (2.3.6)
     addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
-    artifactory (2.8.2)
+    apt_stage_artifacts (0.10.1)
+      docopt
+    artifactory (3.0.15)
     ast (2.4.2)
     coderay (1.1.3)
     concurrent-ruby (1.1.9)
     crack (0.4.5)
       rexml
     csv (3.1.5)
-    deep_merge (1.2.1)
-    diff-lcs (1.4.4)
+    deep_merge (1.2.2)
+    diff-lcs (1.5.0)
     docopt (0.6.1)
-    facter (4.2.5)
+    facter (4.2.7)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
     fast_gettext (1.1.2)
-    ffi (1.15.4)
+    ffi (1.15.5)
     gettext (3.2.9)
       locale (>= 2.0.5)
       text (>= 1.3.0)
@@ -53,7 +56,7 @@ GEM
       gettext (>= 3.0.2, < 3.3.0)
       locale
     hashdiff (1.0.1)
-    hiera (3.7.0)
+    hiera (3.8.0)
     hiera-eyaml (3.2.2)
       highline
       optimist
@@ -66,7 +69,7 @@ GEM
     memory_profiler (1.0.0)
     method_source (1.0.0)
     minitar (0.9)
-    msgpack (1.4.2)
+    msgpack (1.4.5)
     multi_json (1.15.0)
     mustache (1.1.1)
     optimist (3.0.1)
@@ -80,14 +83,14 @@ GEM
     public_suffix (4.0.6)
     puppet-resource_api (1.8.14)
       hocon (>= 1.0)
-    puppetserver-ca (2.3.5)
+    puppetserver-ca (2.3.6)
       facter (>= 2.0.1, < 5)
     racc (1.5.2)
     rainbow (2.2.2)
       rake
     rake (13.0.6)
     rdiscount (2.2.0.2)
-    rdoc (6.3.2)
+    rdoc (6.3.3)
     release-metrics (1.1.0)
       csv
       docopt
@@ -96,22 +99,22 @@ GEM
       hpricot (>= 0.8.2)
       mustache (>= 0.7.0)
       rdiscount (>= 1.5.8)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
+      rspec-support (~> 3.11.0)
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.10.2)
+    rspec-mocks (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.0)
     rubocop (0.49.1)
       parallel (~> 1.10)
       parser (>= 2.3.3.1, < 3.0)
@@ -126,17 +129,19 @@ GEM
     scanf (1.0.0)
     semantic_puppet (1.0.4)
     text (1.3.1)
-    thor (1.1.0)
+    thor (1.2.1)
     unicode-display_width (1.8.0)
     vcr (5.1.0)
     webmock (3.14.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    yard (0.9.26)
+    webrick (1.7.0)
+    yard (0.9.27)
+      webrick (~> 1.7.0)
 
 PLATFORMS
-  ruby
+  x86_64-linux
 
 DEPENDENCIES
   diff-lcs (~> 1.3)
@@ -155,7 +160,7 @@ DEPENDENCIES
   puppetserver-ca (~> 2.0)
   racc (= 1.5.2)
   rake (~> 13.0)
-  rdoc (~> 6.0)
+  rdoc (~> 6.0, < 6.4.0)
   ronn (~> 0.7.3)
   rspec (~> 3.1)
   rspec-expectations (~> 3.9, != 3.9.3)
@@ -169,4 +174,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   1.17.3
+   2.3.8

data/ext/project_data.yaml

@@ -21,7 +21,7 @@ gem_runtime_dependencies:
   facter: ['> 2.0.1', '< 5']
   hiera: ['>= 3.2.1', '< 4']
   semantic_puppet: '~> 1.0'
-  fast_gettext: '~> 1.1'
+  fast_gettext: ['>= 1.1', '< 3']
   locale: '~> 2.1'
   multi_json: '~> 1.10'
   puppet-resource_api: '~>1.5'

data/lib/puppet/application/lookup.rb

@@ -7,6 +7,7 @@ class Puppet::Application::Lookup < Puppet::Application
 
   RUN_HELP = _("Run 'puppet lookup --help' for more details").freeze
   DEEP_MERGE_OPTIONS = '--knock-out-prefix, --sort-merged-arrays, and --merge-hash-arrays'.freeze
+  TRUSTED_INFORMATION_FACTS = ["hostname", "domain", "fqdn", "clientcert"].freeze
 
   run_mode :server
 
@@ -54,11 +55,7 @@ class Puppet::Application::Lookup < Puppet::Application
   end
 
   option('--facts FACT_FILE') do |arg|
-    if %w{.yaml .yml .json}.include?(arg.match(/\.[^.]*$/)[0])
-      options[:fact_file] = arg
-    else
-      raise _("The --fact file only accepts yaml and json files.\n%{run_help}") % { run_help: RUN_HELP }
-    end
+    options[:fact_file] = arg
   end
 
   def app_defaults
@@ -137,7 +134,9 @@ DESCRIPTION
 The lookup command is a CLI for Puppet's 'lookup()' function. It searches your
 Hiera data and returns a value for the requested lookup key, so you can test and
 explore your data. It is a modern replacement for the 'hiera' command.
-
+Lookup uses the setting for global hiera.yaml from puppet's config,
+and the environment to find the environment level hiera.yaml as well as the
+resulting modulepath for the environment (for hiera.yaml files in modules).
 Hiera usually relies on a node's facts to locate the relevant data sources. By
 default, 'puppet lookup' uses facts from the node you run the command on, but
 you can get data for any other node with the '--node <NAME>' option. If
@@ -186,7 +185,8 @@ OPTIONS
 * --environment <ENV>
   Like with most Puppet commands, you can specify an environment on the command
   line. This is important for lookup because different environments can have
-  different Hiera data.
+  different Hiera data. This environment will be always be the one used regardless
+  of any other factors.
 
 * --merge first|unique|hash|deep:
   Specify the merge behavior, overriding any merge behavior from the data's
@@ -237,6 +237,13 @@ EXAMPLE
   To look up 'key_name' using the Puppet Server node's facts:
   $ puppet lookup key_name
 
+  To look up 'key_name' using the Puppet Server node's arbitrary variables from a manifest, and 
+  classify the node if applicable:
+  $ puppet lookup key_name --compile
+
+  To look up 'key_name' using the Puppet Server node's facts, overridden by facts given in a file:
+  $ puppet lookup key_name --facts fact_file.yaml
+
   To look up 'key_name' with agent.local's facts:
   $ puppet lookup --node agent.local key_name
 
@@ -341,31 +348,62 @@ Copyright (c) 2015 Puppet Inc., LLC Licensed under the Apache 2.0 License
       Puppet.settings[:facts_terminus] = 'facter'
     end
 
-    unless node.is_a?(Puppet::Node) # to allow unit tests to pass a node instance
-      ni = Puppet::Node.indirection
-      tc = ni.terminus_class
-      if tc == :plain || options[:compile]
-        node = ni.find(node)
-      else
-        ni.terminus_class = :plain
-        node = ni.find(node)
-        ni.terminus_class = tc
-      end
-    end
-
     fact_file = options[:fact_file]
 
     if fact_file
-      if fact_file.end_with?("json")
-        given_facts = Puppet::Util::Json.load(Puppet::FileSystem.read(fact_file, :encoding => 'utf-8'))
-      else
+      if fact_file.end_with?('.json')
+        given_facts = Puppet::Util::Json.load_file(fact_file)
+      elsif fact_file.end_with?('.yml', '.yaml')
         given_facts = Puppet::Util::Yaml.safe_load_file(fact_file)
+      else
+        given_facts = Puppet::Util::Json.load_file_if_valid(fact_file)
+        given_facts = Puppet::Util::Yaml.safe_load_file_if_valid(fact_file) unless given_facts
       end
 
       unless given_facts.instance_of?(Hash)
-        raise _("Incorrect formatted data in %{fact_file} given via the --facts flag") % { fact_file: fact_file }
+        raise _("Incorrectly formatted data in %{fact_file} given via the --facts flag (only accepts yaml and json files)") % { fact_file: fact_file }
+      end
+
+      if TRUSTED_INFORMATION_FACTS.any? { |key| given_facts.key? key }
+        unless TRUSTED_INFORMATION_FACTS.all? { |key| given_facts.key? key }
+          raise _("When overriding any of the %{trusted_facts_list} facts with %{fact_file} "\
+            "given via the --facts flag, they must all be overridden.") % { fact_file: fact_file ,trusted_facts_list: TRUSTED_INFORMATION_FACTS.join(',')}
+        end
       end
-      node.add_extra_facts(given_facts)
+    end
+
+    unless node.is_a?(Puppet::Node) # to allow unit tests to pass a node instance
+      facts = retrieve_node_facts(node, given_facts)
+      ni = Puppet::Node.indirection
+      tc = ni.terminus_class
+      if options[:compile] && !Puppet.settings.set_by_cli?('environment')
+        if tc == :plain
+          node = ni.find(node, facts: facts)
+        else
+          begin
+            service = Puppet.runtime[:http]
+            session = service.create_session
+            cert = session.route_to(:ca)
+
+            _, x509 = cert.get_certificate(node)
+            cert = OpenSSL::X509::Certificate.new(x509)
+            Puppet::SSL::Oids.register_puppet_oids
+            trusted = Puppet::Context::TrustedInformation.remote(true, facts.values['certname'] || node, Puppet::SSL::Certificate.from_instance(cert))
+            Puppet.override(trusted_information: trusted) do
+              node = ni.find(node, facts: facts)
+            end
+          rescue
+            Puppet.warning _("CA is not available, the operation will continue without using trusted facts.")
+            node = ni.find(node, facts: facts)
+          end
+        end
+      else
+        ni.terminus_class = :plain
+        node = ni.find(node, facts: facts, environment: Puppet[:environment])
+        ni.terminus_class = tc
+      end
+    else
+      node.add_extra_facts(given_facts) if given_facts
     end
 
     Puppet[:code] = 'undef' unless options[:compile]
@@ -378,4 +416,16 @@ Copyright (c) 2015 Puppet Inc., LLC Licensed under the Apache 2.0 License
       compiler.compile { |catalog| yield(compiler.topscope); catalog }
     end
   end
+
+  def retrieve_node_facts(node, given_facts)
+    facts = Puppet::Node::Facts.indirection.find(node, :environment => Puppet.lookup(:current_environment))
+
+    facts = Puppet::Node::Facts.new(node, {}) if facts.nil?
+    facts.add_extra_values(given_facts) if given_facts
+
+    if facts.values.empty?
+      raise _("No facts available for target node: %{node}") % { node: node}
+    end
+    facts
+  end
 end

data/lib/puppet/concurrent/thread_local_singleton.rb

@@ -5,10 +5,12 @@ module Puppet
       def singleton
         key = (name + ".singleton").intern
         thread = Thread.current
-        unless thread.thread_variable?(key)
-          thread.thread_variable_set(key, new)
+        value = thread.thread_variable_get(key)
+        if value.nil?
+          value = new
+          thread.thread_variable_set(key, value)
         end
-        thread.thread_variable_get(key)
+        value
       end
     end
   end

data/lib/puppet/configurer.rb

@@ -392,7 +392,7 @@ class Puppet::Configurer
         Puppet.debug(_("Environment not passed via CLI and no catalog was given, attempting to find out the last server-specified environment"))
         initial_environment, loaded_last_environment = last_server_specified_environment
 
-        unless loaded_last_environment
+        unless Puppet[:use_last_environment] && loaded_last_environment
           Puppet.debug(_("Requesting environment from the server"))
           initial_environment = current_server_specified_environment(@environment, configured_environment, options)
         end
@@ -418,7 +418,7 @@ class Puppet::Configurer
       temp_value = options[:pluginsync]
 
       # only validate server environment if pluginsync is requested
-      options[:pluginsync] = valid_server_environment? if options[:pluginsync] == true
+      options[:pluginsync] = valid_server_environment? if options[:pluginsync]
 
       query_options, facts = get_facts(options) unless query_options
       options[:pluginsync] = temp_value
@@ -531,7 +531,11 @@ class Puppet::Configurer
       true
     rescue Puppet::HTTP::ResponseError => detail
       if detail.response.code == 404
-        Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
+        if Puppet[:strict_environment_mode]
+          raise Puppet::Error.new(_("Environment '%{environment}' not found on server, aborting run.") % { environment: @environment })
+        else
+          Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
+        end
       else
         Puppet.log_exception(detail, detail.message)
       end
@@ -601,17 +605,7 @@ class Puppet::Configurer
                                              :transaction_uuid => @transaction_uuid,
                                              :fail_on_404 => true)
 
-        # The :rest node terminus returns a node with an environment_name, but not an
-        # environment instance. Attempting to get the environment instance will load
-        # it from disk, which will likely fail. So create a remote environment.
-        #
-        # The :plain node terminus returns a node with an environment, but not an
-        # environment_name.
-        if !node.has_environment_instance? && node.environment_name
-          node.environment = Puppet::Node::Environment.remote(node.environment_name)
-        end
-
-        @server_specified_environment = node.environment.to_s
+        @server_specified_environment = node.environment_name.to_s
 
         if @server_specified_environment != @environment
           Puppet.notice _("Local environment: '%{local_env}' doesn't match server specified node environment '%{node_env}', switching agent to '%{node_env}'.") % { local_env: @environment, node_env: @server_specified_environment }

data/lib/puppet/defaults.rb

@@ -421,6 +421,17 @@ module Puppet
         <https://puppet.com/docs/puppet/latest/environments_about.html>",
       :type    => :path,
     },
+    :use_last_environment => {
+      :type     => :boolean,
+      :default  => true,
+      :desc     => <<-'EOT'
+      Puppet saves both the initial and converged environment in the last_run_summary file.
+      If they differ, and this setting is set to true, we will use the last converged
+      environment and skip the node request.
+
+      When set to false, we will do the node request and ignore the environment data from the last_run_summary file.
+    EOT
+    },
     :always_retry_plugins => {
         :type     => :boolean,
         :default  => true,
@@ -1983,7 +1994,8 @@ EOT
       :call_hook => :on_initialize_and_write, # Call our hook with the default value, so we always get the value added to facter.
       :hook => proc do |value|
         paths = value.split(File::PATH_SEPARATOR)
-        Puppet.runtime[:facter].search(*paths)
+        facter = Puppet.runtime[:facter]
+        facter.search(*paths)
       end
     }
   )

data/lib/puppet/face/generate.rb

@@ -58,6 +58,8 @@ Puppet::Face.define(:generate, '0.1.0') do
       Puppet::FileSystem::mkpath(outputdir)
 
       generator.generate(inputs, outputdir, options[:force])
+
+      exit(1) if generator.bad_input?
       nil
     end
   end

data/lib/puppet/file_serving/metadata.rb

@@ -118,6 +118,9 @@ class Puppet::FileServing::Metadata < Puppet::FileServing::Base
     when "link"
       @destination = Puppet::FileSystem.readlink(real_path)
       @checksum = ("{#{@checksum_type}}") + send("#{@checksum_type}_file", real_path).to_s rescue nil
+    when "fifo", "socket"
+      @checksum_type = "none"
+      @checksum = ("{#{@checksum_type}}") + send("#{@checksum_type}_file", real_path).to_s
     else
       raise ArgumentError, _("Cannot manage files of type %{file_type}") % { file_type: stat.ftype }
     end

data/lib/puppet/file_system/file_impl.rb

@@ -130,23 +130,23 @@ class Puppet::FileSystem::FileImpl
   end
 
   def symlink?(path)
-    File.symlink?(path)
+    ::File.symlink?(path)
   end
 
   def readlink(path)
-    File.readlink(path)
+    ::File.readlink(path)
   end
 
   def unlink(*paths)
-    File.unlink(*paths)
+    ::File.unlink(*paths)
   end
 
   def stat(path)
-    File.stat(path)
+    ::File.stat(path)
   end
 
   def lstat(path)
-    File.lstat(path)
+    ::File.lstat(path)
   end
 
   def compare_stream(path, stream)
@@ -159,7 +159,7 @@ class Puppet::FileSystem::FileImpl
 
   def replace_file(path, mode = nil)
     begin
-      stat = Puppet::FileSystem.lstat(path)
+      stat = lstat(path)
       gid = stat.gid
       uid = stat.uid
       mode ||= stat.mode & 07777
@@ -180,7 +180,7 @@ class Puppet::FileSystem::FileImpl
       tempfile_path = tempfile.path
       FileUtils.chown(uid, gid, tempfile_path) if uid && gid
       chmod(mode, tempfile_path)
-      File.rename(tempfile_path, Puppet::FileSystem.path_string(path))
+      ::File.rename(tempfile_path, path_string(path))
     ensure
       tempfile.close!
     end

data/lib/puppet/file_system/jruby.rb

@@ -14,7 +14,7 @@ class Puppet::FileSystem::JRuby < Puppet::FileSystem::Posix
   def replace_file(path, mode = nil, &block)
     # MRI Ruby rename checks if destination is a directory and raises, while
     # JRuby removes the directory and replaces the file.
-    if Puppet::FileSystem.directory?(path)
+    if directory?(path)
       raise Errno::EISDIR, _("Is a directory: %{directory}") % { directory: path }
     end
 

data/lib/puppet/file_system/path_pattern.rb

@@ -5,10 +5,9 @@ module Puppet::FileSystem
   class PathPattern
     class InvalidPattern < Puppet::Error; end
 
-    TRAVERSAL = /^\.\.$/
+    DOTDOT = '..'.freeze
     ABSOLUTE_UNIX = /^\//
     ABSOLUTE_WINDOWS = /^[a-z]:/i
-    #ABSOLUT_VODKA #notappearinginthisclass
     CURRENT_DRIVE_RELATIVE_WINDOWS = /^\\/
 
     def self.relative(pattern)
@@ -32,11 +31,11 @@ module Puppet::FileSystem
     end
 
     def glob
-      Dir.glob(pathname.to_s)
+      Dir.glob(@pathstr)
     end
 
     def to_s
-      pathname.to_s
+      @pathstr
     end
 
     protected
@@ -46,13 +45,9 @@ module Puppet::FileSystem
     private
 
     def validate
-      @pathname.each_filename do |e|
-        if e =~ TRAVERSAL
-          raise(InvalidPattern, _("PathPatterns cannot be created with directory traversals."))
-        end
-      end
-      case @pathname.to_s
-      when CURRENT_DRIVE_RELATIVE_WINDOWS
+      if @pathstr.split(Pathname::SEPARATOR_PAT).any? { |f| f == DOTDOT }
+        raise(InvalidPattern, _("PathPatterns cannot be created with directory traversals."))
+      elsif @pathstr.match?(CURRENT_DRIVE_RELATIVE_WINDOWS)
         raise(InvalidPattern, _("A PathPattern cannot be a Windows current drive relative path."))
       end
     end
@@ -60,6 +55,7 @@ module Puppet::FileSystem
     def initialize(pattern)
       begin
         @pathname = Pathname.new(pattern.strip)
+        @pathstr = @pathname.to_s
       rescue ArgumentError => error
         raise InvalidPattern.new(_("PathPatterns cannot be created with a zero byte."), error)
       end
@@ -74,10 +70,9 @@ module Puppet::FileSystem
 
     def validate
       super
-      case @pathname.to_s
-      when ABSOLUTE_WINDOWS
+      if @pathstr.match?(ABSOLUTE_WINDOWS)
         raise(InvalidPattern, _("A relative PathPattern cannot be prefixed with a drive."))
-      when ABSOLUTE_UNIX
+      elsif @pathstr.match?(ABSOLUTE_UNIX)
         raise(InvalidPattern, _("A relative PathPattern cannot be an absolute path."))
       end
     end
@@ -90,7 +85,7 @@ module Puppet::FileSystem
 
     def validate
       super
-      if @pathname.to_s !~ ABSOLUTE_UNIX and @pathname.to_s !~ ABSOLUTE_WINDOWS
+      if !@pathstr.match?(ABSOLUTE_UNIX) && !@pathstr.match?(ABSOLUTE_WINDOWS)
         raise(InvalidPattern, _("An absolute PathPattern cannot be a relative path."))
       end
     end

data/lib/puppet/file_system/uniquefile.rb

@@ -127,7 +127,7 @@ class Puppet::FileSystem::Uniquefile < DelegateClass(File)
     tmpdir ||= tmpdir()
     n = nil
     begin
-      path = File.expand_path(make_tmpname(basename, n), tmpdir)
+      path = File.join(tmpdir, make_tmpname(basename, n))
       yield(path, n, *opts)
     rescue Errno::EEXIST
       n ||= 0

data/lib/puppet/file_system/windows.rb

@@ -123,7 +123,7 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
   LOCK_VIOLATION = 33
 
   def replace_file(path, mode = nil)
-    if Puppet::FileSystem.directory?(path)
+    if directory?(path)
       raise Errno::EISDIR, _("Is a directory: %{directory}") % { directory: path }
     end
 
@@ -159,14 +159,14 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
       end
 
       set_dacl(tempfile.path, dacl) if dacl
-      File.rename(tempfile.path, Puppet::FileSystem.path_string(path))
+      ::File.rename(tempfile.path, path_string(path))
     ensure
       tempfile.close!
     end
   rescue Puppet::Util::Windows::Error => e
     case e.code
     when ACCESS_DENIED, SHARING_VIOLATION, LOCK_VIOLATION
-      raise Errno::EACCES.new(Puppet::FileSystem.path_string(path), e)
+      raise Errno::EACCES.new(path_string(path), e)
     else
       raise SystemCallError.new(e.message)
     end
@@ -193,7 +193,7 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
   end
 
   def get_dacl_from_file(path)
-    sd = Puppet::Util::Windows::Security.get_security_descriptor(Puppet::FileSystem.path_string(path))
+    sd = Puppet::Util::Windows::Security.get_security_descriptor(path_string(path))
     sd.dacl
   rescue Puppet::Util::Windows::Error => e
     raise e unless e.code == FILE_NOT_FOUND

data/lib/puppet/file_system.rb

@@ -397,7 +397,7 @@ module Puppet::FileSystem
   # @api public
   #
   def self.chmod(mode, path)
-    @impl.chmod(mode, path)
+    @impl.chmod(mode, assert_path(path))
   end
 
   # Replace the contents of a file atomically, creating the file if necessary.