puppet 7.9.0 → 7.10.0

data/lib/puppet/environments.rb

@@ -48,6 +48,13 @@ module Puppet::Environments
         root.instance_variable_set(:@rich_data, nil)
       end
     end
+
+    # The base implementation is a noop, because `get` returns a new environment
+    # each time.
+    #
+    # @see Puppet::Environments::Cached#guard
+    def guard(name); end
+    def unguard(name); end
   end
 
   # @!macro [new] loader_search_paths
@@ -188,7 +195,7 @@ module Puppet::Environments
 
     def self.real_path(dir)
       if Puppet::FileSystem.symlink?(dir) && Puppet[:versioned_environment_dirs]
-        dir = Puppet::FileSystem.expand_path(Puppet::FileSystem.readlink(dir))
+        dir = Pathname.new Puppet::FileSystem.expand_path(Puppet::FileSystem.readlink(dir))
       end
       return dir
     end
@@ -241,7 +248,7 @@ module Puppet::Environments
 
     def validated_directory(envdir)
       env_name = Puppet::FileSystem.basename_string(envdir)
-      envdir = Puppet::Environments::Directories.real_path(envdir)
+      envdir = Puppet::Environments::Directories.real_path(envdir).to_s
       if Puppet::FileSystem.directory?(envdir) && Puppet::Node::Environment.valid_name?(env_name)
         envdir
       else
@@ -330,21 +337,13 @@ module Puppet::Environments
     end
 
     def self.cache_expiration_service=(service)
-      @cache_expiration_service = service
+      @cache_expiration_service_singleton = service
     end
 
     def self.cache_expiration_service
-      @cache_expiration_service || DefaultCacheExpirationService.new
+      @cache_expiration_service_singleton || DefaultCacheExpirationService.new
     end
 
-    # Returns the end of time (the next Mesoamerican Long Count cycle-end after 2012 (5125+2012) = 7137
-    def self.end_of_time
-      Time.gm(7137)
-    end
-
-    END_OF_TIME = end_of_time
-    START_OF_TIME = Time.gm(1)
-
     def initialize(loader)
       @loader = loader
       @cache_expiration_service = Puppet::Environments::Cached.cache_expiration_service
@@ -356,7 +355,7 @@ module Puppet::Environments
       # Evict all that have expired, in the same way as `get`
       clear_all_expired
 
-      # Evict all that was removed from diks
+      # Evict all that was removed from disk
       cached_envs = @cache.keys.map!(&:to_sym)
       loader_envs = @loader.list.map!(&:name)
       removed_envs = cached_envs - loader_envs
@@ -385,27 +384,35 @@ module Puppet::Environments
 
     # @!macro loader_get
     def get(name)
+      entry = get_entry(name)
+      entry ? entry.value : nil
+    end
+
+    # Get a cache entry for an envionment. It returns nil if the
+    # environment doesn't exist.
+    def get_entry(name, check_expired = true)
       # Aggressively evict all that has expired
       # This strategy favors smaller memory footprint over environment
       # retrieval time.
-      clear_all_expired
-      result = @cache[name]
-      if result
-        Puppet.debug {"Found in cache '#{name}' #{result.label}"}
+      clear_all_expired if check_expired
+      name = name.to_sym
+      entry = @cache[name]
+      if entry
+        Puppet.debug {"Found in cache #{name.inspect} #{entry.label}"}
         # found in cache
-        result.touch
-        return result.value
-      elsif (result = @loader.get(name))
+        entry.touch
+      elsif (env = @loader.get(name))
         # environment loaded, cache it
-        cache_entry = entry(result)
-        add_entry(name, cache_entry)
-        result
+        entry = entry(env)
+        add_entry(name, entry)
       end
+      entry
     end
+    private :get_entry
 
     # Adds a cache entry to the cache
     def add_entry(name, cache_entry)
-      Puppet.debug {"Caching environment '#{name}' #{cache_entry.label}"}
+      Puppet.debug {"Caching environment #{name.inspect} #{cache_entry.label}"}
       @cache[name] = cache_entry
       @cache_expiration_service.created(cache_entry.value)
     end
@@ -413,7 +420,7 @@ module Puppet::Environments
 
     def clear_entry(name, entry)
       @cache.delete(name)
-      Puppet.debug {"Evicting cache entry for environment '#{name}'"}
+      Puppet.debug {"Evicting cache entry for environment #{name.inspect}"}
       @cache_expiration_service.evicted(name.to_sym)
       Puppet::GettextConfig.delete_text_domain(name)
       Puppet.settings.clear_environment_settings(name)
@@ -423,6 +430,7 @@ module Puppet::Environments
     # Clears the cache of the environment with the given name.
     # (The intention is that this could be used from a MANUAL cache eviction command (TBD)
     def clear(name)
+      name = name.to_sym
       entry = @cache[name]
       clear_entry(name, entry) if entry
     end
@@ -443,19 +451,21 @@ module Puppet::Environments
     # Clears all environments that have expired, either by exceeding their time to live, or
     # through an explicit eviction determined by the cache expiration service.
     #
-    def clear_all_expired()
+    def clear_all_expired
       t = Time.now
 
       @cache.each_pair do |name, entry|
         clear_if_expired(name, entry, t)
       end
     end
+    private :clear_all_expired
 
     # Clear an environment if it is expired, either by exceeding its time to live, or
     # through an explicit eviction determined by the cache expiration service.
     #
     def clear_if_expired(name, entry, t = Time.now)
       return unless entry
+      return if entry.guarded?
 
       if entry.expired?(t) || @cache_expiration_service.expired?(name.to_sym)
         clear_entry(name, entry)
@@ -472,10 +482,25 @@ module Puppet::Environments
     #
     # @!macro loader_get_conf
     def get_conf(name)
+      name = name.to_sym
       clear_if_expired(name, @cache[name])
       @loader.get_conf(name)
     end
 
+    # Guard an environment so it can't be evicted while it's in use. The method
+    # may be called multiple times, provided it is unguarded the same number of
+    # times. If you call this method, you must call `unguard` in an ensure block.
+    def guard(name)
+      entry = get_entry(name, false)
+      entry.guard if entry
+    end
+
+    # Unguard an environment.
+    def unguard(name)
+      entry = get_entry(name, false)
+      entry.unguard if entry
+    end
+
     # Creates a suitable cache entry given the time to live for one environment
     #
     def entry(env)
@@ -501,6 +526,7 @@ module Puppet::Environments
 
       def initialize(value)
         @value = value
+        @guards = 0
       end
 
       def touch
@@ -513,6 +539,20 @@ module Puppet::Environments
       def label
         ""
       end
+
+      # These are not protected with a lock, because all of the Cached
+      # methods are protected.
+      def guarded?
+        @guards > 0
+      end
+
+      def guard
+        @guards += 1
+      end
+
+      def unguard
+        @guards -= 1
+      end
     end
 
     # Always evicting entry

data/lib/puppet/file_serving/configuration.rb

@@ -6,6 +6,7 @@ require_relative '../../puppet/file_serving/mount/modules'
 require_relative '../../puppet/file_serving/mount/plugins'
 require_relative '../../puppet/file_serving/mount/locales'
 require_relative '../../puppet/file_serving/mount/pluginfacts'
+require_relative '../../puppet/file_serving/mount/scripts'
 require_relative '../../puppet/file_serving/mount/tasks'
 
 class Puppet::FileServing::Configuration
@@ -83,6 +84,7 @@ class Puppet::FileServing::Configuration
     @mounts["plugins"] ||= Mount::Plugins.new("plugins")
     @mounts["locales"] ||= Mount::Locales.new("locales")
     @mounts["pluginfacts"] ||= Mount::PluginFacts.new("pluginfacts")
+    @mounts["scripts"] ||= Mount::Scripts.new("scripts")
     @mounts["tasks"] ||= Mount::Tasks.new("tasks")
   end
 

data/lib/puppet/file_serving/configuration/parser.rb

@@ -78,6 +78,8 @@ class Puppet::FileServing::Configuration::Parser
       mount = Mount::Modules.new(name)
     when "plugins"
       mount = Mount::Plugins.new(name)
+    when "scripts"
+      mount = Mount::Scripts.new(name)
     when "tasks"
       mount = Mount::Tasks.new(name)
     when "locales"

data/lib/puppet/file_serving/mount/scripts.rb

@@ -0,0 +1,24 @@
+require 'puppet/file_serving/mount'
+
+class Puppet::FileServing::Mount::Scripts < Puppet::FileServing::Mount
+  # Return an instance of the appropriate class.
+  def find(path, request)
+    raise _("No module specified") if path.to_s.empty?
+    module_name, relative_path = path.split("/", 2)
+    mod = request.environment.module(module_name)
+    return nil unless mod
+
+    mod.script(relative_path)
+  end
+
+  def search(path, request)
+    result = find(path, request)
+    if result
+      [result]
+    end
+  end
+
+  def valid?
+    true
+  end
+end

data/lib/puppet/functions/find_template.rb

@@ -2,11 +2,11 @@
 #
 # This function accepts an argument that is a String as a `<MODULE NAME>/<TEMPLATE>`
 # reference, which searches for `<TEMPLATE>` relative to a module's `templates`
-# directory on the master. (For example, the reference `mymod/secret.conf.epp`
+# directory on the primary server. (For example, the reference `mymod/secret.conf.epp`
 # will search for the file `<MODULES DIRECTORY>/mymod/templates/secret.conf.epp`.)
 #
 # The primary use case is for agent-side template rendering with late-bound variables
-# resolved, such as from secret stores inaccessible to the master, such as
+# resolved, such as from secret stores inaccessible to the primary server, such as
 #
 # ```
 # $variables = {

data/lib/puppet/http/service/compiler.rb

@@ -60,6 +60,10 @@ class Puppet::HTTP::Service::Compiler < Puppet::HTTP::Service
   # @param [String] environment The name of the environment we are operating in
   # @param [String] configured_environment Optional, the name of the configured
   #   environment. If unset, `environment` is used.
+  # @param [Boolean] check_environment If true, request that the server check if
+  #   our `environment` matches the server-specified environment. If they do not
+  #   match, then the server may return an empty catalog in the server-specified
+  #   environment.
   # @param [String] transaction_uuid An agent generated transaction uuid, used
   #   for connecting catalogs and reports.
   # @param [String] job_uuid A unique job identifier defined when the orchestrator
@@ -75,7 +79,7 @@ class Puppet::HTTP::Service::Compiler < Puppet::HTTP::Service
   #   the server
   #
   # @api public
-  def post_catalog(name, facts:, environment:, configured_environment: nil, transaction_uuid: nil, job_uuid: nil, static_catalog: true, checksum_type: Puppet[:supported_checksum_types])
+  def post_catalog(name, facts:, environment:, configured_environment: nil, check_environment: false, transaction_uuid: nil, job_uuid: nil, static_catalog: true, checksum_type: Puppet[:supported_checksum_types])
     if Puppet[:preferred_serialization_format] == "pson"
       formatter = Puppet::Network::FormatHandler.format_for(:pson)
       # must use 'pson' instead of 'text/pson'
@@ -93,6 +97,7 @@ class Puppet::HTTP::Service::Compiler < Puppet::HTTP::Service
       facts: Puppet::Util.uri_query_encode(facts_as_string),
       environment: environment,
       configured_environment: configured_environment || environment,
+      check_environment: !!check_environment,
       transaction_uuid: transaction_uuid,
       job_uuid: job_uuid,
       static_catalog: static_catalog,

data/lib/puppet/indirector/catalog/compiler.rb

@@ -53,8 +53,22 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
     node.trusted_data = Puppet.lookup(:trusted_information) { Puppet::Context::TrustedInformation.local(node) }.to_h
 
     if node.environment
+      # If the requested environment doesn't match the server specified environment,
+      # as determined by the node terminus, and the request wants us to check for an
+      # environment mismatch, then return an empty catalog with the server-specified
+      # enviroment.
+      if request.remote? && request.options[:check_environment] && node.environment != request.environment
+        return Puppet::Resource::Catalog.new(node.name, node.environment)
+      end
+
       node.environment.with_text_domain do
-        compile(node, request.options)
+        envs = Puppet.lookup(:environments)
+        envs.guard(node.environment.name)
+        begin
+          compile(node, request.options)
+        ensure
+          envs.unguard(node.environment.name)
+        end
       end
     else
       compile(node, request.options)
@@ -78,6 +92,10 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
     Puppet.run_mode.server?
   end
 
+  def require_environment?
+    false
+  end
+
   private
 
   # @param facts [String] facts in a wire format for decoding
@@ -154,7 +172,7 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
     location = Puppet::Module::FILETYPES['files']
 
     !!(source_as_uri.path =~ /^\/modules\// &&
-       metadata.full_path =~ /#{environment_path}[^\/]+\/[^\/]+\/#{location}\/.+/)
+       metadata.full_path =~ /#{environment_path}\/[^\/]+\/[^\/]+\/#{location}\/.+/)
   end
 
   # Helper method to log file resources that could not be inlined because they
@@ -173,7 +191,7 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
   # Inline file metadata for static catalogs
   # Initially restricted to files sourced from codedir via puppet:/// uri.
   def inline_metadata(catalog, checksum_type)
-    environment_path = Pathname.new File.join(Puppet[:environmentpath], catalog.environment, "")
+    environment_path = Pathname.new File.join(Puppet[:environmentpath], catalog.environment)
     environment_path = Puppet::Environments::Directories.real_path(environment_path)
     list_of_resources = catalog.resources.find_all { |res| res.type == "File" }
 

data/lib/puppet/indirector/catalog/rest.rb

@@ -18,6 +18,7 @@ class Puppet::Resource::Catalog::Rest < Puppet::Indirector::REST
       facts: request.options[:facts_for_catalog],
       environment: request.environment.to_s,
       configured_environment: request.options[:configured_environment],
+      check_environment: request.options[:check_environment],
       transaction_uuid: request.options[:transaction_uuid],
       job_uuid: request.options[:job_id],
       static_catalog: request.options[:static_catalog],

data/lib/puppet/indirector/terminus.rb

@@ -143,6 +143,10 @@ class Puppet::Indirector::Terminus
     self.class.name
   end
 
+  def require_environment?
+    true
+  end
+
   def allow_remote_requests?
     true
   end

data/lib/puppet/module/plan.rb

@@ -50,7 +50,6 @@ class Puppet::Module
     RESERVED_DATA_TYPES = %w{any array boolean catalogentry class collection
         callable data default enum float hash integer numeric optional pattern
         resource runtime scalar string struct tuple type undef variant}
-    MOUNTS = %w[lib files plans]
 
     def self.is_plan_name?(name)
       return true if name =~ /^[a-z][a-z0-9_]*$/

data/lib/puppet/module/task.rb

@@ -45,7 +45,7 @@ class Puppet::Module
     end
 
     FORBIDDEN_EXTENSIONS = %w{.conf .md}
-    MOUNTS = %w[lib files tasks]
+    MOUNTS = %w[files lib scripts tasks]
 
     def self.is_task_name?(name)
       return true if name =~ /^[a-z][a-z0-9_]*$/

data/lib/puppet/module_tool/applications/installer.rb

@@ -138,7 +138,7 @@ module Puppet::ModuleTool
           rescue SemanticPuppet::Dependency::UnsatisfiableGraph => e
             unsatisfied = nil
 
-            if e.respond_to?(:unsatisfied)
+            if e.respond_to?(:unsatisfied) && e.unsatisfied
               constraints = {}
               # If the module we're installing satisfies all its
               # dependencies, but would break an already installed
@@ -164,8 +164,12 @@ module Puppet::ModuleTool
               # If the module fails to satisfy one of its
               # dependencies, show the unsatisfiable module
               else
-                unsatisfied_range = graph.dependencies[name].max.constraints[e.unsatisfied].first[1]
-                constraints[e.unsatisfied] = unsatisfied_range
+                dep_constraints = graph.dependencies[name].max.constraints
+
+                if dep_constraints.key?(e.unsatisfied)
+                  unsatisfied_range = dep_constraints[e.unsatisfied].first[1]
+                  constraints[e.unsatisfied] = unsatisfied_range
+                end
               end
 
               installed_module = @environment.module_by_forge_name(e.unsatisfied.tr('-', '/'))
@@ -175,7 +179,7 @@ module Puppet::ModuleTool
                 :name => e.unsatisfied,
                 :constraints => constraints,
                 :current_version => current_version
-              }
+              } if constraints.any?
             end
 
             raise NoVersionsSatisfyError, results.merge(

data/lib/puppet/network/http/api/indirected_routes.rb

@@ -98,7 +98,7 @@ class Puppet::Network::HTTP::API::IndirectedRoutes
       params[:environment] = configured_environment
     end
 
-    if configured_environment.nil?
+    if configured_environment.nil? && indirection.terminus.require_environment?
       raise Puppet::Network::HTTP::Error::HTTPNotFoundError.new(
         _("Could not find environment '%{environment}'") % { environment: environment })
     end

data/lib/puppet/node/environment.rb

@@ -312,7 +312,9 @@ class Puppet::Node::Environment
                        {}
                      end
       modulepath.each do |path|
-        Dir.entries(path).each do |name|
+        Puppet::FileSystem.children(path).map do |p|
+          Puppet::FileSystem.basename_string(p)
+        end.each do |name|
           next unless Puppet::Module.is_module_directory?(name, path)
           warn_about_mistaken_path(path, name)
           if not seen_modules[name]
@@ -357,9 +359,6 @@ class Puppet::Node::Environment
 
   # Modules broken out by directory in the modulepath
   #
-  # @note This method _changes_ the current working directory while enumerating
-  #   the modules. This seems rather dangerous.
-  #
   # @api public
   #
   # @return [Hash<String, Array<Puppet::Module>>] A hash whose keys are file
@@ -368,13 +367,13 @@ class Puppet::Node::Environment
     modules_by_path = {}
     modulepath.each do |path|
       if Puppet::FileSystem.exist?(path)
-        Dir.chdir(path) do
-          module_names = Dir.entries(path).select do |name|
-            Puppet::Module.is_module_directory?(name, path)
-          end
-          modules_by_path[path] = module_names.sort.map do |name|
-            Puppet::Module.new(name, File.join(path, name), self)
-          end
+        module_names = Puppet::FileSystem.children(path).map do |p|
+          Puppet::FileSystem.basename_string(p)
+        end.select do |name|
+          Puppet::Module.is_module_directory?(name, path)
+        end
+        modules_by_path[path] = module_names.sort.map do |name|
+          Puppet::Module.new(name, File.join(path, name), self)
         end
       else
         modules_by_path[path] = []