puppet 7.14.0-x86-mingw32 → 7.17.0-x86-mingw32

Sign up to get free protection for your applications and to get access to all the features.
Files changed (77) hide show
  1. checksums.yaml +4 -4
  2. data/CODEOWNERS +1 -1
  3. data/Gemfile.lock +86 -25
  4. data/ext/systemd/puppet.service +1 -1
  5. data/lib/puppet/agent.rb +20 -2
  6. data/lib/puppet/application/agent.rb +3 -13
  7. data/lib/puppet/application/apply.rb +2 -2
  8. data/lib/puppet/application/lookup.rb +24 -28
  9. data/lib/puppet/configurer.rb +7 -3
  10. data/lib/puppet/defaults.rb +11 -2
  11. data/lib/puppet/functions/next.rb +18 -1
  12. data/lib/puppet/functions/tree_each.rb +0 -1
  13. data/lib/puppet/http/client.rb +23 -3
  14. data/lib/puppet/parameter.rb +19 -4
  15. data/lib/puppet/pops/evaluator/deferred_resolver.rb +46 -6
  16. data/lib/puppet/pops/functions/dispatcher.rb +10 -6
  17. data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb +7 -6
  18. data/lib/puppet/pops/types/type_mismatch_describer.rb +22 -1
  19. data/lib/puppet/provider/package/puppetserver_gem.rb +7 -16
  20. data/lib/puppet/provider/package/yum.rb +8 -3
  21. data/lib/puppet/provider/user/directoryservice.rb +15 -8
  22. data/lib/puppet/ssl/ssl_provider.rb +75 -19
  23. data/lib/puppet/ssl/state_machine.rb +13 -17
  24. data/lib/puppet/transaction.rb +22 -0
  25. data/lib/puppet/type/exec.rb +1 -1
  26. data/lib/puppet/type/user.rb +3 -0
  27. data/lib/puppet/type.rb +20 -3
  28. data/lib/puppet/util/monkey_patches.rb +0 -2
  29. data/lib/puppet/util.rb +1 -0
  30. data/lib/puppet/version.rb +1 -1
  31. data/lib/puppet.rb +1 -14
  32. data/man/man5/puppet.conf.5 +11 -3
  33. data/man/man8/puppet-agent.8 +2 -2
  34. data/man/man8/puppet-apply.8 +1 -1
  35. data/man/man8/puppet-catalog.8 +1 -1
  36. data/man/man8/puppet-config.8 +1 -1
  37. data/man/man8/puppet-describe.8 +1 -1
  38. data/man/man8/puppet-device.8 +1 -1
  39. data/man/man8/puppet-doc.8 +1 -1
  40. data/man/man8/puppet-epp.8 +1 -1
  41. data/man/man8/puppet-facts.8 +1 -1
  42. data/man/man8/puppet-filebucket.8 +1 -1
  43. data/man/man8/puppet-generate.8 +1 -1
  44. data/man/man8/puppet-help.8 +1 -1
  45. data/man/man8/puppet-lookup.8 +1 -1
  46. data/man/man8/puppet-module.8 +1 -1
  47. data/man/man8/puppet-node.8 +1 -1
  48. data/man/man8/puppet-parser.8 +1 -1
  49. data/man/man8/puppet-plugin.8 +1 -1
  50. data/man/man8/puppet-report.8 +1 -1
  51. data/man/man8/puppet-resource.8 +1 -1
  52. data/man/man8/puppet-script.8 +1 -1
  53. data/man/man8/puppet-ssl.8 +1 -1
  54. data/man/man8/puppet.8 +2 -2
  55. data/spec/integration/application/agent_spec.rb +157 -0
  56. data/spec/integration/application/apply_spec.rb +74 -0
  57. data/spec/integration/application/lookup_spec.rb +64 -59
  58. data/spec/integration/application/resource_spec.rb +6 -2
  59. data/spec/integration/http/client_spec.rb +51 -4
  60. data/spec/lib/puppet_spec/https.rb +1 -1
  61. data/spec/lib/puppet_spec/puppetserver.rb +39 -2
  62. data/spec/unit/agent_spec.rb +6 -2
  63. data/spec/unit/application/agent_spec.rb +26 -16
  64. data/spec/unit/configurer_spec.rb +34 -3
  65. data/spec/unit/confiner_spec.rb +6 -6
  66. data/spec/unit/daemon_spec.rb +2 -11
  67. data/spec/unit/http/client_spec.rb +18 -0
  68. data/spec/unit/pops/evaluator/deferred_resolver_spec.rb +26 -0
  69. data/spec/unit/pops/loaders/loaders_spec.rb +1 -1
  70. data/spec/unit/pops/types/type_mismatch_describer_spec.rb +167 -1
  71. data/spec/unit/provider/package/puppetserver_gem_spec.rb +2 -2
  72. data/spec/unit/provider/user/directoryservice_spec.rb +1 -1
  73. data/spec/unit/ssl/ssl_provider_spec.rb +75 -1
  74. data/spec/unit/ssl/state_machine_spec.rb +1 -0
  75. data/spec/unit/util/windows_spec.rb +23 -0
  76. data/tasks/generate_cert_fixtures.rake +5 -4
  77. metadata +5 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 50982abf959037fcf083b4dc0fc198092f5124189bcbdbf0b3eb689eed6337c2
4
- data.tar.gz: 402ea46ece628a86c88351d7c93e739456a584bb95a21e2e5a4790616d724ad8
3
+ metadata.gz: 48a2b8760b0d3a6222551f94e700314fe9c5a3e1071d1c1c45022a1d77f19940
4
+ data.tar.gz: 7705591fc0fd2ed3559c29d7d90f803a6730ac835207e919e92195145aae0a8c
5
5
  SHA512:
6
- metadata.gz: 7c01f2da955854fcd779ee57814512c1c7e7e59becaaa1a0d1f305ce0e7b344b8787e7009290444c8b96855aaad4029276ebbaec74fcf269f558de67d40cf385
7
- data.tar.gz: 06add9d22b8a646a50caf987611b1a4b366477619c2681634cc21a38de36e540d8455993c572fd5f20616771361b7bad0b847bbbcd8cac28bc02a8de916ce81c
6
+ metadata.gz: 5ba09184d443d86b0007acbe47fff9dd2f42a08d7f56c5c69bde63120e114ed80e0c7c8ff7465d28b54ef76282badb02e2e70bfb40ff797a222af31e1aca8d18
7
+ data.tar.gz: cef70451f5c9c09e871807b61c04d4d38270878b13bbdebb107391f6c98cc87f77d789b81fb2399358c64e86f5d1764ee8b41fab004ee5465e3f6bdc17dc46b1
data/CODEOWNERS CHANGED
@@ -1,5 +1,5 @@
1
1
  # defaults
2
- * @puppetlabs/phoenix @puppetlabs/puppetserver-maintainers @puppetlabs/night-s-watch
2
+ * @puppetlabs/phoenix @puppetlabs/puppetserver-maintainers
3
3
 
4
4
  # PAL
5
5
  /lib/puppet/pal @puppetlabs/bolt
data/Gemfile.lock CHANGED
@@ -1,19 +1,21 @@
1
1
  GIT
2
2
  remote: https://github.com/puppetlabs/packaging
3
- revision: 9d36e41d10ce14c66d9c3c35157788e63c1afef8
3
+ revision: b791353d4f81dbb1df5ce3d79e95bd008b47beb6
4
4
  branch: 1.0.x
5
5
  specs:
6
- packaging (0.105.0)
6
+ packaging (0.106.3.6.gb791353)
7
7
  apt_stage_artifacts
8
- artifactory (~> 2)
8
+ artifactory (~> 3)
9
9
  csv (= 3.1.5)
10
+ google-cloud-storage
11
+ googleauth
10
12
  rake (>= 12.3)
11
13
  release-metrics
12
14
 
13
15
  PATH
14
16
  remote: .
15
17
  specs:
16
- puppet (7.14.0)
18
+ puppet (7.17.0)
17
19
  CFPropertyList (~> 2.2)
18
20
  concurrent-ruby (~> 1.0)
19
21
  deep_merge (~> 1.0)
@@ -33,19 +35,26 @@ GEM
33
35
  public_suffix (>= 2.0.2, < 5.0)
34
36
  apt_stage_artifacts (0.10.1)
35
37
  docopt
36
- artifactory (2.8.2)
38
+ artifactory (3.0.15)
37
39
  ast (2.4.2)
38
40
  coderay (1.1.3)
39
- concurrent-ruby (1.1.9)
41
+ concurrent-ruby (1.1.10)
40
42
  crack (0.4.5)
41
43
  rexml
42
44
  csv (3.1.5)
45
+ declarative (0.0.20)
43
46
  deep_merge (1.2.2)
44
47
  diff-lcs (1.5.0)
48
+ digest-crc (0.6.4)
49
+ rake (>= 12.0.0, < 14.0.0)
45
50
  docopt (0.6.1)
46
- facter (4.2.7)
51
+ facter (4.2.9)
47
52
  hocon (~> 1.3)
48
53
  thor (>= 1.0.1, < 2.0)
54
+ faraday (2.3.0)
55
+ faraday-net_http (~> 2.0)
56
+ ruby2_keywords (>= 0.0.4)
57
+ faraday-net_http (2.0.3)
49
58
  fast_gettext (1.1.2)
50
59
  ffi (1.15.5)
51
60
  gettext (3.2.9)
@@ -55,35 +64,74 @@ GEM
55
64
  fast_gettext (~> 1.1.0)
56
65
  gettext (>= 3.0.2, < 3.3.0)
57
66
  locale
67
+ google-apis-core (0.5.0)
68
+ addressable (~> 2.5, >= 2.5.1)
69
+ googleauth (>= 0.16.2, < 2.a)
70
+ httpclient (>= 2.8.1, < 3.a)
71
+ mini_mime (~> 1.0)
72
+ representable (~> 3.0)
73
+ retriable (>= 2.0, < 4.a)
74
+ rexml
75
+ webrick
76
+ google-apis-iamcredentials_v1 (0.10.0)
77
+ google-apis-core (>= 0.4, < 2.a)
78
+ google-apis-storage_v1 (0.14.0)
79
+ google-apis-core (>= 0.4, < 2.a)
80
+ google-cloud-core (1.6.0)
81
+ google-cloud-env (~> 1.0)
82
+ google-cloud-errors (~> 1.0)
83
+ google-cloud-env (1.6.0)
84
+ faraday (>= 0.17.3, < 3.0)
85
+ google-cloud-errors (1.2.0)
86
+ google-cloud-storage (1.36.2)
87
+ addressable (~> 2.8)
88
+ digest-crc (~> 0.4)
89
+ google-apis-iamcredentials_v1 (~> 0.1)
90
+ google-apis-storage_v1 (~> 0.1)
91
+ google-cloud-core (~> 1.6)
92
+ googleauth (>= 0.16.2, < 2.a)
93
+ mini_mime (~> 1.0)
94
+ googleauth (1.1.3)
95
+ faraday (>= 0.17.3, < 3.a)
96
+ jwt (>= 1.4, < 3.0)
97
+ memoist (~> 0.16)
98
+ multi_json (~> 1.11)
99
+ os (>= 0.9, < 2.0)
100
+ signet (>= 0.16, < 2.a)
58
101
  hashdiff (1.0.1)
59
- hiera (3.8.0)
60
- hiera-eyaml (3.2.2)
102
+ hiera (3.9.0)
103
+ hiera-eyaml (3.3.0)
61
104
  highline
62
105
  optimist
63
106
  highline (2.0.3)
64
107
  hocon (1.3.1)
65
108
  hpricot (0.8.6)
109
+ httpclient (2.8.3)
66
110
  json-schema (2.8.1)
67
111
  addressable (>= 2.4)
112
+ jwt (2.3.0)
68
113
  locale (2.1.3)
114
+ memoist (0.16.2)
69
115
  memory_profiler (1.0.0)
70
116
  method_source (1.0.0)
117
+ mini_mime (1.1.2)
71
118
  minitar (0.9)
72
- msgpack (1.4.2)
119
+ msgpack (1.5.1)
73
120
  multi_json (1.15.0)
74
121
  mustache (1.1.1)
75
122
  optimist (3.0.1)
76
- parallel (1.21.0)
123
+ os (1.1.4)
124
+ parallel (1.22.1)
77
125
  parser (2.7.2.0)
78
126
  ast (~> 2.4.1)
79
127
  powerpack (0.1.3)
80
128
  pry (0.14.1)
81
129
  coderay (~> 1.1)
82
130
  method_source (~> 1.0)
83
- public_suffix (4.0.6)
131
+ public_suffix (4.0.7)
84
132
  puppet-resource_api (1.8.14)
85
133
  hocon (>= 1.0)
86
- puppetserver-ca (2.3.5)
134
+ puppetserver-ca (2.3.6)
87
135
  facter (>= 2.0.1, < 5)
88
136
  racc (1.5.2)
89
137
  rainbow (2.2.2)
@@ -94,27 +142,32 @@ GEM
94
142
  release-metrics (1.1.0)
95
143
  csv
96
144
  docopt
145
+ representable (3.2.0)
146
+ declarative (< 0.1.0)
147
+ trailblazer-option (>= 0.1.1, < 0.2.0)
148
+ uber (< 0.2.0)
149
+ retriable (3.1.2)
97
150
  rexml (3.2.5)
98
151
  ronn (0.7.3)
99
152
  hpricot (>= 0.8.2)
100
153
  mustache (>= 0.7.0)
101
154
  rdiscount (>= 1.5.8)
102
- rspec (3.10.0)
103
- rspec-core (~> 3.10.0)
104
- rspec-expectations (~> 3.10.0)
105
- rspec-mocks (~> 3.10.0)
106
- rspec-core (3.10.1)
107
- rspec-support (~> 3.10.0)
108
- rspec-expectations (3.10.2)
155
+ rspec (3.11.0)
156
+ rspec-core (~> 3.11.0)
157
+ rspec-expectations (~> 3.11.0)
158
+ rspec-mocks (~> 3.11.0)
159
+ rspec-core (3.11.0)
160
+ rspec-support (~> 3.11.0)
161
+ rspec-expectations (3.11.0)
109
162
  diff-lcs (>= 1.2.0, < 2.0)
110
- rspec-support (~> 3.10.0)
163
+ rspec-support (~> 3.11.0)
111
164
  rspec-its (1.3.0)
112
165
  rspec-core (>= 3.0.0)
113
166
  rspec-expectations (>= 3.0.0)
114
- rspec-mocks (3.10.2)
167
+ rspec-mocks (3.11.1)
115
168
  diff-lcs (>= 1.2.0, < 2.0)
116
- rspec-support (~> 3.10.0)
117
- rspec-support (3.10.3)
169
+ rspec-support (~> 3.11.0)
170
+ rspec-support (3.11.0)
118
171
  rubocop (0.49.1)
119
172
  parallel (~> 1.10)
120
173
  parser (>= 2.3.3.1, < 3.0)
@@ -126,10 +179,18 @@ GEM
126
179
  rubocop (~> 0.49.0)
127
180
  ruby-prof (1.4.3)
128
181
  ruby-progressbar (1.11.0)
182
+ ruby2_keywords (0.0.5)
129
183
  scanf (1.0.0)
130
184
  semantic_puppet (1.0.4)
185
+ signet (0.16.1)
186
+ addressable (~> 2.8)
187
+ faraday (>= 0.17.5, < 3.0)
188
+ jwt (>= 1.5, < 3.0)
189
+ multi_json (~> 1.10)
131
190
  text (1.3.1)
132
191
  thor (1.2.1)
192
+ trailblazer-option (0.1.2)
193
+ uber (0.1.0)
133
194
  unicode-display_width (1.8.0)
134
195
  vcr (5.1.0)
135
196
  webmock (3.14.0)
@@ -174,4 +235,4 @@ DEPENDENCIES
174
235
  yard
175
236
 
176
237
  BUNDLED WITH
177
- 2.2.6
238
+ 2.3.10
@@ -11,7 +11,7 @@
11
11
  [Unit]
12
12
  Description=Puppet agent
13
13
  Wants=basic.target
14
- After=basic.target network.target
14
+ After=basic.target network.target network-online.target
15
15
 
16
16
  [Service]
17
17
  EnvironmentFile=-/etc/sysconfig/puppetagent
data/lib/puppet/agent.rb CHANGED
@@ -45,11 +45,19 @@ class Puppet::Agent
45
45
  result = nil
46
46
  wait_for_lock_deadline = nil
47
47
  block_run = Puppet::Application.controlled_run do
48
- splay client_options.fetch :splay, Puppet[:splay]
48
+ # splay may sleep for awhile!
49
+ splay(client_options.fetch(:splay, Puppet[:splay]))
50
+
51
+ # waiting for certs may sleep for awhile depending on onetime, waitforcert and maxwaitforcert!
52
+ # this needs to happen before forking so that if we fail to obtain certs and try to exit, then
53
+ # we exit the main process and not the forked child.
54
+ ssl_context = wait_for_certificates(client_options)
55
+
49
56
  result = run_in_fork(should_fork) do
50
57
  with_client(client_options[:transaction_uuid], client_options[:job_id]) do |client|
51
58
  client_args = client_options.merge(:pluginsync => Puppet::Configurer.should_pluginsync?)
52
59
  begin
60
+ # lock may sleep for awhile depending on waitforlock and maxwaitforlock!
53
61
  lock do
54
62
  # NOTE: Timeout is pretty heinous as the location in which it
55
63
  # throws an error is entirely unpredictable, which means that
@@ -57,7 +65,9 @@ class Puppet::Agent
57
65
  # sanity. The only thing a Puppet agent should do after this
58
66
  # error is thrown is die with as much dignity as possible.
59
67
  Timeout.timeout(Puppet[:runtimeout], RunTimeoutError) do
60
- client.run(client_args)
68
+ Puppet.override(ssl_context: ssl_context) do
69
+ client.run(client_args)
70
+ end
61
71
  end
62
72
  end
63
73
  rescue Puppet::LockError
@@ -84,6 +94,8 @@ class Puppet::Agent
84
94
  rescue StandardError => detail
85
95
  Puppet.log_exception(detail, _("Could not run %{client_class}: %{detail}") % { client_class: client_class, detail: detail })
86
96
  nil
97
+ ensure
98
+ Puppet.runtime[:http].close
87
99
  end
88
100
  end
89
101
  end
@@ -137,4 +149,10 @@ class Puppet::Agent
137
149
  ensure
138
150
  @client = nil
139
151
  end
152
+
153
+ def wait_for_certificates(options)
154
+ waitforcert = options[:waitforcert] || (Puppet[:onetime] ? 0 : Puppet[:waitforcert])
155
+ sm = Puppet::SSL::StateMachine.new(waitforcert: waitforcert, onetime: Puppet[:onetime])
156
+ sm.ensure_client_certificate
157
+ end
140
158
  end
@@ -158,7 +158,7 @@ applying the whole thing.
158
158
  '--fingerprint' is a one-time flag. In this mode 'puppet agent' runs
159
159
  once and displays on the console (and in the log) the current certificate
160
160
  (or certificate request) fingerprint. Providing the '--digest' option
161
- allows to use a different digest algorithm to generate the fingerprint.
161
+ allows you to use a different digest algorithm to generate the fingerprint.
162
162
  The main use is to verify that before signing a certificate request on
163
163
  the master, the certificate request the master received is the same as
164
164
  the one the client sent (to prevent against man-in-the-middle attacks
@@ -383,15 +383,11 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
383
383
 
384
384
  log_config if Puppet[:daemonize]
385
385
 
386
- # run ssl state machine, waiting if needed
387
- ssl_context = wait_for_certificates
388
-
389
386
  # Each application is responsible for pushing loaders onto the context.
390
387
  # Use the current environment that has already been established, though
391
388
  # it may change later during the configurer run.
392
389
  env = Puppet.lookup(:current_environment)
393
- Puppet.override(ssl_context: ssl_context,
394
- current_environment: env,
390
+ Puppet.override(current_environment: env,
395
391
  loaders: Puppet::Pops::Loaders.new(env, true)) do
396
392
  if Puppet[:onetime]
397
393
  onetime(daemon)
@@ -434,7 +430,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
434
430
 
435
431
  def onetime(daemon)
436
432
  begin
437
- exitstatus = daemon.agent.run({:job_id => options[:job_id], :start_time => options[:start_time]})
433
+ exitstatus = daemon.agent.run({:job_id => options[:job_id], :start_time => options[:start_time], :waitforcert => options[:waitforcert]})
438
434
  rescue => detail
439
435
  Puppet.log_exception(detail)
440
436
  end
@@ -524,10 +520,4 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
524
520
 
525
521
  daemon
526
522
  end
527
-
528
- def wait_for_certificates
529
- waitforcert = options[:waitforcert] || (Puppet[:onetime] ? 0 : Puppet[:waitforcert])
530
- sm = Puppet::SSL::StateMachine.new(waitforcert: waitforcert)
531
- sm.ensure_client_certificate
532
- end
533
523
  end
@@ -241,7 +241,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
241
241
  end
242
242
 
243
243
  # Resolve all deferred values and replace them / mutate the catalog
244
- Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, apply_environment)
244
+ Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, apply_environment, Puppet[:preprocess_deferred])
245
245
 
246
246
  # Translate it to a RAL catalog
247
247
  catalog = catalog.to_ral
@@ -350,7 +350,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
350
350
  raise Puppet::Error, _("Could not deserialize catalog from %{format}: %{detail}") % { format: format, detail: detail }, detail.backtrace
351
351
  end
352
352
  # Resolve all deferred values and replace them / mutate the catalog
353
- Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, configured_environment)
353
+ Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, configured_environment, Puppet[:preprocess_deferred])
354
354
 
355
355
  catalog.to_ral
356
356
  end
@@ -373,38 +373,34 @@ Copyright (c) 2015 Puppet Inc., LLC Licensed under the Apache 2.0 License
373
373
  end
374
374
 
375
375
  unless node.is_a?(Puppet::Node) # to allow unit tests to pass a node instance
376
- facts = retrieve_node_facts(node, given_facts)
377
- if Puppet.settings.set_by_cli?('environment')
378
- node = Puppet::Node.new(node, :classes => nil, :parameters => nil, :facts => facts, :environment => Puppet.settings.value('environment'))
379
- else
380
- ni = Puppet::Node.indirection
381
- tc = ni.terminus_class
382
- if options[:compile]
383
- if tc == :plain
384
- node = ni.find(node, facts: facts)
385
- else
386
- begin
387
- service = Puppet.runtime[:http]
388
- session = service.create_session
389
- cert = session.route_to(:ca)
390
-
391
- _, x509 = cert.get_certificate(node)
392
- cert = OpenSSL::X509::Certificate.new(x509)
393
- Puppet::SSL::Oids.register_puppet_oids
394
- trusted = Puppet::Context::TrustedInformation.remote(true, facts.values['certname'] || node, Puppet::SSL::Certificate.from_instance(cert))
395
- Puppet.override(trusted_information: trusted) do
396
- node = ni.find(node, facts: facts)
397
- end
398
- rescue
399
- Puppet.warning _("CA is not available, the operation will continue without using trusted facts.")
376
+ facts = retrieve_node_facts(node, given_facts)
377
+ ni = Puppet::Node.indirection
378
+ tc = ni.terminus_class
379
+ if options[:compile] && !Puppet.settings.set_by_cli?('environment')
380
+ if tc == :plain
381
+ node = ni.find(node, facts: facts)
382
+ else
383
+ begin
384
+ service = Puppet.runtime[:http]
385
+ session = service.create_session
386
+ cert = session.route_to(:ca)
387
+
388
+ _, x509 = cert.get_certificate(node)
389
+ cert = OpenSSL::X509::Certificate.new(x509)
390
+ Puppet::SSL::Oids.register_puppet_oids
391
+ trusted = Puppet::Context::TrustedInformation.remote(true, facts.values['certname'] || node, Puppet::SSL::Certificate.from_instance(cert))
392
+ Puppet.override(trusted_information: trusted) do
400
393
  node = ni.find(node, facts: facts)
401
394
  end
395
+ rescue
396
+ Puppet.warning _("CA is not available, the operation will continue without using trusted facts.")
397
+ node = ni.find(node, facts: facts)
402
398
  end
403
- else
404
- ni.terminus_class = :plain
405
- node = ni.find(node, facts: facts)
406
- ni.terminus_class = tc
407
399
  end
400
+ else
401
+ ni.terminus_class = :plain
402
+ node = ni.find(node, facts: facts, environment: Puppet[:environment])
403
+ ni.terminus_class = tc
408
404
  end
409
405
  else
410
406
  node.add_extra_facts(given_facts) if given_facts
@@ -112,7 +112,7 @@ class Puppet::Configurer
112
112
  catalog_conversion_time = thinmark do
113
113
  # Will mutate the result and replace all Deferred values with resolved values
114
114
  if facts
115
- Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, result, Puppet.lookup(:current_environment))
115
+ Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, result, Puppet.lookup(:current_environment), Puppet[:preprocess_deferred])
116
116
  end
117
117
 
118
118
  catalog = result.to_ral
@@ -418,7 +418,7 @@ class Puppet::Configurer
418
418
  temp_value = options[:pluginsync]
419
419
 
420
420
  # only validate server environment if pluginsync is requested
421
- options[:pluginsync] = valid_server_environment? if options[:pluginsync] == true
421
+ options[:pluginsync] = valid_server_environment? if options[:pluginsync]
422
422
 
423
423
  query_options, facts = get_facts(options) unless query_options
424
424
  options[:pluginsync] = temp_value
@@ -531,7 +531,11 @@ class Puppet::Configurer
531
531
  true
532
532
  rescue Puppet::HTTP::ResponseError => detail
533
533
  if detail.response.code == 404
534
- Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
534
+ if Puppet[:strict_environment_mode]
535
+ raise Puppet::Error.new(_("Environment '%{environment}' not found on server, aborting run.") % { environment: @environment })
536
+ else
537
+ Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
538
+ end
535
539
  else
536
540
  Puppet.log_exception(detail, detail.message)
537
541
  end
@@ -1534,7 +1534,7 @@ EOT
1534
1534
  :type => :file,
1535
1535
  :mode => "0640",
1536
1536
  :desc => "Transactional storage file for persisting data between
1537
- transactions for the purposes of infering information (such as
1537
+ transactions for the purposes of inferring information (such as
1538
1538
  corrective_change) on new data received."
1539
1539
  },
1540
1540
  :clientyamldir => {
@@ -1995,7 +1995,6 @@ EOT
1995
1995
  :hook => proc do |value|
1996
1996
  paths = value.split(File::PATH_SEPARATOR)
1997
1997
  facter = Puppet.runtime[:facter]
1998
- facter.reset
1999
1998
  facter.search(*paths)
2000
1999
  end
2001
2000
  }
@@ -2022,6 +2021,16 @@ EOT
2022
2021
  being evaluated. This allows you to interactively see exactly
2023
2022
  what is being done.",
2024
2023
  },
2024
+ :preprocess_deferred => {
2025
+ :default => true,
2026
+ :type => :boolean,
2027
+ :desc => "Whether puppet should call deferred functions before applying
2028
+ the catalog. If set to `true`, then all prerequisites needed for the
2029
+ deferred function must be satified prior to puppet running. If set to
2030
+ `false`, then deferred functions will follow puppet relationships and
2031
+ ordering. This allows puppet to install prerequisites needed for a
2032
+ deferred function and call the deferred function in the same run."
2033
+ },
2025
2034
  :summarize => {
2026
2035
  :default => false,
2027
2036
  :type => :boolean,
@@ -1,8 +1,25 @@
1
1
  # Makes iteration continue with the next value, optionally with a given value for this iteration.
2
2
  # If a value is not given it defaults to `undef`
3
+ #
4
+ # @example Using the `next()` function
3
5
  #
4
- # @since 4.7.0
6
+ # ```puppet
7
+ # $data = ['a','b','c']
8
+ # $data.each |Integer $index, String $value| {
9
+ # if $index == 1 {
10
+ # next()
11
+ # }
12
+ # notice ("${index} = ${value}")
13
+ # }
14
+ # ```
15
+ #
16
+ # Would notice:
17
+ # ```
18
+ # Notice: Scope(Class[main]): 0 = a
19
+ # Notice: Scope(Class[main]): 2 = c
20
+ # ```
5
21
  #
22
+ # @since 4.7.0
6
23
  Puppet::Functions.create_function(:next) do
7
24
  dispatch :next_impl do
8
25
  optional_param 'Any', :value
@@ -112,7 +112,6 @@
112
112
  # * `reverse_each` - get "leaves before root"
113
113
  # * `filter` - prune the tree
114
114
  # * `map` - transform each element
115
- # * `reduce` - produce something else
116
115
  #
117
116
  # Note than when chaining, the value passed on is a `Tuple` with `[path, value]`.
118
117
  #
@@ -19,7 +19,7 @@
19
19
  # response = client.get(URI("http://www.example.com"))
20
20
  #
21
21
  # @example To make an HTTPS GET request, trusting the puppet CA and certs in Puppet's CA bundle:
22
- # response = client.get(URI("https://www.example.com"), include_system_store: true)
22
+ # response = client.get(URI("https://www.example.com"), options: { include_system_store: true })
23
23
  #
24
24
  # @example To use a URL containing special characters, such as spaces:
25
25
  # response = client.get(URI(Puppet::Util.uri_encode("https://www.example.com/path to file")))
@@ -98,7 +98,7 @@ class Puppet::HTTP::Client
98
98
  # used if :include_system_store is set to true
99
99
  # @param [Integer] redirect_limit default number of HTTP redirections to allow
100
100
  # in a given request. Can also be specified per-request.
101
- # @param [Integer] retry_limit number of HTTP reties allowed in a given
101
+ # @param [Integer] retry_limit number of HTTP retries allowed in a given
102
102
  # request
103
103
  #
104
104
  def initialize(pool: Puppet::HTTP::Pool.new(Puppet[:http_keepalive_timeout]), ssl_context: nil, system_ssl_context: nil, redirect_limit: 10, retry_limit: 100)
@@ -300,6 +300,24 @@ class Puppet::HTTP::Client
300
300
  # @api public
301
301
  def close
302
302
  @pool.close
303
+ @default_ssl_context = nil
304
+ @default_system_ssl_context = nil
305
+ end
306
+
307
+ def default_ssl_context
308
+ cert = Puppet::X509::CertProvider.new
309
+ password = cert.load_private_key_password
310
+
311
+ ssl = Puppet::SSL::SSLProvider.new
312
+ ctx = ssl.load_context(certname: Puppet[:certname], password: password)
313
+ ssl.print(ctx)
314
+ ctx
315
+ rescue => e
316
+ # TRANSLATORS: `message` is an already translated string of why SSL failed to initialize
317
+ Puppet.log_exception(e, _("Failed to initialize SSL: %{message}") % { message: e.message })
318
+ # TRANSLATORS: `puppet agent -t` is a command and should not be translated
319
+ Puppet.err(_("Run `puppet agent -t`"))
320
+ raise e
303
321
  end
304
322
 
305
323
  protected
@@ -458,7 +476,9 @@ class Puppet::HTTP::Client
458
476
  cacerts = cert_provider.load_cacerts || []
459
477
 
460
478
  ssl = Puppet::SSL::SSLProvider.new
461
- @default_system_ssl_context = ssl.create_system_context(cacerts: cacerts)
479
+ @default_system_ssl_context = ssl.create_system_context(cacerts: cacerts, include_client_cert: true)
480
+ ssl.print(@default_system_ssl_context)
481
+ @default_system_ssl_context
462
482
  end
463
483
 
464
484
  def apply_auth(request, basic_auth)
@@ -177,15 +177,15 @@ class Puppet::Parameter
177
177
  end
178
178
 
179
179
  # @overload unmunge {|| ... }
180
- # Defines an optional method used to convert the parameter value to DSL/string form from an internal form.
180
+ # Defines an optional method used to convert the parameter value from internal form to DSL/string form.
181
181
  # If an `unmunge` method is not defined, the internal form is used.
182
182
  # @see munge
183
- # @note This adds a method with the name `unmunge` in the created parameter class.
183
+ # @note This adds a method with the name `unsafe_unmunge` in the created parameter class.
184
184
  # @dsl type
185
185
  # @api public
186
186
  #
187
187
  def unmunge(&block)
188
- define_method(:unmunge, &block)
188
+ define_method(:unsafe_unmunge, &block)
189
189
  end
190
190
 
191
191
  # Sets a marker indicating that this parameter is the _namevar_ (unique identifier) of the type
@@ -415,10 +415,21 @@ class Puppet::Parameter
415
415
  # @return [Object] the unmunged value
416
416
  #
417
417
  def unmunge(value)
418
+ return value if value.is_a?(Puppet::Pops::Evaluator::DeferredValue)
419
+
420
+ unsafe_unmunge(value)
421
+ end
422
+
423
+ # This is the default implementation of `unmunge` that simply produces the value (if it is valid).
424
+ # The DSL method {unmunge} should be used to define an overriding method if unmunging is required.
425
+ #
426
+ # @api private
427
+ #
428
+ def unsafe_unmunge(value)
418
429
  value
419
430
  end
420
431
 
421
- # Munges the value to internal form.
432
+ # Munges the value from DSL form to internal form.
422
433
  # This implementation of `munge` provides exception handling around the specified munging of this parameter.
423
434
  # @note This method should not be overridden. Use the DSL method {munge} to define a munging method
424
435
  # if required.
@@ -426,6 +437,8 @@ class Puppet::Parameter
426
437
  # @return [Object] the munged (internal) value
427
438
  #
428
439
  def munge(value)
440
+ return value if value.is_a?(Puppet::Pops::Evaluator::DeferredValue)
441
+
429
442
  begin
430
443
  ret = unsafe_munge(value)
431
444
  rescue Puppet::Error => detail
@@ -459,6 +472,8 @@ class Puppet::Parameter
459
472
  # @api public
460
473
  #
461
474
  def validate(value)
475
+ return if value.is_a?(Puppet::Pops::Evaluator::DeferredValue)
476
+
462
477
  begin
463
478
  unsafe_validate(value)
464
479
  rescue ArgumentError => detail