puppet 7.16.0-universal-darwin → 7.19.0-universal-darwin

data/lib/puppet/pops/evaluator/deferred_resolver.rb

@@ -3,6 +3,16 @@ require_relative '../../../puppet/parser/script_compiler'
 module Puppet::Pops
 module Evaluator
 
+class DeferredValue
+  def initialize(proc)
+    @proc = proc
+  end
+
+  def resolve
+    @proc.call
+  end
+end
+
 # Utility class to help resolve instances of Puppet::Pops::Types::PDeferredType::Deferred
 #
 class DeferredResolver
@@ -20,9 +30,9 @@ class DeferredResolver
   #  are to be mixed into the scope
   # @return [nil] does not return anything - the catalog is modified as a side effect
   #
-  def self.resolve_and_replace(facts, catalog, environment = catalog.environment_instance)
-    compiler = Puppet::Parser::ScriptCompiler.new(environment, catalog.name, true)
-    resolver = new(compiler)
+  def self.resolve_and_replace(facts, catalog, environment = catalog.environment_instance, preprocess_deferred = true)
+    compiler = Puppet::Parser::ScriptCompiler.new(environment, catalog.name, preprocess_deferred)
+    resolver = new(compiler, preprocess_deferred)
     resolver.set_facts_variable(facts)
     # TODO:
     #    # When scripting the trusted data are always local, but set them anyway
@@ -53,11 +63,12 @@ class DeferredResolver
     resolver.resolve(value)
   end
 
-  def initialize(compiler)
+  def initialize(compiler, preprocess_deferred = true)
     @compiler = compiler
     # Always resolve in top scope
     @scope = @compiler.topscope
     @deferred_class = Puppet::Pops::Types::TypeFactory.deferred.implementation_class
+    @preprocess_deferred = preprocess_deferred
   end
 
   # @param facts [Puppet::Node::Facts] the facts to set in $facts in the compiler's topscope
@@ -106,6 +117,24 @@ class DeferredResolver
     end
   end
 
+  def resolve_lazy_args(x)
+    if x.is_a?(DeferredValue)
+      x.resolve
+    elsif x.is_a?(Array)
+      x.map {|v| resolve_lazy_args(v) }
+    elsif x.is_a?(Hash)
+      result = {}
+      x.each_pair {|k,v| result[k] = resolve_lazy_args(v) }
+      result
+    elsif x.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      # rewrap in a new Sensitive after resolving any nested deferred values
+      Puppet::Pops::Types::PSensitiveType::Sensitive.new(resolve_lazy_args(x.unwrap))
+    else
+      x
+    end
+  end
+  private :resolve_lazy_args
+
   def resolve_future(f)
     # If any of the arguments to a future is a future it needs to be resolved first
     func_name = f.name
@@ -117,8 +146,19 @@ class DeferredResolver
       mapped_arguments.insert(0, @scope[var_name])
     end
 
-    # call the function (name in deferred, or 'dig' for a variable)
-    @scope.call_function(func_name, mapped_arguments)
+    if @preprocess_deferred
+      # call the function (name in deferred, or 'dig' for a variable)
+      @scope.call_function(func_name, mapped_arguments)
+    else
+      # call the function later
+      DeferredValue.new(
+        Proc.new {
+          # deferred functions can have nested deferred arguments
+          resolved_arguments = mapped_arguments.map { |arg| resolve_lazy_args(arg) }
+          @scope.call_function(func_name, resolved_arguments)
+        }
+      )
+    end
   end
 
   def map_arguments(args)

data/lib/puppet/pops/functions/dispatcher.rb

@@ -19,6 +19,10 @@ class Puppet::Pops::Functions::Dispatcher
     @dispatchers.empty?
   end
 
+  def find_matching_dispatcher(args, &block)
+    @dispatchers.find { |d| d.type.callable_with?(args, block) }
+  end
+
   # Dispatches the call to the first found signature (entry with matching type).
   #
   # @param instance [Puppet::Functions::Function] - the function to call
@@ -28,19 +32,19 @@ class Puppet::Pops::Functions::Dispatcher
   #
   # @api private
   def dispatch(instance, calling_scope, args, &block)
-    found = @dispatchers.find { |d| d.type.callable_with?(args, block) }
-    unless found
+
+    dispatcher = find_matching_dispatcher(args, &block)
+    unless dispatcher
       args_type = Puppet::Pops::Types::TypeCalculator.singleton.infer_set(block_given? ? args + [block] : args)
       raise ArgumentError, Puppet::Pops::Types::TypeMismatchDescriber.describe_signatures(instance.class.name, signatures, args_type)
     end
-
-    if found.argument_mismatch_handler?
-      msg = found.invoke(instance, calling_scope, args)
+    if dispatcher.argument_mismatch_handler?
+      msg = dispatcher.invoke(instance, calling_scope, args)
       raise ArgumentError, "'#{instance.class.name}' #{msg}"
     end
 
     catch(:next) do
-      found.invoke(instance, calling_scope, args, &block)
+      dispatcher.invoke(instance, calling_scope, args, &block)
     end
   end
 

data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb

@@ -18,7 +18,7 @@ class Puppet::Pops::Loader::RubyLegacyFunctionInstantiator
   def self.create(loader, typed_name, source_ref, ruby_code_string)
     # Assert content of 3x function by parsing
     assertion_result = []
-    if assert_code(ruby_code_string, assertion_result)
+    if assert_code(ruby_code_string, source_ref, assertion_result)
       unless ruby_code_string.is_a?(String) && assertion_result.include?(:found_newfunction)
         raise ArgumentError, _("The code loaded from %{source_ref} does not seem to be a Puppet 3x API function - no 'newfunction' call.") % { source_ref: source_ref }
       end
@@ -69,15 +69,15 @@ class Puppet::Pops::Loader::RubyLegacyFunctionInstantiator
   end
   private_class_method :get_binding
 
-  def self.assert_code(code_string, result)
+  def self.assert_code(code_string, source_ref, result)
     ripped = Ripper.sexp(code_string)
     return false if ripped.nil?  # Let the next real parse crash and tell where and what is wrong
-    ripped.each {|x| walk(x, result) }
+    ripped.each {|x| walk(x, source_ref, result) }
     true
   end
   private_class_method :assert_code
 
-  def self.walk(x, result)
+  def self.walk(x, source_ref, result)
     return unless x.is_a?(Array)
     first = x[0]
     case first
@@ -89,13 +89,14 @@ class Puppet::Pops::Loader::RubyLegacyFunctionInstantiator
     when :def, :defs
       # There should not be any calls to def in a 3x function
       mname, mline = extract_name_line(find_identity(x))
-      raise SecurityError, _("Illegal method definition of method '%{method_name}' on line %{line} in legacy function. See %{url} for more information") % { 
+      raise SecurityError, _("Illegal method definition of method '%{method_name}' in source %{source_ref} on line %{line} in legacy function. See %{url} for more information") % {
         method_name: mname,
+        source_ref: source_ref,
         line: mline,
         url: "https://puppet.com/docs/puppet/latest/functions_refactor_legacy.html"
       }
     end
-    x.each {|v| walk(v, result) }
+    x.each {|v| walk(v, source_ref, result) }
   end
   private_class_method :walk
 

data/lib/puppet/pops/types/type_mismatch_describer.rb

@@ -581,6 +581,15 @@ module Types
       end
     end
 
+    def get_deferred_function_return_type(value)
+      func = Puppet.lookup(:loaders).private_environment_loader.
+               load(:function, value.name)
+      dispatcher = func.class.dispatcher.find_matching_dispatcher(value.arguments)
+      raise ArgumentError, "No matching arity found for #{func.class.name} with arguments #{value.arguments}" unless dispatcher
+      dispatcher.type.return_type
+    end
+    private :get_deferred_function_return_type
+
     # Validates that all entries in the _param_hash_ exists in the given param_struct, that their type conforms
     # with the corresponding param_struct element and that all required values are provided.
     # An error message is created for each problem found.
@@ -598,7 +607,19 @@ module Types
         value = param_hash[name]
         value_type = elem.value_type
         if param_hash.include?(name)
-          result << describe(value_type, TypeCalculator.singleton.infer_set(value), [ParameterPathElement.new(name)]) unless value_type.instance?(value)
+          if Puppet::Pops::Types::TypeFactory.deferred.implementation_class == value.class
+            if (df_return_type = get_deferred_function_return_type(value))
+              result << describe(value_type, df_return_type, [ParameterPathElement.new(name)]) unless value_type.generalize.assignable?(df_return_type.generalize)
+            else
+              warning_text = _("Deferred function %{function_name} has no return_type, unable to guarantee value type during compilation.") %
+                             {function_name: value.name }
+              Puppet.warn_once('deprecations',
+                               "#{value.name}_deferred_warning",
+                               warning_text)
+            end
+          else
+            result << describe(value_type, TypeCalculator.singleton.infer_set(value), [ParameterPathElement.new(name)]) unless value_type.instance?(value)
+          end
         else
           result << MissingParameter.new(nil, name) unless missing_ok || elem.key_type.is_a?(POptionalType)
         end

data/lib/puppet/provider/package/puppetserver_gem.rb

@@ -53,7 +53,7 @@ Puppet::Type.type(:package).provide :puppetserver_gem, :parent => :gem do
     end
 
     if options[:local]
-      list = execute_rubygems_list_command(gem_regex)
+      list = execute_rubygems_list_command(command_options)
     else
       begin
         list = puppetservercmd(command_options)
@@ -137,7 +137,7 @@ Puppet::Type.type(:package).provide :puppetserver_gem, :parent => :gem do
   # for example: json (1.8.3 java)
   # but java platform gems should not be managed by this (or any) provider.
 
-  def self.execute_rubygems_list_command(gem_regex)
+  def self.execute_rubygems_list_command(command_options)
     puppetserver_default_gem_home            = '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
     puppetserver_default_vendored_jruby_gems = '/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems'
     puppet_default_vendor_gems               = '/opt/puppetlabs/puppet/lib/ruby/vendor_gems'
@@ -157,24 +157,15 @@ Puppet::Type.type(:package).provide :puppetserver_gem, :parent => :gem do
       gem_env['GEM_PATH'] = puppetserver_conf['jruby-puppet'].key?('gem-path') ? puppetserver_conf['jruby-puppet']['gem-path'].join(':') : puppetserver_default_gem_path
     end
     gem_env['GEM_SPEC_CACHE'] = "/tmp/#{$$}"
-    Gem.paths = gem_env
-
-    sio_inn = StringIO.new
-    sio_out = StringIO.new
-    sio_err = StringIO.new
-    stream_ui = Gem::StreamUI.new(sio_inn, sio_out, sio_err, false)
-    gem_list_cmd = Gem::Commands::ListCommand.new
-    gem_list_cmd.options[:domain] = :local
-    gem_list_cmd.options[:args] = [gem_regex] if gem_regex
-    gem_list_cmd.ui = stream_ui
-    gem_list_cmd.execute
+
+    # Remove the 'gem' from the command_options
+    command_options.shift
+    gem_out = execute_gem_command(Puppet::Type::Package::ProviderPuppet_gem.provider_command, command_options, gem_env)
 
     # There is no method exclude default gems from the local gem list,
     # for example: psych (default: 2.2.2)
     # but default gems should not be managed by this (or any) provider.
-    gem_list = sio_out.string.lines.reject { |gem| gem =~ / \(default\: / }
+    gem_list = gem_out.lines.reject { |gem| gem =~ / \(default\: / }
     gem_list.join("\n")
-  ensure
-    Gem.clear_paths
   end
 end

data/lib/puppet/provider/package/yum.rb

@@ -204,7 +204,7 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
         return should
       end
       versions = []
-      available_versions(@resource[:name]).each do |version|
+      available_versions(@resource[:name], disablerepo, enablerepo, disableexcludes).each do |version|
         begin
           rpm_version = RPM_VERSION.parse(version)
           versions << rpm_version if should_range.include?(rpm_version)
@@ -225,8 +225,13 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
     end
   end
 
-  def available_versions(package_name)
-    output = execute("yum list #{package_name} --showduplicates | sed -e '1,/Available Packages/ d' | awk '{print $2}'")
+  def available_versions(package_name, disablerepo, enablerepo, disableexcludes)
+    args = [command(:cmd), 'list', package_name, '--showduplicates']
+    args.concat(disablerepo.map { |repo| ["--disablerepo=#{repo}"] }.flatten)
+    args.concat(enablerepo.map { |repo| ["--enablerepo=#{repo}"] }.flatten)
+    args.concat(disableexcludes.map { |repo| ["--disableexcludes=#{repo}"] }.flatten)
+
+    output = execute("#{args.compact.join(' ')} | sed -e '1,/Available Packages/ d' | awk '{print $2}'")
     output.split("\n")
   end
 

data/lib/puppet/provider/user/directoryservice.rb

@@ -147,9 +147,9 @@ Puppet::Type.type(:user).provide :directoryservice do
     else
       embedded_binary_plist = get_embedded_binary_plist(attribute_hash[:shadowhashdata])
       if embedded_binary_plist['SALTED-SHA512-PBKDF2']
-        attribute_hash[:password]   = get_salted_sha512_pbkdf2('entropy', embedded_binary_plist)
-        attribute_hash[:salt]       = get_salted_sha512_pbkdf2('salt', embedded_binary_plist)
-        attribute_hash[:iterations] = get_salted_sha512_pbkdf2('iterations', embedded_binary_plist)
+        attribute_hash[:password]   = get_salted_sha512_pbkdf2('entropy', embedded_binary_plist, attribute_hash[:name])
+        attribute_hash[:salt]       = get_salted_sha512_pbkdf2('salt', embedded_binary_plist, attribute_hash[:name])
+        attribute_hash[:iterations] = get_salted_sha512_pbkdf2('iterations', embedded_binary_plist, attribute_hash[:name])
       elsif embedded_binary_plist['SALTED-SHA512']
         attribute_hash[:password] = get_salted_sha512(embedded_binary_plist)
       end
@@ -205,16 +205,18 @@ Puppet::Type.type(:user).provide :directoryservice do
   # according to which field is passed.  Arguments passed are the hash
   # containing the value read from the 'ShadowHashData' key in the User's
   # plist, and the field to be read (one of 'entropy', 'salt', or 'iterations')
-  def self.get_salted_sha512_pbkdf2(field, embedded_binary_plist)
+  def self.get_salted_sha512_pbkdf2(field, embedded_binary_plist, user_name = "")
     case field
     when 'salt', 'entropy'
-      embedded_binary_plist['SALTED-SHA512-PBKDF2'][field].unpack('H*').first
+      value = embedded_binary_plist['SALTED-SHA512-PBKDF2'][field]
+      if value == nil
+        raise Puppet::Error, "Invalid #{field} given for user #{user_name}"
+      end
+      value.unpack('H*').first
     when 'iterations'
       Integer(embedded_binary_plist['SALTED-SHA512-PBKDF2'][field])
     else
-      raise Puppet::Error, 'Puppet has tried to read an incorrect value from the ' +
-           "SALTED-SHA512-PBKDF2 hash. Acceptable fields are 'salt', " +
-           "'entropy', or 'iterations'."
+      raise Puppet::Error, "Puppet has tried to read an incorrect value from the user #{user_name} in the SALTED-SHA512-PBKDF2 hash. Acceptable fields are 'salt', 'entropy', or 'iterations'."
     end
   end
 
@@ -401,6 +403,11 @@ Puppet::Type.type(:user).provide :directoryservice do
   # we have to treat the ds cache just like you would in the password=
   # method.
   def salt=(value)
+    if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.15') >= 0)
+      if value.length != 64
+        self.fail "macOS versions 10.15 and higher require the salt to be 32-bytes. Since Puppet's user resource requires the value to be hex encoded, the length of the salt's string must be 64. Please check your salt and try again."
+      end
+    end
     if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.7') > 0)
       assert_full_pbkdf2_password
 

data/lib/puppet/reference/configuration.rb

@@ -38,6 +38,8 @@ config = Puppet::Util::Reference.newreference(:configuration, :depth => 1, :doc
       val = '$confdir/hiera.yaml. However, for backwards compatibility, if a file exists at $codedir/hiera.yaml, Puppet uses that instead.'
     elsif name.to_s == 'certname'
       val = "the Host's fully qualified domain name, as determined by Facter"
+    elsif name.to_s == 'srv_domain'
+      val = 'example.com'
     end
 
     # Leave out the section information; it was apparently confusing people.

data/lib/puppet/ssl/ssl_provider.rb

@@ -59,15 +59,18 @@ class Puppet::SSL::SSLProvider
   # refers to the cacerts bundle in the puppet-agent package.
   #
   # Connections made from the returned context will authenticate the server,
-  # i.e. `VERIFY_PEER`, but will not use a client certificate and will not
-  # perform revocation checking.
+  # i.e. `VERIFY_PEER`, but will not use a client certificate (unless requested)
+  # and will not perform revocation checking.
   #
   # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
   # @param path [String, nil] A file containing additional trusted CA certs.
+  # @param include_client_cert [true, false] If true, the client cert will be added to the context
+  #   allowing mutual TLS authentication. The default is false. If the client cert doesn't exist
+  #   then the option will be ignored.
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise (see #create_context)
   # @api private
-  def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
+  def create_system_context(cacerts:, path: Puppet[:ssl_trust_store], include_client_cert: false)
     store = create_x509_store(cacerts, [], false, include_system_store: true)
 
     if path
@@ -88,6 +91,29 @@ class Puppet::SSL::SSLProvider
       end
     end
 
+    if include_client_cert
+      cert_provider = Puppet::X509::CertProvider.new
+      private_key = cert_provider.load_private_key(Puppet[:certname], required: false)
+      unless private_key
+        Puppet.warning("Private key for '#{Puppet[:certname]}' does not exist")
+      end
+
+      client_cert = cert_provider.load_client_cert(Puppet[:certname], required: false)
+      unless client_cert
+        Puppet.warning("Client certificate for '#{Puppet[:certname]}' does not exist")
+      end
+
+      if private_key && client_cert
+        client_chain = resolve_client_chain(store, client_cert, private_key)
+
+        return Puppet::SSL::SSLContext.new(
+          store: store, cacerts: cacerts, crls: [],
+          private_key: private_key, client_cert: client_cert, client_chain: client_chain,
+          revocation: false
+        ).freeze
+      end
+    end
+
     Puppet::SSL::SSLContext.new(store: store, cacerts: cacerts, crls: [], revocation: false).freeze
   end
 
@@ -124,15 +150,7 @@ class Puppet::SSL::SSLProvider
     raise ArgumentError, _("Client cert is missing") unless client_cert
 
     store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
-    client_chain = verify_cert_with_store(store, client_cert)
-
-    if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
-      raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
-    end
-
-    unless client_cert.check_private_key(private_key)
-      raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
-    end
+    client_chain = resolve_client_chain(store, client_cert, private_key)
 
     Puppet::SSL::SSLContext.new(
       store: store, cacerts: cacerts, crls: crls,
@@ -191,6 +209,27 @@ class Puppet::SSL::SSLProvider
     csr
   end
 
+  def print(ssl_context, alg = 'SHA256')
+    if Puppet::Util::Log.sendlevel?(:debug)
+      chain = ssl_context.client_chain
+      # print from root to client
+      chain.reverse.each_with_index do |cert, i|
+        digest = Puppet::SSL::Digest.new(alg, cert.to_der)
+        if i == chain.length - 1
+          Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
+        else
+          Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
+        end
+      end
+      ssl_context.crls.each do |crl|
+        oid_values = Hash[crl.extensions.map { |ext| [ext.oid, ext.value] }]
+        crlNumber = oid_values['crlNumber'] || 'unknown'
+        authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp!
+        Puppet.debug("Using CRL '#{crl.issuer.to_utf8}' authorityKeyIdentifier '#{authKeyId}' crlNumber '#{crlNumber }'")
+      end
+    end
+  end
+
   private
 
   def default_flags
@@ -237,6 +276,20 @@ class Puppet::SSL::SSLProvider
     end
   end
 
+  def resolve_client_chain(store, client_cert, private_key)
+    client_chain = verify_cert_with_store(store, client_cert)
+
+    if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
+      raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
+    end
+
+    unless client_cert.check_private_key(private_key)
+      raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
+    end
+
+    client_chain
+  end
+
   def verify_cert_with_store(store, cert)
     # StoreContext#initialize accepts a chain argument, but it's set to [] because
     # puppet requires any intermediate CA certs needed to complete the client's

data/lib/puppet/ssl/state_machine.rb

@@ -27,6 +27,15 @@ class Puppet::SSL::StateMachine
       detail.set_backtrace(cause.backtrace)
       Error.new(@machine, message, detail)
     end
+
+    def log_error(message)
+      # When running daemonized we set stdout to /dev/null, so write to the log instead
+      if Puppet[:daemonize]
+        Puppet.err(message)
+      else
+        $stdout.puts(message)
+      end
+    end
   end
 
   # Load existing CA certs or download them. Transition to NeedCRLs.
@@ -270,15 +279,15 @@ class Puppet::SSL::StateMachine
     def next_state
       time = @machine.waitforcert
       if time < 1
-        puts _("Exiting now because the waitforcert setting is set to 0.")
+        log_error(_("Exiting now because the waitforcert setting is set to 0."))
         exit(1)
       elsif Time.now.to_i > @machine.wait_deadline
-        puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] }
+        log_error(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] })
         exit(1)
       else
         Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
 
-        # close persistent connections and session state before sleeping
+        # close http/tls and session state before sleeping
         Puppet.runtime[:http].close
         @machine.session = Puppet.runtime[:http].create_session
 
@@ -419,20 +428,7 @@ class Puppet::SSL::StateMachine
   def ensure_client_certificate
     final_state = run_machine(NeedLock.new(self), Done)
     ssl_context = final_state.ssl_context
-
-    if Puppet::Util::Log.sendlevel?(:debug)
-      chain = ssl_context.client_chain
-      # print from root to client
-      chain.reverse.each_with_index do |cert, i|
-        digest = Puppet::SSL::Digest.new(@digest, cert.to_der)
-        if i == chain.length - 1
-          Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
-        else
-          Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
-        end
-      end
-    end
-
+    @ssl_provider.print(ssl_context, @digest)
     ssl_context
   end
 

data/lib/puppet/transaction.rb

@@ -276,6 +276,7 @@ class Puppet::Transaction
 
   # Evaluate a single resource.
   def eval_resource(resource, ancestor = nil)
+    resolve_resource(resource)
     propagate_failure(resource)
     if skip?(resource)
       resource_status(resource).skipped = true
@@ -464,6 +465,27 @@ class Puppet::Transaction
   public :skip?
   public :missing_tags?
 
+  def resolve_resource(resource)
+    return unless catalog.host_config?
+
+    deferred_validate = false
+
+    resource.eachparameter do |param|
+      if param.value.instance_of?(Puppet::Pops::Evaluator::DeferredValue)
+        # Puppet::Parameter#value= triggers validation and munging. Puppet::Property#value=
+        # overrides the method, but also triggers validation and munging, since we're
+        # setting the desired/should value.
+        resolved = param.value.resolve
+        # resource.notice("Resolved deferred value to #{resolved}")
+        param.value = resolved
+        deferred_validate = true
+      end
+    end
+
+    if deferred_validate
+      resource.validate_resource
+    end
+  end
 end
 
 require_relative 'transaction/report'

data/lib/puppet/type/tidy.rb

@@ -6,7 +6,7 @@ Puppet::Type.newtype(:tidy) do
 
   @doc = "Remove unwanted files based on specific criteria.  Multiple
     criteria are OR'd together, so a file that is too large but is not
-    old enough will still get tidied.
+    old enough will still get tidied. Ignores managed resources.
 
     If you don't specify either `age` or `size`, then all files will
     be removed.

data/lib/puppet/type/user.rb

@@ -227,6 +227,9 @@ module Puppet
         * OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords
           on these systems, the `salt` and `iterations` attributes need to be specified as
           well as the password.
+        * macOS 10.15 and higher require the salt to be 32-bytes. Since Puppet's user 
+          resource requires the value to be hex encoded, the length of the salt's
+          string must be 64. 
         * Windows passwords can be managed only in cleartext, because there is no Windows
           API for setting the password hash.
 

data/lib/puppet/type.rb

@@ -2282,7 +2282,13 @@ class Type
   # @api public
   #
   def self.validate(&block)
-    define_method(:validate, &block)
+    define_method(:unsafe_validate, &block)
+
+    define_method(:validate) do
+      return if enum_for(:eachparameter).any? { |p| p.value.instance_of?(Puppet::Pops::Evaluator::DeferredValue) }
+
+      unsafe_validate
+    end
   end
 
   # @return [String] The file from which this type originates from
@@ -2372,6 +2378,19 @@ class Type
 
     set_parameters(@original_parameters)
 
+    validate_resource
+
+    set_sensitive_parameters(resource.sensitive_parameters)
+  end
+
+  # Optionally validate the resource. This method is a noop if the type has not defined
+  # a `validate` method using the puppet DSL. If validation fails, then an exception will
+  # be raised with this resources as the context.
+  #
+  # @api public
+  #
+  # @return [void]
+  def validate_resource
     begin
       self.validate if self.respond_to?(:validate)
     rescue Puppet::Error, ArgumentError => detail
@@ -2379,8 +2398,6 @@ class Type
       adderrorcontext(error, detail)
       raise error
     end
-
-    set_sensitive_parameters(resource.sensitive_parameters)
   end
 
   protected

data/lib/puppet/util/json.rb

@@ -49,13 +49,16 @@ module Puppet::Util
     def self.load(string, options = {})
       if defined? MultiJson
         begin
-          # This ensures that JrJackson will parse very large or very small
+          # This ensures that JrJackson and Oj will parse very large or very small
           # numbers as floats rather than BigDecimals, which are serialized as
           # strings by the built-in JSON gem and therefore can cause schema errors,
           # for example, when we are rendering reports to JSON using `to_pson` in
           # PuppetDB.
-          if MultiJson.adapter.name == "MultiJson::Adapters::JrJackson"
+          case MultiJson.adapter.name
+          when "MultiJson::Adapters::JrJackson"
             options[:use_bigdecimal] = false
+          when "MultiJson::Adapters::Oj"
+            options[:bigdecimal_load] = :float
           end
 
           MultiJson.load(string, options)

data/lib/puppet/util/resource_template.rb

@@ -40,7 +40,7 @@ class Puppet::Util::ResourceTemplate
 
   def evaluate
     set_resource_variables
-    ERB.new(Puppet::FileSystem.read(@file, :encoding => 'utf-8'), 0, "-").result(binding)
+    Puppet::Util.create_erb(Puppet::FileSystem.read(@file, :encoding => 'utf-8')).result(binding)
   end
 
   def initialize(file, resource)

data/lib/puppet/util/selinux.rb

@@ -204,7 +204,7 @@ module Puppet::Util::SELinux
   def selinux_label_support?(file)
     fstype = find_fs(file)
     return false if fstype.nil?
-    filesystems = ['ext2', 'ext3', 'ext4', 'gfs', 'gfs2', 'xfs', 'jfs', 'btrfs', 'tmpfs']
+    filesystems = ['ext2', 'ext3', 'ext4', 'gfs', 'gfs2', 'xfs', 'jfs', 'btrfs', 'tmpfs', 'zfs']
     filesystems.include?(fstype)
   end