puppet 7.26.0 → 7.27.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4350a93f3369c12583813d15ee2ff5f3a723acef569dcbb6e70f56e462a9e13a
-  data.tar.gz: b4194a13ab7e9f12eb46a82d5995e483b203ed578be64b9b39fd1d77e1f6199a
+  metadata.gz: 9469aaf05c733283683b9b56622c59cf7e24619784e652349f0875b6ae007ada
+  data.tar.gz: 682f12641fdef56f5a9966bd9ceb3ef5c4040b8fbc78cb2047b95b6f1e9d4249
 SHA512:
-  metadata.gz: 87919389e1447dd22cb532cc81f0c5c432cd375b5822b5849eedb179047cf496828f101039e955c848643029f29dfb147b7e8fed98ba41bd958b726858ad730a
-  data.tar.gz: 04ed925c840517e266cf62475897d32e6564f6bef383e3c57d0f144d89df13a584c21f4e95170f97d4fb8a71c6c7167f5e28dceb0591ba57c86771a84dae6da9
+  metadata.gz: d0961a95f4661dc54212e5aaef78f374ea157e41e3b183aa818e2f8daf6acc204aaf1c3bc22b9311123a7f1e5190b273b8b67cce7ce25ef1b57600c7934f5988
+  data.tar.gz: 5babca90f6a026d264cc36c681b5a7de11955801b52ca25f64185106c8997429546caa3c66a906a177c3ec32261e303ab382f6bcc35b545f37a0e32bc7089c51

data/Gemfile

@@ -35,7 +35,7 @@ group(:features) do
 end
 
 group(:test) do
-  gem "ffi", require: false
+  gem "ffi", '1.15.5', require: false
   gem "json-schema", "~> 2.0", require: false
   gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 13.0')
   gem "rspec", "~> 3.1", require: false

data/Gemfile.lock

@@ -1,6 +1,6 @@
 GIT
   remote: https://github.com/puppetlabs/packaging
-  revision: affecba5dfacc5862fc7199895ccf11b69153570
+  revision: 8adf33f59cc443c311c5d5d70c6ba2084625ceea
   branch: 1.0.x
   specs:
     packaging (0)
@@ -15,7 +15,7 @@ GIT
 PATH
   remote: .
   specs:
-    puppet (7.26.0)
+    puppet (7.27.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -37,6 +37,7 @@ GEM
       docopt
     artifactory (3.0.15)
     ast (2.4.2)
+    base64 (0.1.1)
     coderay (1.1.3)
     concurrent-ruby (1.2.2)
     crack (0.4.5)
@@ -48,10 +49,11 @@ GEM
     digest-crc (0.6.5)
       rake (>= 12.0.0, < 14.0.0)
     docopt (0.6.1)
-    facter (4.4.2)
+    facter (4.5.0)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
-    faraday (2.7.10)
+    faraday (2.7.11)
+      base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
@@ -91,10 +93,9 @@ GEM
       google-cloud-core (~> 1.6)
       googleauth (>= 0.16.2, < 2.a)
       mini_mime (~> 1.0)
-    googleauth (1.7.0)
+    googleauth (1.8.1)
       faraday (>= 0.17.3, < 3.a)
       jwt (>= 1.4, < 3.0)
-      memoist (~> 0.16)
       multi_json (~> 1.11)
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
@@ -111,7 +112,6 @@ GEM
       addressable (>= 2.4)
     jwt (2.7.1)
     locale (2.1.3)
-    memoist (0.16.2)
     memory_profiler (1.0.1)
     method_source (1.0.0)
     mini_mime (1.1.5)
@@ -122,7 +122,7 @@ GEM
     optimist (3.1.0)
     os (1.1.4)
     parallel (1.23.0)
-    parser (3.2.2.3)
+    parser (3.2.2.4)
       ast (~> 2.4.1)
       racc
     pry (0.14.2)
@@ -138,7 +138,7 @@ GEM
     rake (13.0.6)
     rdiscount (2.2.7.1)
     rdoc (6.3.3)
-    regexp_parser (2.8.1)
+    regexp_parser (2.8.2)
     release-metrics (1.1.0)
       csv
       docopt
@@ -186,18 +186,18 @@ GEM
     ruby2_keywords (0.0.5)
     scanf (1.0.0)
     semantic_puppet (1.1.0)
-    signet (0.17.0)
+    signet (0.18.0)
       addressable (~> 2.8)
       faraday (>= 0.17.5, < 3.a)
       jwt (>= 1.5, < 3.0)
       multi_json (~> 1.10)
     text (1.3.1)
-    thor (1.2.2)
+    thor (1.3.0)
     trailblazer-option (0.1.2)
     uber (0.1.0)
-    unicode-display_width (2.4.2)
+    unicode-display_width (2.5.0)
     vcr (5.1.0)
-    webmock (3.18.1)
+    webmock (3.19.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -209,7 +209,7 @@ PLATFORMS
 
 DEPENDENCIES
   diff-lcs (~> 1.3)
-  ffi
+  ffi (= 1.15.5)
   gettext-setup (~> 0.28)
   hiera-eyaml
   hocon (~> 1.0)
@@ -238,4 +238,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.4.12
+   2.4.20

data/ext/project_data.yaml

@@ -40,11 +40,11 @@ gem_platform_dependencies:
       CFPropertyList: '~> 2.2'
   x86-mingw32:
     gem_runtime_dependencies:
-      ffi: ['> 1.9.24', '< 2']
+      ffi: '1.15.5'
       minitar: '~> 0.9'
   x64-mingw32:
     gem_runtime_dependencies:
-      ffi: ['> 1.9.24', '< 2']
+      ffi: '1.15.5'
       minitar: '~> 0.9'
 bundle_platforms:
   universal-darwin: all

data/lib/puppet/application/ssl.rb

@@ -59,6 +59,11 @@ ACTIONS
   the CSR. Otherwise a new key pair will be generated. If a CSR has already
   been submitted with the given `certname`, then the operation will fail.
 
+* generate_request:
+  Generate a certificate signing request (CSR). If
+  a private and public key pair already exist, they will be used to generate
+  the CSR. Otherwise a new key pair will be generated.
+
 * download_cert:
   Download a certificate for this host. If the current private key matches
   the downloaded certificate, then the certificate will be saved and used
@@ -136,9 +141,21 @@ HELP
       unless cert
         raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
       end
+    when 'generate_request'
+      generate_request(certname)
     when 'verify'
       verify(certname)
     when 'clean'
+      possible_extra_args = command_line.args.drop(1)
+      unless possible_extra_args.empty?
+        raise Puppet::Error, _(<<END) % { args: possible_extra_args.join(' ')}
+Extra arguments detected: %{args}
+Did you mean to run:
+  puppetserver ca clean --certname <name>
+Or:
+  puppet ssl clean --target <name>
+END
+      end
       clean(certname)
     when 'bootstrap'
       if !Puppet::Util::Log.sendlevel?(:info)
@@ -162,13 +179,7 @@ HELP
   def submit_request(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
     unless key
-      if Puppet[:key_type] == 'ec'
-        Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
-        key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
-      else
-        Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
-        key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
-      end
+      key = create_key(Puppet[:certname])
       @cert_provider.save_private_key(Puppet[:certname], key)
     end
 
@@ -187,6 +198,20 @@ HELP
     raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
   end
 
+  def generate_request(certname)
+    key = @cert_provider.load_private_key(certname)
+    unless key
+      key = create_key(certname)
+      @cert_provider.save_private_key(certname, key)
+    end
+
+    csr = @cert_provider.create_request(certname, key)
+    @cert_provider.save_request(certname, csr)
+    Puppet.notice _("Generated certificate request in '%{path}'") % { path: @cert_provider.to_path(Puppet[:requestdir], certname) }
+  rescue => e
+    raise Puppet::Error.new(_("Failed to generate certificate request: %{message}") % { message: e.message }, e)
+  end
+
   def download_cert(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
 
@@ -285,4 +310,14 @@ END
   def create_route(ssl_context)
     @session.route_to(:ca, ssl_context: ssl_context)
   end
+
+  def create_key(certname)
+    if Puppet[:key_type] == 'ec'
+      Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: certname, curve: Puppet[:named_curve] }
+      OpenSSL::PKey::EC.generate(Puppet[:named_curve])
+    else
+      Puppet.info _("Creating a new SSL key for %{name}") % { name: certname }
+      OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+    end
+  end
 end

data/lib/puppet/application.rb

@@ -503,8 +503,12 @@ class Application
     runtime_info = {
       'puppet_version' => Puppet.version,
       'ruby_version'   => RUBY_VERSION,
-      'run_mode'       => self.class.run_mode.name,
+      'run_mode'       => self.class.run_mode.name
     }
+    unless Puppet::Util::Platform.jruby_fips?
+      runtime_info['openssl_version'] = "'#{OpenSSL::OPENSSL_VERSION}'"
+      runtime_info['openssl_fips'] = OpenSSL::OPENSSL_FIPS
+    end
     runtime_info['default_encoding'] = Encoding.default_external
     runtime_info.merge!(extra_info) unless extra_info.nil?
 

data/lib/puppet/functions/split.rb

@@ -35,6 +35,21 @@ Puppet::Functions.create_function(:split) do
     param 'Type[Regexp]', :pattern
   end
 
+  dispatch :split_String_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'String', :pattern
+  end
+
+  dispatch :split_Regexp_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'Regexp', :pattern
+  end
+
+  dispatch :split_RegexpType_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'Type[Regexp]', :pattern
+  end
+
   def split_String(str, pattern)
     str.split(Regexp.compile(pattern))
   end
@@ -46,4 +61,16 @@ Puppet::Functions.create_function(:split) do
   def split_RegexpType(str, pattern)
     str.split(pattern.regexp)
   end
-end
+
+  def split_String_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_String(sensitive.unwrap, pattern))
+  end
+
+  def split_Regexp_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_Regexp(sensitive.unwrap, pattern))
+  end
+
+  def split_RegexpType_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_RegexpType(sensitive.unwrap, pattern))
+  end
+end

data/lib/puppet/node/environment.rb

@@ -591,10 +591,12 @@ class Puppet::Node::Environment
       if file == NO_MANIFEST
         empty_parse_result
       elsif File.directory?(file)
-        parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*.pp')).glob.sort.map do | file_to_parse |
-          parser.file = file_to_parse
-          parser.parse
-          end
+        # JRuby does not properly perform Dir.glob operations with wildcards, (see PUP-11788 and https://github.com/jruby/jruby/issues/7836).
+        # We sort the results because Dir.glob order is inconsistent in Ruby < 3 (see PUP-10115).
+        parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select {|globbed_file| globbed_file.end_with?('.pp')}.sort.map do | file_to_parse |
+                          parser.file = file_to_parse
+                          parser.parse
+                        end
         # Use a parser type specific merger to concatenate the results
         Puppet::Parser::AST::Hostclass.new('', :code => Puppet::Parser::ParserFactory.code_merger.concatenate(parse_results))
       else

data/lib/puppet/pops/time/timespan.rb

@@ -633,7 +633,7 @@ module Time
         position = -1
         fstart = 0
 
-        str.codepoints do |codepoint|
+        str.each_codepoint do |codepoint|
           position += 1
           if state == STATE_LITERAL
             if codepoint == 0x25 # '%'

data/lib/puppet/provider/package/apt.rb

@@ -12,7 +12,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
     These options should be specified as an array where each element is either a
      string or a hash."
 
-  has_feature :versionable, :install_options, :virtual_packages
+  has_feature :versionable, :install_options, :virtual_packages, :version_ranges
 
   commands :aptget => "/usr/bin/apt-get"
   commands :aptcache => "/usr/bin/apt-cache"

data/lib/puppet/provider/package/dnf.rb

@@ -9,7 +9,7 @@ Puppet::Type.type(:package).provide :dnf, :parent => :yum do
   These options should be specified as an array where each element is either
    a string or a hash."
 
-  has_feature :install_options, :versionable, :virtual_packages, :install_only
+  has_feature :install_options, :versionable, :virtual_packages, :install_only, :version_ranges
 
   commands :cmd => "dnf", :rpm => "rpm"
 

data/lib/puppet/provider/package/yum.rb

@@ -15,7 +15,7 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
   This provider supports the `install_options` attribute, which allows command-line flags to be passed to yum.
   These options should be specified as an array where each element is either a string or a hash."
 
-  has_feature :install_options, :versionable, :virtual_packages, :install_only
+  has_feature :install_options, :versionable, :virtual_packages, :install_only, :version_ranges
 
   RPM_VERSION       = Puppet::Util::Package::Version::Rpm
   RPM_VERSION_RANGE = Puppet::Util::Package::Version::Range

data/lib/puppet/util/execution.rb

@@ -222,8 +222,12 @@ module Puppet::Util::Execution
             # Use non-blocking read to check for data. After each attempt,
             # check whether the child is done. This is done in case the child
             # forks and inherits stdout, as happens in `foo &`.
-            
-            until results = Process.waitpid2(child_pid, Process::WNOHANG) #rubocop:disable Lint/AssignmentInCondition
+            # If we encounter EOF, though, then switch to a blocking wait for
+            # the child; after EOF, IO.select will never block and the loop
+            # below will use maximum CPU available.
+
+            wait_flags = Process::WNOHANG
+            until results = Process.waitpid2(child_pid, wait_flags) #rubocop:disable Lint/AssignmentInCondition
 
               # If not done, wait for data to read with a timeout
               # This timeout is selected to keep activity low while waiting on
@@ -234,6 +238,7 @@ module Puppet::Util::Execution
                 output << reader.read_nonblock(4096) if ready
               rescue Errno::EAGAIN
               rescue EOFError
+                wait_flags = 0
               end
             end
 

data/lib/puppet/util/windows/adsi.rb

@@ -175,6 +175,13 @@ module Puppet::Util::Windows::ADSI
         sids = []
         adsi_child_collection.each do |m|
           sids << Puppet::Util::Windows::SID.ads_to_principal(m)
+        rescue Puppet::Util::Windows::Error => e
+          case e.code
+          when Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE, Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE
+            sids << Puppet::Util::Windows::SID.unresolved_principal(m.name, m.sid)
+          else
+            raise e
+          end
         end
 
         sids

data/lib/puppet/util/windows/sid.rb

@@ -6,8 +6,10 @@ module Puppet::Util::Windows
     extend FFI::Library
 
     # missing from Windows::Error
-    ERROR_NONE_MAPPED           = 1332
-    ERROR_INVALID_SID_STRUCTURE = 1337
+    ERROR_NONE_MAPPED                  = 1332
+    ERROR_INVALID_SID_STRUCTURE        = 1337
+    ERROR_TRUSTED_DOMAIN_FAILURE       = 1788
+    ERROR_TRUSTED_RELATIONSHIP_FAILURE = 1789
 
     # Well Known SIDs
     Null                        = 'S-1-0'

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '7.26.0'
+  PUPPETVERSION = '7.27.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/lib/puppet/x509/cert_provider.rb

@@ -346,13 +346,17 @@ class Puppet::X509::CertProvider
     OpenSSL::X509::Request.new(pem)
   end
 
-  private
-
+  # Return the path to the cert related object (key, CSR, cert, etc).
+  #
+  # @param base [String] base directory
+  # @param name [String] the name associated with the cert related object
   def to_path(base, name)
     raise _("Certname %{name} must not contain unprintable or non-ASCII characters") % { name: name.inspect } unless name =~ VALID_CERTNAME
     File.join(base, "#{name.downcase}.pem")
   end
 
+  private
+
   def permissions_for_setting(name)
     setting = Puppet.settings.setting(name)
     perm = { mode: setting.mode.to_i(8) }

data/man/man5/puppet.conf.5

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPETCONF" "5" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPETCONF" "5" "October 2023" "Puppet, Inc." "Puppet manual"
 \fBThis page is autogenerated; any changes will get overwritten\fR
 .
 .SH "Configuration settings"
@@ -945,7 +945,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
 The HTTP User\-Agent string to send when making network requests\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: \fBPuppet/7\.26\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
+\fIDefault\fR: \fBPuppet/7\.27\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
 .
 .IP "" 0
 .

data/man/man8/puppet-agent.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-AGENT" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-AGENT" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-agent\fR \- The puppet agent daemon

data/man/man8/puppet-apply.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-APPLY" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-APPLY" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-apply\fR \- Apply Puppet manifests locally

data/man/man8/puppet-catalog.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-CATALOG" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-CATALOG" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-catalog\fR \- Compile, save, view, and convert catalogs\.

data/man/man8/puppet-config.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-CONFIG" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-CONFIG" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-config\fR \- Interact with Puppet\'s settings\.

data/man/man8/puppet-describe.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DESCRIBE" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DESCRIBE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-describe\fR \- Display help about resource types

data/man/man8/puppet-device.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DEVICE" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DEVICE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-device\fR \- Manage remote network devices

data/man/man8/puppet-doc.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DOC" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DOC" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-doc\fR \- Generate Puppet references

data/man/man8/puppet-epp.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-EPP" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-EPP" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-epp\fR \- Interact directly with the EPP template parser/renderer\.

data/man/man8/puppet-facts.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-FACTS" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-FACTS" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-facts\fR \- Retrieve and store facts\.

data/man/man8/puppet-filebucket.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-FILEBUCKET" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-FILEBUCKET" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-filebucket\fR \- Store and retrieve files in a filebucket

data/man/man8/puppet-generate.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-GENERATE" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-GENERATE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-generate\fR \- Generates Puppet code from Ruby definitions\.

data/man/man8/puppet-help.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-HELP" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-HELP" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-help\fR \- Display Puppet help\.

data/man/man8/puppet-lookup.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-LOOKUP" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-LOOKUP" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-lookup\fR \- Interactive Hiera lookup

data/man/man8/puppet-module.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-MODULE" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-MODULE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-module\fR \- Creates, installs and searches for modules on the Puppet Forge\.

data/man/man8/puppet-node.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-NODE" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-NODE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-node\fR \- View and manage node definitions\.

data/man/man8/puppet-parser.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-PARSER" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-PARSER" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-parser\fR \- Interact directly with the parser\.

data/man/man8/puppet-plugin.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-PLUGIN" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-PLUGIN" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-plugin\fR \- Interact with the Puppet plugin system\.

data/man/man8/puppet-report.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-REPORT" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-REPORT" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-report\fR \- Create, display, and submit reports\.

data/man/man8/puppet-resource.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-RESOURCE" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-RESOURCE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-resource\fR \- The resource abstraction layer shell

data/man/man8/puppet-script.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-SCRIPT" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-SCRIPT" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-script\fR \- Run a puppet manifests as a script without compiling a catalog

data/man/man8/puppet-ssl.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-SSL" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-SSL" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-ssl\fR \- Manage SSL keys and certificates for puppet SSL clients
@@ -42,6 +42,10 @@ submit_request
 Generate a certificate signing request (CSR) and submit it to the CA\. If a private and public key pair already exist, they will be used to generate the CSR\. Otherwise a new key pair will be generated\. If a CSR has already been submitted with the given \fBcertname\fR, then the operation will fail\.
 .
 .TP
+generate_request
+Generate a certificate signing request (CSR)\. If a private and public key pair already exist, they will be used to generate the CSR\. Otherwise a new key pair will be generated\.
+.
+.TP
 download_cert
 Download a certificate for this host\. If the current private key matches the downloaded certificate, then the certificate will be saved and used for subsequent requests\. If there is already an existing certificate, it will be overwritten\.
 .

data/man/man8/puppet.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET" "8" "August 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\fR
@@ -25,4 +25,4 @@ Specialized:
 catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.26\.0
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.27\.0

data/spec/integration/type/exec_spec.rb

@@ -75,6 +75,19 @@ describe Puppet::Type.type(:exec), unless: Puppet::Util::Platform.jruby? do
     end
   end
 
+  context 'when an exec sends an EOF' do
+    let(:command) { ["/bin/bash", "-c", "exec /bin/sleep 1 >/dev/null 2>&1"] }
+
+    it 'should not take significant user time' do
+      exec = described_class.new :command => command, :path => ENV['PATH']
+      catalog.add_resource exec
+      timed_apply = Benchmark.measure { catalog.apply }
+      # In testing I found the user time before the patch in 4f35fd262e to be above
+      # 0.3, after the patch it was consistently below 0.1 seconds.
+      expect(timed_apply.utime).to be < 0.3
+    end
+  end
+
   context 'when command is a string' do
     let(:command) { "ruby -e 'File.open(\"#{path}\", \"w\") { |f| f.print \"foo\" }'" }
 

data/spec/unit/application/ssl_spec.rb

@@ -171,6 +171,50 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     end
   end
 
+  context 'when generating a CSR' do
+    let(:csr_path) { Puppet[:hostcsr] }
+    let(:requestdir) { Puppet[:requestdir] }
+
+    before do
+      ssl.command_line.args << 'generate_request'
+    end
+
+    it 'generates an RSA private key' do
+      File.unlink(Puppet[:hostprivkey])
+
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+    end
+
+    it 'generates an EC private key' do
+      Puppet[:key_type] = 'ec'
+      File.unlink(Puppet[:hostprivkey])
+
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+    end
+
+    it 'registers OIDs' do
+      expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
+
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+    end
+
+    it 'saves the CSR locally' do
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+
+      expect(Puppet::FileSystem).to be_exist(csr_path)
+    end
+
+    it 'accepts dns alt names' do
+      Puppet[:dns_alt_names] = 'majortom'
+
+      expects_command_to_pass
+
+      csr = Puppet::SSL::CertificateRequest.new(name)
+      csr.read(csr_path)
+      expect(csr.subject_alt_names).to include('DNS:majortom')
+    end
+  end
+
   context 'when downloading a certificate' do
     before do
       ssl.command_line.args << 'download_cert'
@@ -347,6 +391,11 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       expects_command_to_fail(%r{Failed to connect to the CA to determine if certificate #{name} has been cleaned})
     end
 
+    it 'raises if we have extra args' do
+      ssl.command_line.args << 'hostname.example.biz'
+      expects_command_to_fail(/Extra arguments detected: hostname.example.biz/)
+    end
+
     context 'when deleting local CA' do
       before do
         ssl.command_line.args << '--localca'

data/spec/unit/file_system/path_pattern_spec.rb

@@ -1,6 +1,7 @@
 require 'spec_helper'
 require 'puppet_spec/files'
 require 'puppet/file_system'
+require 'puppet/util'
 
 describe Puppet::FileSystem::PathPattern do
   include PuppetSpec::Files
@@ -132,6 +133,20 @@ describe Puppet::FileSystem::PathPattern do
                                          File.join(dir, "found_two")])
   end
 
+  it 'globs wildcard patterns properly' do
+    # See PUP-11788 and https://github.com/jruby/jruby/issues/7836.
+    pending 'JRuby does not properly handle Dir.glob' if Puppet::Util::Platform.jruby?
+
+    dir = tmpdir('globtest')
+    create_file_in(dir, 'foo.pp')
+    create_file_in(dir, 'foo.pp.pp')
+
+    pattern = Puppet::FileSystem::PathPattern.absolute(File.join(dir, '**/*.pp'))
+
+    expect(pattern.glob).to match_array([File.join(dir, 'foo.pp'),
+                                         File.join(dir, 'foo.pp.pp')])
+  end
+
   def create_file_in(dir, name)
     File.open(File.join(dir, name), "w") { |f| f.puts "data" }
   end

data/spec/unit/functions/split_spec.rb

@@ -50,4 +50,10 @@ describe 'the split function' do
   it 'should handle pattern in Regexp Type form with missing regular expression' do
     expect(split('ab',type_parser.parse('Regexp'))).to eql(['a', 'b'])
   end
+
+  it 'should handle sensitive String' do
+    expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), ',')).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+    expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), /,/)).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+    expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), type_parser.parse('Regexp[/,/]'))).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+  end
 end

data/spec/unit/ssl/certificate_signer_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe Puppet::SSL::CertificateSigner do
+  include PuppetSpec::Files
+
+  let(:wrong_key) { OpenSSL::PKey::RSA.new(512) }
+  let(:client_cert) { cert_fixture('signed.pem') }
+
+  # jruby-openssl >= 0.13.0 (JRuby >= 9.3.5.0) raises an error when signing a
+  # certificate when there is a discrepancy between the certificate and key.
+  it 'raises if client cert signature is invalid', if: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
+    expect {
+      client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
+    }.to raise_error(OpenSSL::X509::CertificateError,
+                     'invalid public key data')
+  end
+end

data/spec/unit/ssl/ssl_provider_spec.rb

@@ -298,7 +298,7 @@ describe Puppet::SSL::SSLProvider do
       ).to eq(['CN=signed', 'CN=Test CA Subauthority', 'CN=Test CA'])
     end
 
-    it 'raises if client cert signature is invalid' do
+    it 'raises if client cert signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
       client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
       expect {
         subject.create_context(**config.merge(client_cert: client_cert))
@@ -337,7 +337,7 @@ describe Puppet::SSL::SSLProvider do
       end
     end
 
-    it 'raises if intermediate CA signature is invalid' do
+    it 'raises if intermediate CA signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
       int = global_cacerts.last
       int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
 

data/spec/unit/util/execution_spec.rb

@@ -29,6 +29,7 @@ describe Puppet::Util::Execution, if: !Puppet::Util::Platform.jruby? do
         allow(FFI::WIN32).to receive(:CloseHandle).with(thread_handle)
       else
         allow(Process).to receive(:waitpid2).with(pid, Process::WNOHANG).and_return(nil, [pid, double('child_status', :exitstatus => exitstatus)])
+        allow(Process).to receive(:waitpid2).with(pid, 0).and_return(nil, [pid, double('child_status', :exitstatus => exitstatus)])
         allow(Process).to receive(:waitpid2).with(pid).and_return([pid, double('child_status', :exitstatus => exitstatus)])
       end
     end

data/spec/unit/util/windows/adsi_spec.rb

@@ -95,6 +95,31 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
     end
   end
 
+  describe '.get_sids' do
+    it 'returns an array of SIDs given two an array of ADSI children' do
+      child1 = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      child2 = double('child2', name: 'Guest', sid: 'S-1-5-21-3882680660-671291151-3888264257-501')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child1).and_return('Administrator')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child2).and_return('Guest')
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child1, child2])
+      expect(sids).to eq(['Administrator', 'Guest'])
+    end
+
+    it 'returns an array of SIDs given an ADSI child and ads_to_principal returning domain failure' do
+      child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE))
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
+      expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
+    end
+
+    it 'returns an array of SIDs given an ADSI child and ads_to_principal returning relationship failure' do
+      child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE))
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
+      expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
+    end
+  end
+
   describe Puppet::Util::Windows::ADSI::User do
     let(:username)  { 'testuser' }
     let(:domain)    { 'DOMAIN' }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet
 version: !ruby/object:Gem::Version
-  version: 7.26.0
+  version: 7.27.0
 platform: ruby
 authors:
 - Puppet Labs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-08-21 00:00:00.000000000 Z
+date: 2023-10-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -2379,6 +2379,7 @@ files:
 - spec/unit/ssl/base_spec.rb
 - spec/unit/ssl/certificate_request_attributes_spec.rb
 - spec/unit/ssl/certificate_request_spec.rb
+- spec/unit/ssl/certificate_signer_spec.rb
 - spec/unit/ssl/certificate_spec.rb
 - spec/unit/ssl/digest_spec.rb
 - spec/unit/ssl/oids_spec.rb
@@ -2541,7 +2542,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubygems_version: 3.4.12
+rubygems_version: 3.4.20
 signing_key: 
 specification_version: 4
 summary: Puppet, an automated configuration management tool
@@ -3642,6 +3643,7 @@ test_files:
 - spec/unit/ssl/base_spec.rb
 - spec/unit/ssl/certificate_request_attributes_spec.rb
 - spec/unit/ssl/certificate_request_spec.rb
+- spec/unit/ssl/certificate_signer_spec.rb
 - spec/unit/ssl/certificate_spec.rb
 - spec/unit/ssl/digest_spec.rb
 - spec/unit/ssl/oids_spec.rb