puppet 7.4.1-universal-darwin → 7.5.0-universal-darwin

data/lib/puppet/pops/parser/lexer2.rb

@@ -134,10 +134,6 @@ class Lexer2
     'type'     => [:TYPE,     'type',     4],
     'attr'     => [:ATTR,     'attr',     4],
     'private'  => [:PRIVATE,  'private',  7],
-    'application' => [:APPLICATION, 'application',  11], # reserved
-    'consumes'    => [:CONSUMES,    'consumes',  8], # reserved
-    'produces'    => [:PRODUCES,    'produces',  8], # reserved
-    'site'        => [:SITE,        'site',  4], # reserved
   }
 
   KEYWORDS.each {|k,v| v[1].freeze; v.freeze }

data/lib/puppet/pops/validation/checker4_0.rb

@@ -236,7 +236,6 @@ class Checker4_0 < Evaluator::LiteralEvaluator
     case p
     when Model::AbstractResource
     when Model::CollectExpression
-      acceptor.accept(Issues::UNSUPPORTED_OPERATOR_IN_CONTEXT, p, :operator=>'* =>')
     else
       # protect against just testing a snippet that has no parent, error message will be a bit strange
       # but it is not for a real program.

data/lib/puppet/settings/environment_conf.rb

@@ -29,6 +29,7 @@ class Puppet::Settings::EnvironmentConf
       section = config.sections[:main]
     rescue Errno::ENOENT
       # environment.conf is an optional file
+      Puppet.debug { "Path to #{path_to_env} does not exist, using default environment.conf" }
     end
 
     new(path_to_env, section, global_module_path)

data/lib/puppet/util/monkey_patches.rb

@@ -32,6 +32,13 @@ end
 # (#19151) Reject all SSLv2 ciphers and handshakes
 require 'puppet/ssl/openssl_loader'
 unless Puppet::Util::Platform.jruby_fips?
+  unless defined?(OpenSSL::SSL::TLS1_VERSION)
+    module OpenSSL::SSL
+      # see https://github.com/ruby/ruby/commit/609103dbb5fb182eec12f052226c43e39b907682#diff-09f822c26289f5347111795ca22ed7ed1cfadd6ebd28f987991d1d414eef565aR2755-R2759
+      OpenSSL::SSL::TLS1_VERSION = 0x301
+    end
+  end
+
   class OpenSSL::SSL::SSLContext
     if DEFAULT_PARAMS[:options]
       DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3

data/lib/puppet/util/windows/adsi.rb

@@ -504,6 +504,43 @@ module Puppet::Util::Windows::ADSI
       user_name
     end
 
+    # https://docs.microsoft.com/en-us/windows/win32/api/secext/ne-secext-extended_name_format
+    NameUnknown           = 0
+    NameFullyQualifiedDN  = 1
+    NameSamCompatible     = 2
+    NameDisplay           = 3
+    NameUniqueId          = 6
+    NameCanonical         = 7
+    NameUserPrincipal     = 8
+    NameCanonicalEx       = 9
+    NameServicePrincipal  = 10
+    NameDnsDomain         = 12
+    NameGivenName         = 13
+    NameSurname           = 14
+
+    def self.current_user_name_with_format(format)
+      user_name = ''
+      max_length = 1024
+
+      FFI::MemoryPointer.new(:lpwstr, max_length * 2 + 1) do |buffer|
+        FFI::MemoryPointer.new(:dword, 1) do |buffer_size|
+          buffer_size.write_dword(max_length + 1)
+
+          if GetUserNameExW(format.to_i, buffer, buffer_size) == FFI::WIN32_FALSE
+            raise Puppet::Util::Windows::Error.new(_("Failed to get user name"), FFI.errno)
+          end
+
+          user_name = buffer.read_wide_string(buffer_size.read_dword).chomp
+        end
+      end
+
+      user_name
+    end
+
+    def self.current_sam_compatible_user_name
+      current_user_name_with_format(NameSamCompatible)
+    end
+
     def self.current_user_sid
       Puppet::Util::Windows::SID.name_to_principal(current_user_name)
     end
@@ -518,6 +555,15 @@ module Puppet::Util::Windows::ADSI
     ffi_lib :advapi32
     attach_function_private :GetUserNameW,
       [:lpwstr, :lpdword], :win32_bool
+
+    # https://docs.microsoft.com/en-us/windows/win32/api/secext/nf-secext-getusernameexa
+    # BOOLEAN SEC_ENTRY GetUserNameExA(
+    #   EXTENDED_NAME_FORMAT NameFormat,
+    #   LPSTR                lpNameBuffer,
+    #   PULONG               nSize
+    # );type
+    ffi_lib :secur32
+    attach_function_private :GetUserNameExW, [:uint16, :lpwstr, :pointer], :win32_bool
   end
 
   class UserProfile

data/lib/puppet/util/windows/principal.rb

@@ -44,7 +44,8 @@ module Puppet::Util::Windows::SID
     ERROR_INVALID_PARAMETER   = 87
     ERROR_INSUFFICIENT_BUFFER = 122
 
-    def self.lookup_account_name(system_name = nil, account_name)
+    def self.lookup_account_name(system_name = nil, sanitize = true, account_name)
+      account_name = sanitize_account_name(account_name) if sanitize
       system_name_ptr = FFI::Pointer::NULL
       begin
         if system_name
@@ -146,6 +147,13 @@ module Puppet::Util::Windows::SID
       end
     end
 
+    # Sanitize the given account name for lookup to avoid known issues
+    def self.sanitize_account_name(account_name)
+      return account_name unless account_name.start_with?('APPLICATION PACKAGE AUTHORITY\\')
+      account_name.split('\\').last
+    end
+    private_class_method :sanitize_account_name
+
     ffi_convention :stdcall
 
     # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379601(v=vs.85).aspx
@@ -191,4 +199,3 @@ module Puppet::Util::Windows::SID
       [:lpcwstr, :pointer, :lpwstr, :lpdword, :lpwstr, :lpdword, :pointer], :win32_bool
   end
 end
-

data/lib/puppet/util/windows/sid.rb

@@ -74,11 +74,13 @@ module Puppet::Util::Windows
         string_to_sid_ptr(name) do |sid_ptr|
           raw_sid_bytes = sid_ptr.read_array_of_uchar(get_length_sid(sid_ptr))
         end
-      rescue
+      rescue => e
+        Puppet.debug("Could not retrieve raw SID bytes from '#{name}': #{e.message}")
       end
 
       raw_sid_bytes ? Principal.lookup_account_sid(raw_sid_bytes) : Principal.lookup_account_name(name)
-    rescue
+    rescue => e
+      Puppet.debug("#{e.message}")
       (allow_unresolved && raw_sid_bytes) ? unresolved_principal(name, raw_sid_bytes) : nil
     end
     module_function :name_to_principal

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '7.4.1'
+  PUPPETVERSION = '7.5.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/man/man5/puppet.conf.5

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPETCONF" "5" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPETCONF" "5" "March 2021" "Puppet, Inc." "Puppet manual"
 \fBThis page is autogenerated; any changes will get overwritten\fR
 .
 .SH "Configuration settings"
@@ -288,6 +288,14 @@ Defaults to the node\'s fully qualified domain name\.
 .
 .IP "" 0
 .
+.SS "ciphers"
+The list of ciphersuites for TLS connections initiated by puppet\. The default value is chosen to support TLS 1\.0 and up, but can be made more restrictive if needed\. The ciphersuites must be specified in OpenSSL format, not IANA\.
+.
+.IP "\(bu" 4
+\fIDefault\fR: ECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384:DHE\-RSA\-CHACHA20\-POLY1305:ECDHE\-ECDSA\-AES128\-SHA256:ECDHE\-RSA\-AES128\-SHA256:ECDHE\-ECDSA\-AES128\-SHA:ECDHE\-RSA\-AES128\-SHA:ECDHE\-ECDSA\-AES256\-SHA384:ECDHE\-RSA\-AES256\-SHA384:ECDHE\-ECDSA\-AES256\-SHA:ECDHE\-RSA\-AES256\-SHA:DHE\-RSA\-AES128\-SHA256:DHE\-RSA\-AES256\-SHA256:AES128\-GCM\-SHA256:AES256\-GCM\-SHA384:AES128\-SHA256:AES256\-SHA256
+.
+.IP "" 0
+.
 .SS "classfile"
 The file in which puppet agent stores a list of the classes associated with the retrieved configuration\. Can be loaded in the separate \fBpuppet\fR executable using the \fB\-\-loadclasses\fR option\.
 .
@@ -899,7 +907,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
 The HTTP User\-Agent string to send when making network requests\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: Puppet/7\.4\.0 Ruby/2\.5\.1\-p57 (x86_64\-linux)
+\fIDefault\fR: Puppet/7\.5\.0 Ruby/2\.5\.1\-p57 (x86_64\-linux)
 .
 .IP "" 0
 .

data/man/man8/puppet-agent.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-AGENT" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-AGENT" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-agent\fR \- The puppet agent daemon

data/man/man8/puppet-apply.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-APPLY" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-APPLY" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-apply\fR \- Apply Puppet manifests locally

data/man/man8/puppet-catalog.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-CATALOG" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-CATALOG" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-catalog\fR \- Compile, save, view, and convert catalogs\.

data/man/man8/puppet-config.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-CONFIG" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-CONFIG" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-config\fR \- Interact with Puppet\'s settings\.

data/man/man8/puppet-describe.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DESCRIBE" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DESCRIBE" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-describe\fR \- Display help about resource types

data/man/man8/puppet-device.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DEVICE" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DEVICE" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-device\fR \- Manage remote network devices

data/man/man8/puppet-doc.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DOC" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DOC" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-doc\fR \- Generate Puppet references

data/man/man8/puppet-epp.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-EPP" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-EPP" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-epp\fR \- Interact directly with the EPP template parser/renderer\.

data/man/man8/puppet-facts.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-FACTS" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-FACTS" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-facts\fR \- Retrieve and store facts\.

data/man/man8/puppet-filebucket.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-FILEBUCKET" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-FILEBUCKET" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-filebucket\fR \- Store and retrieve files in a filebucket

data/man/man8/puppet-generate.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-GENERATE" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-GENERATE" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-generate\fR \- Generates Puppet code from Ruby definitions\.

data/man/man8/puppet-help.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-HELP" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-HELP" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-help\fR \- Display Puppet help\.

data/man/man8/puppet-lookup.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-LOOKUP" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-LOOKUP" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-lookup\fR \- Interactive Hiera lookup

data/man/man8/puppet-module.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-MODULE" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-MODULE" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-module\fR \- Creates, installs and searches for modules on the Puppet Forge\.

data/man/man8/puppet-node.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-NODE" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-NODE" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-node\fR \- View and manage node definitions\.

data/man/man8/puppet-parser.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-PARSER" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-PARSER" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-parser\fR \- Interact directly with the parser\.

data/man/man8/puppet-plugin.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-PLUGIN" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-PLUGIN" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-plugin\fR \- Interact with the Puppet plugin system\.

data/man/man8/puppet-report.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-REPORT" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-REPORT" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-report\fR \- Create, display, and submit reports\.

data/man/man8/puppet-resource.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-RESOURCE" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-RESOURCE" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-resource\fR \- The resource abstraction layer shell

data/man/man8/puppet-script.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-SCRIPT" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-SCRIPT" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-script\fR \- Run a puppet manifests as a script without compiling a catalog

data/man/man8/puppet-ssl.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-SSL" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-SSL" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-ssl\fR \- Manage SSL keys and certificates for puppet SSL clients
@@ -52,4 +52,8 @@ Verify the private key and certificate are present and match, verify the certifi
 .TP
 clean
 Remove the private key and certificate related files for this host\. If \fB\-\-localca\fR is specified, then also remove this host\'s local copy of the CA certificate(s) and CRL bundle\. if \fB\-\-target CERTNAME\fR is specified, then remove the files for the specified device on this host instead of this host\.
+.
+.TP
+show
+Print the full\-text version of this host\'s certificate\.
 

data/man/man8/puppet.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET" "8" "February 2021" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET" "8" "March 2021" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\fR
@@ -25,4 +25,4 @@ Specialized:
 catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.4\.0
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.5\.0

data/spec/integration/application/plugin_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 require 'puppet/face'
 require 'puppet_spec/puppetserver'
 
-describe "puppet plugin" do
+describe "puppet plugin", unless: Puppet::Util::Platform.jruby? do
   include_context "https client"
 
   let(:server) { PuppetSpec::Puppetserver.new }

data/spec/integration/http/client_spec.rb

@@ -151,4 +151,16 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
       end
     end
   end
+
+  context 'ciphersuites' do
+    it "does not connect when using an SSLv3 ciphersuite" do
+      Puppet[:ciphers] = "DES-CBC3-SHA"
+
+      https_server.start_server do |port|
+        expect {
+          client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: root_context})
+        }.to raise_error(Puppet::HTTP::ConnectionError, /no cipher match|sslv3 alert handshake failure/)
+      end
+    end
+  end
 end