puppet 7.16.0-universal-darwin → 7.19.0-universal-darwin

data/lib/puppet/util.rb

@@ -34,6 +34,17 @@ module Util
   end
   module_function :default_env
 
+  if RUBY_VERSION >= "2.6"
+    def create_erb(content)
+      ERB.new(content, trim_mode: '-')
+    end
+  else
+    def create_erb(content)
+      ERB.new(content, 0, '-')
+    end
+  end
+  module_function :create_erb
+
   # @param name [String] The name of the environment variable to retrieve
   # @param mode [Symbol] Which operating system mode to use e.g. :posix or :windows.  Use nil to autodetect
   # @return [String] Value of the specified environment variable.  nil if it does not exist
@@ -530,7 +541,7 @@ module Util
             IO::new(f.to_i).close rescue nil
           end
         end
-      rescue Errno::ENOENT # /proc/self/fd not found
+      rescue Errno::ENOENT, Errno::ENOTDIR # /proc/self/fd not found, /proc/self not a dir
         3.upto(256){|fd| IO::new(fd).close rescue nil}
       end
 

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '7.16.0'
+  PUPPETVERSION = '7.19.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/lib/puppet.rb

@@ -235,20 +235,7 @@ module Puppet
 
     {
       :environments => Puppet::Environments::Cached.new(Puppet::Environments::Combined.new(*loaders)),
-      :ssl_context => proc {
-        begin
-          cert = Puppet::X509::CertProvider.new
-          password = cert.load_private_key_password
-          ssl = Puppet::SSL::SSLProvider.new
-          ssl.load_context(certname: Puppet[:certname], password: password)
-        rescue => e
-          # TRANSLATORS: `message` is an already translated string of why SSL failed to initialize
-          Puppet.log_exception(e, _("Failed to initialize SSL: %{message}") % { message: e.message })
-          # TRANSLATORS: `puppet agent -t` is a command and should not be translated
-          Puppet.err(_("Run `puppet agent -t`"))
-          raise e
-        end
-      },
+      :ssl_context => proc { Puppet.runtime[:http].default_ssl_context },
       :http_session => proc { Puppet.runtime[:http].create_session },
       :plugins => proc { Puppet::Plugins::Configuration.load_plugins },
       :rich_data => false

data/man/man5/puppet.conf.5

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPETCONF" "5" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPETCONF" "5" "September 2022" "Puppet, Inc." "Puppet manual"
 \fBThis page is autogenerated; any changes will get overwritten\fR
 .
 .SH "Configuration settings"
@@ -929,7 +929,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
 The HTTP User\-Agent string to send when making network requests\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: \fBPuppet/7\.16\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
+\fIDefault\fR: \fBPuppet/7\.19\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
 .
 .IP "" 0
 .
@@ -1486,6 +1486,14 @@ The preferred means of serializing ruby instances for passing over the wire\. Th
 .
 .IP "" 0
 .
+.SS "preprocess_deferred"
+Whether puppet should call deferred functions before applying the catalog\. If set to \fBtrue\fR, then all prerequisites needed for the deferred function must be satified prior to puppet running\. If set to \fBfalse\fR, then deferred functions will follow puppet relationships and ordering\. This allows puppet to install prerequisites needed for a deferred function and call the deferred function in the same run\.
+.
+.IP "\(bu" 4
+\fIDefault\fR: \fBtrue\fR
+.
+.IP "" 0
+.
 .SS "prerun_command"
 A command to run before every agent run\. If this command returns a non\-zero return code, the entire Puppet run will fail\.
 .
@@ -1800,7 +1808,7 @@ The maximum time to delay before an agent\'s first run when \fBsplay\fR is enabl
 The domain which will be queried to find the SRV records of servers to use\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: \fBci\-jenkins\-setup\-platform\.svc\.cluster\.local\fR
+\fIDefault\fR: \fBexample\.com\fR
 .
 .IP "" 0
 .
@@ -2000,7 +2008,7 @@ Whether to print stack traces on some errors\. Will print internal Ruby stack tr
 .IP "" 0
 .
 .SS "transactionstorefile"
-Transactional storage file for persisting data between transactions for the purposes of infering information (such as corrective_change) on new data received\.
+Transactional storage file for persisting data between transactions for the purposes of inferring information (such as corrective_change) on new data received\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: \fB$statedir/transactionstore\.yaml\fR

data/man/man8/puppet-agent.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-AGENT" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-AGENT" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-agent\fR \- The puppet agent daemon
@@ -51,7 +51,7 @@ Some flags are meant specifically for interactive use \-\-\- in particular, \'te
 \'\-\-tags\' allows you to specify what portions of a configuration you want to apply\. Puppet elements are tagged with all of the class or definition names that contain them, and you can use the \'tags\' flag to specify one of these names, causing only configuration elements contained within that class or definition to be applied\. This is very useful when you are testing new configurations \-\-\- for instance, if you are just starting to manage \'ntpd\', you would put all of the new elements into an \'ntpd\' class, and call puppet with \'\-\-tags ntpd\', which would only apply that small portion of the configuration during your testing, rather than applying the whole thing\.
 .
 .P
-\'\-\-fingerprint\' is a one\-time flag\. In this mode \'puppet agent\' runs once and displays on the console (and in the log) the current certificate (or certificate request) fingerprint\. Providing the \'\-\-digest\' option allows to use a different digest algorithm to generate the fingerprint\. The main use is to verify that before signing a certificate request on the master, the certificate request the master received is the same as the one the client sent (to prevent against man\-in\-the\-middle attacks when signing certificates)\.
+\'\-\-fingerprint\' is a one\-time flag\. In this mode \'puppet agent\' runs once and displays on the console (and in the log) the current certificate (or certificate request) fingerprint\. Providing the \'\-\-digest\' option allows you to use a different digest algorithm to generate the fingerprint\. The main use is to verify that before signing a certificate request on the master, the certificate request the master received is the same as the one the client sent (to prevent against man\-in\-the\-middle attacks when signing certificates)\.
 .
 .P
 \'\-\-skip_tags\' is a flag used to filter resources\. If this is set, then only resources not tagged with the specified tags will be applied\. Values must be comma\-separated\.

data/man/man8/puppet-apply.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-APPLY" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-APPLY" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-apply\fR \- Apply Puppet manifests locally

data/man/man8/puppet-catalog.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-CATALOG" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-CATALOG" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-catalog\fR \- Compile, save, view, and convert catalogs\.

data/man/man8/puppet-config.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-CONFIG" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-CONFIG" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-config\fR \- Interact with Puppet\'s settings\.

data/man/man8/puppet-describe.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DESCRIBE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DESCRIBE" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-describe\fR \- Display help about resource types

data/man/man8/puppet-device.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DEVICE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DEVICE" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-device\fR \- Manage remote network devices

data/man/man8/puppet-doc.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DOC" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DOC" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-doc\fR \- Generate Puppet references

data/man/man8/puppet-epp.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-EPP" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-EPP" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-epp\fR \- Interact directly with the EPP template parser/renderer\.

data/man/man8/puppet-facts.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-FACTS" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-FACTS" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-facts\fR \- Retrieve and store facts\.

data/man/man8/puppet-filebucket.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-FILEBUCKET" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-FILEBUCKET" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-filebucket\fR \- Store and retrieve files in a filebucket

data/man/man8/puppet-generate.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-GENERATE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-GENERATE" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-generate\fR \- Generates Puppet code from Ruby definitions\.

data/man/man8/puppet-help.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-HELP" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-HELP" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-help\fR \- Display Puppet help\.

data/man/man8/puppet-lookup.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-LOOKUP" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-LOOKUP" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-lookup\fR \- Interactive Hiera lookup

data/man/man8/puppet-module.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-MODULE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-MODULE" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-module\fR \- Creates, installs and searches for modules on the Puppet Forge\.

data/man/man8/puppet-node.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-NODE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-NODE" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-node\fR \- View and manage node definitions\.

data/man/man8/puppet-parser.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-PARSER" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-PARSER" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-parser\fR \- Interact directly with the parser\.

data/man/man8/puppet-plugin.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-PLUGIN" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-PLUGIN" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-plugin\fR \- Interact with the Puppet plugin system\.

data/man/man8/puppet-report.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-REPORT" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-REPORT" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-report\fR \- Create, display, and submit reports\.

data/man/man8/puppet-resource.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-RESOURCE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-RESOURCE" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-resource\fR \- The resource abstraction layer shell

data/man/man8/puppet-script.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-SCRIPT" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-SCRIPT" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-script\fR \- Run a puppet manifests as a script without compiling a catalog

data/man/man8/puppet-ssl.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-SSL" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-SSL" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-ssl\fR \- Manage SSL keys and certificates for puppet SSL clients

data/man/man8/puppet.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET" "8" "March 2022" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET" "8" "September 2022" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\fR
@@ -25,4 +25,4 @@ Specialized:
 catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.16\.0
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.19\.0

data/spec/integration/application/agent_spec.rb

@@ -3,6 +3,7 @@ require 'puppet_spec/files'
 require 'puppet_spec/puppetserver'
 require 'puppet_spec/compiler'
 require 'puppet_spec/https'
+require 'puppet/application/agent'
 
 describe "puppet agent", unless: Puppet::Util::Platform.jruby? do
   include PuppetSpec::Files
@@ -97,6 +98,18 @@ describe "puppet agent", unless: Puppet::Util::Platform.jruby? do
   end
 
   context 'rich data' do
+    let(:deferred_file) { tmpfile('deferred') }
+    let(:deferred_manifest) do <<~END
+      file { '#{deferred_file}':
+        ensure => file,
+        content => '123',
+      } ->
+      notify { 'deferred':
+        message => Deferred('binary_file', ['#{deferred_file}'])
+      }
+      END
+    end
+
     it "calls a deferred 4x function" do
       catalog_handler = -> (req, res) {
         catalog = compile_to_catalog(<<-MANIFEST, node)
@@ -141,6 +154,43 @@ describe "puppet agent", unless: Puppet::Util::Platform.jruby? do
       end
     end
 
+    it "fails to apply a deferred function with an unsatified prerequisite" do
+      catalog_handler = -> (req, res) {
+        catalog = compile_to_catalog(deferred_manifest, node)
+        res.body = formatter.render(catalog)
+        res['Content-Type'] = formatter.mime
+      }
+
+      server.start_server(mounts: {catalog: catalog_handler}) do |port|
+        Puppet[:serverport] = port
+        expect {
+          agent.command_line.args << '--test'
+          agent.run
+        }.to exit_with(1)
+         .and output(%r{Using environment}).to_stdout
+         .and output(%r{The given file '#{deferred_file}' does not exist}).to_stderr
+      end
+    end
+
+    it "applies a deferred function and its prerequisite in the same run" do
+      Puppet[:preprocess_deferred] = false
+
+      catalog_handler = -> (req, res) {
+        catalog = compile_to_catalog(deferred_manifest, node)
+        res.body = formatter.render(catalog)
+        res['Content-Type'] = formatter.mime
+      }
+
+      server.start_server(mounts: {catalog: catalog_handler}) do |port|
+        Puppet[:serverport] = port
+        expect {
+          agent.command_line.args << '--test'
+          agent.run
+        }.to exit_with(2)
+         .and output(%r{defined 'message' as Binary\("MTIz"\)}).to_stdout
+      end
+    end
+
     it "re-evaluates a deferred function in a cached catalog" do
       Puppet[:report] = false
       Puppet[:use_cached_catalog] = true
@@ -740,4 +790,111 @@ describe "puppet agent", unless: Puppet::Util::Platform.jruby? do
       end
     end
   end
+
+  context "ssl" do
+    context "bootstrapping" do
+      before :each do
+        # reconfigure ssl to non-existent dir and files to force bootstrapping
+        dir = tmpdir('ssl')
+        Puppet[:ssldir] = dir
+        Puppet[:localcacert] = File.join(dir, 'ca.pem')
+        Puppet[:hostcrl] = File.join(dir, 'crl.pem')
+        Puppet[:hostprivkey] = File.join(dir, 'cert.pem')
+        Puppet[:hostcert] = File.join(dir, 'key.pem')
+
+        Puppet[:daemonize] = false
+        Puppet[:logdest] = 'console'
+        Puppet[:log_level] = 'info'
+      end
+
+      it "exits if the agent is not allowed to wait" do
+        Puppet[:waitforcert] = 0
+
+        server.start_server do |port|
+          Puppet[:serverport] = port
+          expect {
+            agent.run
+          }.to exit_with(1)
+           .and output(%r{Exiting now because the waitforcert setting is set to 0}).to_stdout
+           .and output(%r{Failed to submit the CSR, HTTP response was 404}).to_stderr
+        end
+      end
+
+      it "exits if the maxwaitforcert time is exceeded" do
+        Puppet[:waitforcert] = 1
+        Puppet[:maxwaitforcert] = 1
+
+        server.start_server do |port|
+          Puppet[:serverport] = port
+          expect {
+            agent.run
+          }.to exit_with(1)
+            .and output(%r{Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate \(127.0.0.1\). Exiting now because the maxwaitforcert timeout has been exceeded.}).to_stdout
+            .and output(%r{Failed to submit the CSR, HTTP response was 404}).to_stderr
+        end
+      end
+    end
+
+    def copy_fixtures(sources, dest)
+      ssldir = File.join(PuppetSpec::FIXTURE_DIR, 'ssl')
+      File.open(dest, 'w') do |f|
+        sources.each do |s|
+          f.write(File.read(File.join(ssldir, s)))
+        end
+      end
+    end
+
+    it "reloads the CRL between runs" do
+      Puppet[:localcacert] = ca = tmpfile('ca')
+      Puppet[:hostcrl] = crl = tmpfile('crl')
+      Puppet[:hostcert] = cert = tmpfile('cert')
+      Puppet[:hostprivkey] = key = tmpfile('key')
+
+      copy_fixtures(%w[ca.pem intermediate.pem], ca)
+      copy_fixtures(%w[crl.pem intermediate-crl.pem], crl)
+      copy_fixtures(%w[127.0.0.1.pem], cert)
+      copy_fixtures(%w[127.0.0.1-key.pem], key)
+
+      revoked = cert_fixture('revoked.pem')
+      revoked_key = key_fixture('revoked-key.pem')
+
+      mounts = {}
+      mounts[:catalog] = -> (req, res) {
+        catalog = compile_to_catalog(<<~MANIFEST, node)
+          file { '#{cert}':
+            ensure => file,
+            content => '#{revoked}'
+          }
+          file { '#{key}':
+            ensure => file,
+            content => '#{revoked_key}'
+          }
+        MANIFEST
+
+        res.body = formatter.render(catalog)
+        res['Content-Type'] = formatter.mime
+      }
+
+      server.start_server(mounts: mounts) do |port|
+        Puppet[:serverport] = port
+        Puppet[:daemonize] = false
+        Puppet[:runinterval] = 1
+        Puppet[:waitforcert] = 1
+        Puppet[:maxwaitforcert] = 1
+
+        # simulate two runs of the agent, then return so we don't infinite loop
+        allow_any_instance_of(Puppet::Daemon).to receive(:run_event_loop) do |instance|
+          instance.agent.run(splay: false)
+          instance.agent.run(splay: false)
+        end
+
+        agent.command_line.args << '--verbose'
+        expect {
+          agent.run
+        }.to exit_with(1)
+         .and output(%r{Exiting now because the maxwaitforcert timeout has been exceeded}).to_stdout
+         .and output(%r{Certificate 'CN=revoked' is revoked}).to_stderr
+      end
+    end
+  end
 end

data/spec/integration/application/apply_spec.rb

@@ -665,6 +665,18 @@ class amod::bad_type {
   end
 
   context 'rich data' do
+    let(:deferred_file) { tmpfile('deferred') }
+    let(:deferred_manifest) do <<~END
+      file { '#{deferred_file}':
+        ensure => file,
+        content => '123',
+      } ->
+      notify { 'deferred':
+        message => Deferred('binary_file', ['#{deferred_file}'])
+      }
+      END
+    end
+
     it "calls a deferred 4x function" do
       apply.command_line.args = ['-e', 'notify { "deferred3x": message => Deferred("join", [[1,2,3], ":"]) }']
 
@@ -681,5 +693,67 @@ class amod::bad_type {
       }.to exit_with(0) # for some reason apply returns 0 instead of 2
        .and output(%r{Notice: /Stage\[main\]/Main/Notify\[deferred4x\]/message: defined 'message' as 'I am deferred'}).to_stdout
     end
+
+    it "fails to apply a deferred function with an unsatified prerequisite" do
+      apply.command_line.args = ['-e', deferred_manifest]
+      expect {
+        apply.run
+      }.to exit_with(1) # for some reason apply returns 0 instead of 2
+       .and output(/Compiled catalog/).to_stdout
+       .and output(%r{The given file '#{deferred_file}' does not exist}).to_stderr
+    end
+
+    it "applies a deferred function and its prerequisite in the same run" do
+      Puppet[:preprocess_deferred] = false
+
+      apply.command_line.args = ['-e', deferred_manifest]
+      expect {
+        apply.run
+      }.to exit_with(0) # for some reason apply returns 0 instead of 2
+        .and output(%r{defined 'message' as Binary\("MTIz"\)}).to_stdout
+    end
+
+    it "validates the deferred resource before applying any resources" do
+      undeferred_file = tmpfile('undeferred')
+
+      manifest = <<~END
+      file { '#{undeferred_file}':
+        ensure => file,
+      }
+      file { '#{deferred_file}':
+          ensure => file,
+          content => Deferred('inline_epp', ['<%= 42 %>']),
+          source => 'http://example.com/content',
+      }
+      END
+      apply.command_line.args = ['-e', manifest]
+      expect {
+        apply.run
+      }.to exit_with(1)
+        .and output(/Compiled catalog/).to_stdout
+        .and output(/Validation of File.* failed: You cannot specify more than one of content, source, target/).to_stderr
+
+      # validation happens before all resources are applied, so this shouldn't exist
+      expect(File).to_not be_exist(undeferred_file)
+    end
+
+    it "evaluates resources before validating the deferred resource" do
+      Puppet[:preprocess_deferred] = false
+
+      manifest = <<~END
+        notify { 'runs before file': } ->
+        file { '#{deferred_file}':
+          ensure => file,
+          content => Deferred('inline_epp', ['<%= 42 %>']),
+          source => 'http://example.com/content',
+      }
+      END
+      apply.command_line.args = ['-e', manifest]
+      expect {
+        apply.run
+      }.to exit_with(1)
+        .and output(/Notify\[runs before file\]/).to_stdout
+        .and output(/Validation of File.* failed: You cannot specify more than one of content, source, target/).to_stderr
+    end
   end
 end