puppet 7.13.1-x64-mingw32 → 7.16.0-x64-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25259cd4567045cebd4357999ad05061027308464aa48d09b26ded67dda9d67f
-  data.tar.gz: d42f0f3bbe8c442eb5d82c4327fbd643423198944e5844c6b20c1464887d83e1
+  metadata.gz: d970fc3081c1f274db3199e615d213776542d27ce4043a6d155ba28016e8965d
+  data.tar.gz: 25dd46d4c27898d532d918d058d744a992959cda11d79ae5a12d902f26c4360f
 SHA512:
-  metadata.gz: 65a7d5a72d4e2cf54b8256347b9bc1b8dbef894dcf9cfdff1645aa2aa53d21643a905b6f29364835146c0292fa6cf2d4ec98422491b27a4510bbada347fd3495
-  data.tar.gz: c49b9358667b61a79d075ac1c5ce527bd1792506f54294a9b65f5457b3e0f14090a9d36f651f71b213c108483a0b35417588c9bd623368dd1628b892169db37b
+  metadata.gz: 14f99fbee6289753cdd96876b973627e1f17e7b888dbdd04803671ce192b35e2d44b55850d3bc9ba40d1c61a14874d69e0d45ec926914533dd39217a0f88948d
+  data.tar.gz: 0e5329faafcac9f60da50eb37f6a3cf6b3637bb09adb8f48d6a190a20ecec1f3047102dfb780124a27ee1906f5e9ce84c5aa49458109cba017808974b131c5b8

data/CODEOWNERS

@@ -1,5 +1,5 @@
 # defaults
-* @puppetlabs/platform-core @puppetlabs/puppetserver-maintainers @puppetlabs/night-s-watch
+* @puppetlabs/phoenix @puppetlabs/puppetserver-maintainers
 
 # PAL
 /lib/puppet/pal @puppetlabs/bolt

data/Gemfile

@@ -26,7 +26,7 @@ group(:features) do
   #gem 'ruby-shadow', '~> 2.5', require: false, platforms: [:ruby]
   gem 'minitar', '~> 0.9', require: false
   gem 'msgpack', '~> 1.2', require: false
-  gem 'rdoc', '~> 6.0', require: false, platforms: [:ruby]
+  gem 'rdoc', ['~> 6.0', '< 6.4.0'], require: false, platforms: [:ruby]
   # requires native augeas headers/libs
   # gem 'ruby-augeas', require: false, platforms: [:ruby]
   # requires native ldap headers/libs

data/Gemfile.lock

@@ -1,11 +1,11 @@
 GIT
   remote: https://github.com/puppetlabs/packaging
-  revision: 98613aaebad419700b4c37163fe3bbc612f2239d
+  revision: 0b07772b72c5e4076e145bab3d56d42331ec342b
   branch: 1.0.x
   specs:
-    packaging (0.104.0.4.g98613aa)
+    packaging (0.106.1)
       apt_stage_artifacts
-      artifactory (~> 2)
+      artifactory (~> 3)
       csv (= 3.1.5)
       rake (>= 12.3)
       release-metrics
@@ -13,7 +13,7 @@ GIT
 PATH
   remote: .
   specs:
-    puppet (7.13.1)
+    puppet (7.16.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -33,21 +33,21 @@ GEM
       public_suffix (>= 2.0.2, < 5.0)
     apt_stage_artifacts (0.10.1)
       docopt
-    artifactory (2.8.2)
+    artifactory (3.0.15)
     ast (2.4.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.9)
+    concurrent-ruby (1.1.10)
     crack (0.4.5)
       rexml
     csv (3.1.5)
-    deep_merge (1.2.1)
-    diff-lcs (1.4.4)
+    deep_merge (1.2.2)
+    diff-lcs (1.5.0)
     docopt (0.6.1)
-    facter (4.2.5)
+    facter (4.2.9)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
     fast_gettext (1.1.2)
-    ffi (1.15.4)
+    ffi (1.15.5)
     gettext (3.2.9)
       locale (>= 2.0.5)
       text (>= 1.3.0)
@@ -56,7 +56,7 @@ GEM
       gettext (>= 3.0.2, < 3.3.0)
       locale
     hashdiff (1.0.1)
-    hiera (3.7.0)
+    hiera (3.8.0)
     hiera-eyaml (3.2.2)
       highline
       optimist
@@ -69,21 +69,21 @@ GEM
     memory_profiler (1.0.0)
     method_source (1.0.0)
     minitar (0.9)
-    msgpack (1.4.2)
+    msgpack (1.5.1)
     multi_json (1.15.0)
     mustache (1.1.1)
     optimist (3.0.1)
-    parallel (1.21.0)
+    parallel (1.22.1)
     parser (2.7.2.0)
       ast (~> 2.4.1)
     powerpack (0.1.3)
     pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (4.0.6)
+    public_suffix (4.0.7)
     puppet-resource_api (1.8.14)
       hocon (>= 1.0)
-    puppetserver-ca (2.3.5)
+    puppetserver-ca (2.3.6)
       facter (>= 2.0.1, < 5)
     racc (1.5.2)
     rainbow (2.2.2)
@@ -99,22 +99,22 @@ GEM
       hpricot (>= 0.8.2)
       mustache (>= 0.7.0)
       rdiscount (>= 1.5.8)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
+      rspec-support (~> 3.11.0)
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.10.2)
+    rspec-mocks (3.11.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.3)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.0)
     rubocop (0.49.1)
       parallel (~> 1.10)
       parser (>= 2.3.3.1, < 3.0)
@@ -129,7 +129,7 @@ GEM
     scanf (1.0.0)
     semantic_puppet (1.0.4)
     text (1.3.1)
-    thor (1.1.0)
+    thor (1.2.1)
     unicode-display_width (1.8.0)
     vcr (5.1.0)
     webmock (3.14.0)
@@ -141,7 +141,7 @@ GEM
       webrick (~> 1.7.0)
 
 PLATFORMS
-  ruby
+  x86_64-linux
 
 DEPENDENCIES
   diff-lcs (~> 1.3)
@@ -160,7 +160,7 @@ DEPENDENCIES
   puppetserver-ca (~> 2.0)
   racc (= 1.5.2)
   rake (~> 13.0)
-  rdoc (~> 6.0)
+  rdoc (~> 6.0, < 6.4.0)
   ronn (~> 0.7.3)
   rspec (~> 3.1)
   rspec-expectations (~> 3.9, != 3.9.3)
@@ -174,4 +174,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   1.17.3
+   2.3.10

data/lib/puppet/application/lookup.rb

@@ -373,32 +373,34 @@ Copyright (c) 2015 Puppet Inc., LLC Licensed under the Apache 2.0 License
     end
 
     unless node.is_a?(Puppet::Node) # to allow unit tests to pass a node instance
-      facts = retrieve_node_facts(node, given_facts) 
-      if Puppet.settings.set_by_cli?('environment')
-        node = Puppet::Node.new(node, :classes => nil, :parameters => nil, :facts => facts, :environment => Puppet.settings.value('environment'))
-      else
-        ni = Puppet::Node.indirection
-        tc = ni.terminus_class
-
-        service = Puppet.runtime[:http]
-        session = service.create_session
-        cert = session.route_to(:ca)
-
-        _, x509 = cert.get_certificate(node)
-        cert = OpenSSL::X509::Certificate.new(x509)
-
-        Puppet::SSL::Oids.register_puppet_oids
-        trusted = Puppet::Context::TrustedInformation.remote(true, facts.values['certname'] || node, Puppet::SSL::Certificate.from_instance(cert))
-
-        Puppet.override(trusted_information: trusted) do
-          if tc == :plain || options[:compile]
-            node = ni.find(node, facts: facts)
-          else
-            ni.terminus_class = :plain
+      facts = retrieve_node_facts(node, given_facts)
+      ni = Puppet::Node.indirection
+      tc = ni.terminus_class
+      if options[:compile] && !Puppet.settings.set_by_cli?('environment')
+        if tc == :plain
+          node = ni.find(node, facts: facts)
+        else
+          begin
+            service = Puppet.runtime[:http]
+            session = service.create_session
+            cert = session.route_to(:ca)
+
+            _, x509 = cert.get_certificate(node)
+            cert = OpenSSL::X509::Certificate.new(x509)
+            Puppet::SSL::Oids.register_puppet_oids
+            trusted = Puppet::Context::TrustedInformation.remote(true, facts.values['certname'] || node, Puppet::SSL::Certificate.from_instance(cert))
+            Puppet.override(trusted_information: trusted) do
+              node = ni.find(node, facts: facts)
+            end
+          rescue
+            Puppet.warning _("CA is not available, the operation will continue without using trusted facts.")
             node = ni.find(node, facts: facts)
-            ni.terminus_class = tc
           end
         end
+      else
+        ni.terminus_class = :plain
+        node = ni.find(node, facts: facts, environment: Puppet[:environment])
+        ni.terminus_class = tc
       end
     else
       node.add_extra_facts(given_facts) if given_facts

data/lib/puppet/configurer.rb

@@ -392,7 +392,7 @@ class Puppet::Configurer
         Puppet.debug(_("Environment not passed via CLI and no catalog was given, attempting to find out the last server-specified environment"))
         initial_environment, loaded_last_environment = last_server_specified_environment
 
-        unless loaded_last_environment
+        unless Puppet[:use_last_environment] && loaded_last_environment
           Puppet.debug(_("Requesting environment from the server"))
           initial_environment = current_server_specified_environment(@environment, configured_environment, options)
         end
@@ -418,7 +418,7 @@ class Puppet::Configurer
       temp_value = options[:pluginsync]
 
       # only validate server environment if pluginsync is requested
-      options[:pluginsync] = valid_server_environment? if options[:pluginsync] == true
+      options[:pluginsync] = valid_server_environment? if options[:pluginsync]
 
       query_options, facts = get_facts(options) unless query_options
       options[:pluginsync] = temp_value
@@ -531,7 +531,11 @@ class Puppet::Configurer
       true
     rescue Puppet::HTTP::ResponseError => detail
       if detail.response.code == 404
-        Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
+        if Puppet[:strict_environment_mode]
+          raise Puppet::Error.new(_("Environment '%{environment}' not found on server, aborting run.") % { environment: @environment })
+        else
+          Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
+        end
       else
         Puppet.log_exception(detail, detail.message)
       end
@@ -601,17 +605,7 @@ class Puppet::Configurer
                                              :transaction_uuid => @transaction_uuid,
                                              :fail_on_404 => true)
 
-        # The :rest node terminus returns a node with an environment_name, but not an
-        # environment instance. Attempting to get the environment instance will load
-        # it from disk, which will likely fail. So create a remote environment.
-        #
-        # The :plain node terminus returns a node with an environment, but not an
-        # environment_name.
-        if !node.has_environment_instance? && node.environment_name
-          node.environment = Puppet::Node::Environment.remote(node.environment_name)
-        end
-
-        @server_specified_environment = node.environment.to_s
+        @server_specified_environment = node.environment_name.to_s
 
         if @server_specified_environment != @environment
           Puppet.notice _("Local environment: '%{local_env}' doesn't match server specified node environment '%{node_env}', switching agent to '%{node_env}'.") % { local_env: @environment, node_env: @server_specified_environment }

data/lib/puppet/defaults.rb

@@ -421,6 +421,17 @@ module Puppet
         <https://puppet.com/docs/puppet/latest/environments_about.html>",
       :type    => :path,
     },
+    :use_last_environment => {
+      :type     => :boolean,
+      :default  => true,
+      :desc     => <<-'EOT'
+      Puppet saves both the initial and converged environment in the last_run_summary file.
+      If they differ, and this setting is set to true, we will use the last converged
+      environment and skip the node request.
+
+      When set to false, we will do the node request and ignore the environment data from the last_run_summary file.
+    EOT
+    },
     :always_retry_plugins => {
         :type     => :boolean,
         :default  => true,
@@ -1984,7 +1995,6 @@ EOT
       :hook => proc do |value|
         paths = value.split(File::PATH_SEPARATOR)
         facter = Puppet.runtime[:facter]
-        facter.reset
         facter.search(*paths)
       end
     }

data/lib/puppet/face/generate.rb

@@ -58,6 +58,8 @@ Puppet::Face.define(:generate, '0.1.0') do
       Puppet::FileSystem::mkpath(outputdir)
 
       generator.generate(inputs, outputdir, options[:force])
+
+      exit(1) if generator.bad_input?
       nil
     end
   end

data/lib/puppet/functions/next.rb

@@ -1,8 +1,25 @@
 # Makes iteration continue with the next value, optionally with a given value for this iteration.
 # If a value is not given it defaults to `undef`
+# 
+# @example Using the `next()` function
 #
-# @since 4.7.0
+# ```puppet
+# $data = ['a','b','c']
+# $data.each |Integer $index, String $value| {
+#   if $index == 1 {
+#     next()
+#   }
+#   notice ("${index} = ${value}")
+# }
+# ```
+#
+# Would notice:
+# ```
+# Notice: Scope(Class[main]): 0 = a
+# Notice: Scope(Class[main]): 2 = c
+# ```
 #
+# @since 4.7.0
 Puppet::Functions.create_function(:next) do
   dispatch :next_impl do
     optional_param 'Any', :value

data/lib/puppet/functions/tree_each.rb

@@ -112,7 +112,6 @@
 # * `reverse_each` - get "leaves before root"
 # * `filter` - prune the tree
 # * `map` - transform each element
-# * `reduce` - produce something else
 #
 # Note than when chaining, the value passed on is a `Tuple` with `[path, value]`.
 #

data/lib/puppet/generate/type.rb

@@ -134,6 +134,9 @@ module Puppet
         inputs.sort_by! { |input| input.path }
       end
 
+      def self.bad_input?
+        @bad_input
+      end
       # Generates files for the given inputs.
       # If a file is up to date (newer than input) it is kept.
       # If a file is out of date it is regenerated.
@@ -170,6 +173,8 @@ module Puppet
         }
 
         up_to_date = true
+        @bad_input = false
+
         Puppet.notice _('Generating Puppet resource types.')
         inputs.each do |input|
           if !force && input.up_to_date?(outputdir)
@@ -187,6 +192,7 @@ module Puppet
             raise
           rescue Exception => e
             # Log the exception and move on to the next input
+            @bad_input = true
             Puppet.log_exception(e, _("Failed to load custom type '%{type_name}' from '%{input}': %{message}") % { type_name: type_name, input: input, message: e.message })
             next
           end
@@ -205,6 +211,7 @@ module Puppet
           begin
             model = Models::Type::Type.new(type)
           rescue Exception => e
+            @bad_input = true
             # Move on to the next input
             Puppet.log_exception(e, "#{input}: #{e.message}")
             next
@@ -214,6 +221,7 @@ module Puppet
           begin
             result = model.render(templates[input.template_path])
           rescue Exception => e
+            @bad_input = true
             Puppet.log_exception(e)
             raise
           end
@@ -227,6 +235,7 @@ module Puppet
               file.write(result)
             end
           rescue Exception => e
+            @bad_input = true
             Puppet.log_exception(e, _("Failed to generate '%{effective_output_path}': %{message}") % { effective_output_path: effective_output_path, message: e.message })
             # Move on to the next input
             next

data/lib/puppet/http/client.rb

@@ -19,7 +19,7 @@
 #   response = client.get(URI("http://www.example.com"))
 #
 # @example To make an HTTPS GET request, trusting the puppet CA and certs in Puppet's CA bundle:
-#   response = client.get(URI("https://www.example.com"), include_system_store: true)
+#   response = client.get(URI("https://www.example.com"), options: { include_system_store: true })
 #
 # @example To use a URL containing special characters, such as spaces:
 #  response = client.get(URI(Puppet::Util.uri_encode("https://www.example.com/path to file")))

data/lib/puppet/node.rb

@@ -89,7 +89,7 @@ class Puppet::Node
     unless @environment.nil?
       # always set the environment parameter. It becomes top scope $environment for a manifest during catalog compilation.
       @parameters[ENVIRONMENT] = @environment.name.to_s
-      self.environment_name = @environment.name if instance_variable_defined?(:@environment_name)
+      self.environment_name = @environment.name
     end
     @environment
   end

data/lib/puppet/resource/type_collection.rb

@@ -24,6 +24,7 @@ class Puppet::Resource::TypeCollection
     @definitions = {}
     @nodes = {}
     @notfound = {}
+    # always lock the environment before acquiring this lock
     @lock = Puppet::Concurrent::Lock.new
 
     # So we can keep a list and match the first-defined regex
@@ -185,26 +186,29 @@ class Puppet::Resource::TypeCollection
   # Resolve namespaces and find the given object.  Autoload it if
   # necessary.
   def find_or_load(name, type)
-    @lock.synchronize do
-      # Name is always absolute, but may start with :: which must be removed
-      fqname = (name[0,2] == COLON_COLON ? name[2..-1] : name)
-
-      result = send(type, fqname)
-      unless result
-        if @notfound[ fqname ] && Puppet[ :ignoremissingtypes ]
-          # do not try to autoload if we already tried and it wasn't conclusive
-          # as this is a time consuming operation. Warn the user.
-          # Check first if debugging is on since the call to debug_once is expensive
-          if Puppet[:debug]
-            debug_once _("Not attempting to load %{type} %{fqname} as this object was missing during a prior compilation") % { type: type, fqname: fqname }
+    # always lock the environment before locking the type collection
+    @environment.lock.synchronize do
+      @lock.synchronize do
+        # Name is always absolute, but may start with :: which must be removed
+        fqname = (name[0,2] == COLON_COLON ? name[2..-1] : name)
+
+        result = send(type, fqname)
+        unless result
+          if @notfound[ fqname ] && Puppet[ :ignoremissingtypes ]
+            # do not try to autoload if we already tried and it wasn't conclusive
+            # as this is a time consuming operation. Warn the user.
+            # Check first if debugging is on since the call to debug_once is expensive
+            if Puppet[:debug]
+              debug_once _("Not attempting to load %{type} %{fqname} as this object was missing during a prior compilation") % { type: type, fqname: fqname }
+            end
+          else
+            fqname = munge_name(fqname)
+            result = loader.try_load_fqname(type, fqname)
+            @notfound[ fqname ] = result.nil?
           end
-        else
-          fqname = munge_name(fqname)
-          result = loader.try_load_fqname(type, fqname)
-          @notfound[ fqname ] = result.nil?
         end
+        result
       end
-      result
     end
   end
 

data/lib/puppet/ssl/ssl_provider.rb

@@ -68,8 +68,7 @@ class Puppet::SSL::SSLProvider
   # @raise (see #create_context)
   # @api private
   def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
-    store = create_x509_store(cacerts, [], false)
-    store.set_default_paths
+    store = create_x509_store(cacerts, [], false, include_system_store: true)
 
     if path
       stat = Puppet::FileSystem.stat(path)
@@ -111,19 +110,20 @@ class Puppet::SSL::SSLProvider
   # @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
   #   key matches the `private_key`
   # @param revocation [:chain, :leaf, false] revocation mode
+  # @param include_system_store [true, false] Also trust system CA
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise [Puppet::SSL::CertVerifyError] There was an issue with
   #   one of the certs or CRLs.
   # @raise [Puppet::SSL::SSLError] There was an issue with the
   #   `private_key`.
   # @api private
-  def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation])
+  def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation], include_system_store: false)
     raise ArgumentError, _("CA certs are missing") unless cacerts
     raise ArgumentError, _("CRLs are missing") unless crls
     raise ArgumentError, _("Private key is missing") unless private_key
     raise ArgumentError, _("Client cert is missing") unless client_cert
 
-    store = create_x509_store(cacerts, crls, revocation)
+    store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
     client_chain = verify_cert_with_store(store, client_cert)
 
     if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
@@ -151,12 +151,13 @@ class Puppet::SSL::SSLProvider
   # @param password [String, nil] If the private key is encrypted, decrypt
   #   it using the password. If the key is encrypted, but a password is
   #   not specified, then the key cannot be loaded.
+  # @param include_system_store [true, false] Also trust system CA
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise [Puppet::SSL::CertVerifyError] There was an issue with
   #   one of the certs or CRLs.
   # @raise [Puppet::Error] There was an issue with one of the required components.
   # @api private
-  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
+  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil, include_system_store: false)
     cert = Puppet::X509::CertProvider.new
     cacerts = cert.load_cacerts(required: true)
     crls = case revocation
@@ -168,7 +169,7 @@ class Puppet::SSL::SSLProvider
     private_key = cert.load_private_key(certname, required: true, password: password)
     client_cert = cert.load_client_cert(certname, required: true)
 
-    create_context(cacerts: cacerts, crls: crls,  private_key: private_key, client_cert: client_cert, revocation: revocation)
+    create_context(cacerts: cacerts, crls: crls,  private_key: private_key, client_cert: client_cert, revocation: revocation, include_system_store: include_system_store)
   rescue OpenSSL::PKey::PKeyError => e
     raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
   end
@@ -203,7 +204,7 @@ class Puppet::SSL::SSLProvider
     end
   end
 
-  def create_x509_store(roots, crls, revocation)
+  def create_x509_store(roots, crls, revocation, include_system_store: false)
     store = OpenSSL::X509::Store.new
     store.purpose = OpenSSL::X509::PURPOSE_ANY
     store.flags = default_flags | revocation_mode(revocation)
@@ -211,6 +212,8 @@ class Puppet::SSL::SSLProvider
     roots.each { |cert| store.add_cert(cert) }
     crls.each { |crl| store.add_crl(crl) }
 
+    store.set_default_paths if include_system_store
+
     store
   end
 

data/lib/puppet/type/exec.rb

@@ -457,7 +457,7 @@ module Puppet
 
             exec { '/bin/echo root >> /usr/lib/cron/cron.allow':
               path   => '/usr/bin:/usr/sbin:/bin',
-              unless => 'grep root /usr/lib/cron/cron.allow 2>/dev/null',
+              unless => 'grep ^root$ /usr/lib/cron/cron.allow 2>/dev/null',
             }
 
         This would add `root` to the cron.allow file (on Solaris) unless

data/lib/puppet/type/user.rb

@@ -693,7 +693,7 @@ module Puppet
     end
 
     def generate
-      if !self[:purge_ssh_keys].empty? && self[:purge_ssh_keys] != :false
+      if !self[:purge_ssh_keys].empty?
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
         else

data/lib/puppet/util/monkey_patches.rb

@@ -79,8 +79,6 @@ unless Puppet::Util::Platform.jruby_fips?
 end
 
 if Puppet::Util::Platform.windows?
-  require_relative '../../puppet/util/windows'
-
   class OpenSSL::X509::Store
     @puppet_certs_loaded = false
     alias __original_set_default_paths set_default_paths

data/lib/puppet/util/yaml.rb

@@ -24,7 +24,11 @@ module Puppet::Util::Yaml
   # @raise [YamlLoadException] If deserialization fails.
   # @return The parsed YAML, which can be Hash, Array or scalar types.
   def self.safe_load(yaml, allowed_classes = [], filename = nil)
-    data = YAML.safe_load(yaml, allowed_classes, [], true, filename)
+    if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.1.0')
+      data = YAML.safe_load(yaml, permitted_classes: allowed_classes, aliases: true, filename: filename)
+    else
+      data = YAML.safe_load(yaml, allowed_classes, [], true, filename)
+    end
     data = false if data.nil?
     data
   rescue ::Psych::DisallowedClass => detail

data/lib/puppet/util.rb

@@ -7,6 +7,7 @@ require 'uri'
 require 'pathname'
 require 'ostruct'
 require_relative 'util/platform'
+require_relative 'util/windows'
 require_relative 'util/symbolic_file_mode'
 require_relative '../puppet/file_system/uniquefile'
 require 'securerandom'

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '7.13.1'
+  PUPPETVERSION = '7.16.0'
 
   ##
   # version is a public API method intended to always provide a fast and