puppet 8.0.1-universal-darwin → 8.2.0-universal-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 545167c442d15f2c52faa2e1cc7248b2530205b053a0b25f5d165198f496a318
-  data.tar.gz: 11fc8d36afbc752431421b696c6fbcae16aa4f28ab064cf004336d4748f1d938
+  metadata.gz: a007559506837db8fff3be2557fe949b928b52c8d13e5d8e12957391263e4efe
+  data.tar.gz: ae6866634e1e346ef8a28a964cfa1552c02f8afe21ca4894682cc850656afb1c
 SHA512:
-  metadata.gz: da5d3000b9022268b25de9d3b87de65d26e5307b5206291ca68941868b8281890a6afafa1f4c30217fe68c1e3d1615b4e86d16ecff0d510082a59ab61615c329
-  data.tar.gz: 528c25dc7f81fc6603722b36f2c908a0687eb94ac59953e6a9c1b7e7846be375c90dff7cac3bff8f5e5d72e9cb5657f07a884dec443aa46b0a2d41ecd212d8e9
+  metadata.gz: 80c8d4b7774956f7fe5ba2a4aa0fcbffffab695d3517f91473bbde7cac509dc8b8f67317f499182cbd3f9b7d8f86d2f33de0363d936e74f012493f100dd0d199
+  data.tar.gz: d826de6788fbe4fb802c2ff1be076783669a6c257ba2332ceca5d3e2bae64a576a4a5f8bcccab1f23f983b5b0bd4b2624106de27e6f35199d2beff79e5c6e94d

data/CODEOWNERS

@@ -1,11 +1,11 @@
 # defaults
-* @puppetlabs/phoenix @puppetlabs/puppetserver-maintainers
+* @puppetlabs/phoenix
 
 # PAL
 /lib/puppet/pal @puppetlabs/bolt
 
 # puppet module
-/lib/puppet/application/module.rb @puppetlabs/pdk
-/lib/puppet/face/module @puppetlabs/pdk
-/lib/puppet/forge @puppetlabs/pdk
-/lib/puppet/module_tool @puppetlabs/pdk
+/lib/puppet/application/module.rb @puppetlabs/modules
+/lib/puppet/face/module @puppetlabs/modules
+/lib/puppet/forge @puppetlabs/modules
+/lib/puppet/module_tool @puppetlabs/modules

data/Gemfile.lock

@@ -1,9 +1,23 @@
+GIT
+  remote: https://github.com/puppetlabs/packaging
+  revision: affecba5dfacc5862fc7199895ccf11b69153570
+  branch: 1.0.x
+  specs:
+    packaging (0)
+      apt_stage_artifacts
+      artifactory (~> 3)
+      csv (>= 3.1.5)
+      google-cloud-storage
+      googleauth
+      rake (>= 12.3)
+      release-metrics
+
 PATH
   remote: .
   specs:
-    puppet (8.0.1)
+    puppet (8.2.0)
       CFPropertyList (~> 2.2)
-      concurrent-ruby (~> 1.0, < 1.2.0)
+      concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
       facter (>= 4.3.0, < 5)
       fast_gettext (>= 2.1, < 3)
@@ -14,47 +28,48 @@ PATH
       semantic_puppet (~> 1.0)
 
 GEM
-  remote: https://rubygems.org/
+  remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
   specs:
     CFPropertyList (2.3.6)
-    addressable (2.8.4)
+    addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
     apt_stage_artifacts (0.11.0)
       docopt
     artifactory (3.0.15)
     ast (2.4.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.2.2)
     crack (0.4.5)
       rexml
-    csv (3.2.6)
+    csv (3.2.7)
     declarative (0.0.20)
     deep_merge (1.2.2)
     diff-lcs (1.5.0)
-    digest-crc (0.6.4)
+    digest-crc (0.6.5)
       rake (>= 12.0.0, < 14.0.0)
     docopt (0.6.1)
     erubi (1.12.0)
-    facter (4.4.0)
+    facter (4.4.2)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
-    faraday (2.7.4)
+    faraday (2.7.10)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
     fast_gettext (2.3.0)
     ffi (1.15.5)
     forwardable (1.3.3)
-    gettext (3.4.3)
+    gettext (3.4.7)
       erubi
       locale (>= 2.0.5)
       prime
+      racc
       text (>= 1.3.0)
     gettext-setup (1.1.0)
       fast_gettext (~> 2.1)
       gettext (~> 3.4)
       locale
-    google-apis-core (0.11.0)
+    google-apis-core (0.11.1)
       addressable (~> 2.5, >= 2.5.1)
       googleauth (>= 0.16.2, < 2.a)
       httpclient (>= 2.8.1, < 3.a)
@@ -81,7 +96,7 @@ GEM
       google-cloud-core (~> 1.6)
       googleauth (>= 0.16.2, < 2.a)
       mini_mime (~> 1.0)
-    googleauth (1.5.2)
+    googleauth (1.7.0)
       faraday (>= 0.17.3, < 3.a)
       jwt (>= 1.4, < 3.0)
       memoist (~> 0.16)
@@ -89,7 +104,7 @@ GEM
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
     hashdiff (1.0.1)
-    hiera-eyaml (3.3.0)
+    hiera-eyaml (3.4.0)
       highline
       optimist
     highline (2.1.0)
@@ -98,46 +113,39 @@ GEM
     httpclient (2.8.3)
     json-schema (2.8.1)
       addressable (>= 2.4)
-    jwt (2.7.0)
+    jwt (2.7.1)
     locale (2.1.3)
     memoist (0.16.2)
     memory_profiler (1.0.1)
     method_source (1.0.0)
-    mini_mime (1.1.2)
+    mini_mime (1.1.5)
     minitar (0.9)
-    msgpack (1.7.0)
+    msgpack (1.7.2)
     multi_json (1.15.0)
     mustache (1.1.1)
-    optimist (3.0.1)
+    optimist (3.1.0)
     os (1.1.4)
-    packaging (0.109.7)
-      apt_stage_artifacts
-      artifactory (~> 3)
-      csv (>= 3.1.5)
-      google-cloud-storage
-      googleauth
-      rake (>= 12.3)
-      release-metrics
     parallel (1.23.0)
-    parser (3.2.2.1)
+    parser (3.2.2.3)
       ast (~> 2.4.1)
+      racc
     prime (0.1.2)
       forwardable
       singleton
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.1)
-    puppet-resource_api (1.8.14)
+    public_suffix (5.0.3)
+    puppet-resource_api (1.9.0)
       hocon (>= 1.0)
-    puppetserver-ca (2.5.0)
+    puppetserver-ca (2.6.0)
       facter (>= 2.0.1, < 5)
     racc (1.5.2)
     rainbow (3.1.1)
     rake (13.0.6)
-    rdiscount (2.2.7)
+    rdiscount (2.2.7.1)
     rdoc (6.3.3)
-    regexp_parser (2.8.0)
+    regexp_parser (2.8.1)
     release-metrics (1.1.0)
       csv
       docopt
@@ -146,7 +154,7 @@ GEM
       trailblazer-option (>= 0.1.1, < 0.2.0)
       uber (< 0.2.0)
     retriable (3.1.2)
-    rexml (3.2.5)
+    rexml (3.2.6)
     ronn (0.7.3)
       hpricot (>= 0.8.2)
       mustache (>= 0.7.0)
@@ -163,10 +171,10 @@ GEM
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.12.5)
+    rspec-mocks (3.12.6)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-support (3.12.0)
+    rspec-support (3.12.1)
     rubocop (1.28.0)
       parallel (~> 1.10)
       parser (>= 3.1.0.0)
@@ -176,7 +184,7 @@ GEM
       rubocop-ast (>= 1.17.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.28.0)
+    rubocop-ast (1.29.0)
       parser (>= 3.2.1.0)
     rubocop-i18n (3.0.0)
       rubocop (~> 1.0)
@@ -192,11 +200,11 @@ GEM
       multi_json (~> 1.10)
     singleton (0.1.1)
     text (1.3.1)
-    thor (1.2.1)
+    thor (1.2.2)
     trailblazer-option (0.1.2)
     uber (0.1.0)
     unicode-display_width (2.4.2)
-    vcr (6.1.0)
+    vcr (6.2.0)
     webmock (3.18.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -218,7 +226,7 @@ DEPENDENCIES
   memory_profiler
   minitar (~> 0.9)
   msgpack (~> 1.2)
-  packaging (~> 0.99)
+  packaging!
   pry
   puppet!
   puppet-resource_api (~> 1.5)
@@ -240,4 +248,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.3.22
+   2.4.12

data/ext/project_data.yaml

@@ -24,7 +24,7 @@ gem_runtime_dependencies:
   locale: '~> 2.1'
   multi_json: '~> 1.13'
   puppet-resource_api: '~>1.5'
-  concurrent-ruby: ["~> 1.0", "< 1.2.0"]
+  concurrent-ruby: "~> 1.0"
   deep_merge: '~> 1.0'
   scanf: '~> 1.0'
 gem_rdoc_options:

data/lib/puppet/defaults.rb

@@ -4,11 +4,7 @@ require_relative '../puppet/util/platform'
 module Puppet
 
   def self.default_diffargs
-    if (Puppet.runtime[:facter].value(:kernel) == "AIX" && Puppet.runtime[:facter].value(:kernelmajversion) == "5300")
-      ""
-    else
-      "-u"
-    end
+    '-u'
   end
 
   def self.default_digest_algorithm
@@ -1212,6 +1208,24 @@ EOT
       :desc       => "The default TTL for new certificates.
       #{AS_DURATION}",
     },
+    :ca_refresh_interval => {
+      :default    => "1d",
+      :type       => :duration,
+      :desc       => "How often the Puppet agent refreshes its local CA certs. By
+         default the CA certs are refreshed once every 24 hours. If a different
+         duration is specified, then the agent will refresh its CA certs whenever
+         it next runs and the elapsed time since the certs were last refreshed
+         exceeds the duration.
+
+         In general, the duration should be greater than the `runinterval`.
+         Setting it to 0 or an equal or lesser value than `runinterval`,
+         will cause the CA certs to be refreshed on every run.
+
+         If the agent downloads new CA certs, the agent will use it for subsequent
+         network requests. If the refresh request fails or if the CA certs are
+         unchanged on the server, then the agent run will continue using the
+         local CA certs it already has. #{AS_DURATION}",
+    },
     :crl_refresh_interval => {
       :default    => "1d",
       :type       => :duration,
@@ -1222,14 +1236,30 @@ EOT
          exceeds the duration.
 
          In general, the duration should be greater than the `runinterval`.
-         Setting it to an equal or lesser value will cause the CRL to be
-         refreshed on every run.
+         Setting it to 0 or an equal or lesser value than `runinterval`,
+         will cause the CRL to be refreshed on every run.
 
          If the agent downloads a new CRL, the agent will use it for subsequent
          network requests. If the refresh request fails or if the CRL is
          unchanged on the server, then the agent run will continue using the
          local CRL it already has.#{AS_DURATION}",
     },
+    :hostcert_renewal_interval => {
+      :default => "30d",
+      :type    => :duration,
+      :desc    => "How often the Puppet agent refreshes its client certificate.
+         By default the client certificate is refreshed once every 30 days. If
+         a different duration is specified, then the agent will refresh its
+         client certificate whenever it next runs and the elapsed time since the
+         client certificate was last refreshed exceeds the duration.
+
+         In general, the duration should be greater than the `runinterval`.
+         Setting it to 0 will disable automatic renewal.
+
+         If the agent downloads a new certificate, the agent will use it for subsequent
+         network requests. If the refresh request fails, then the agent run will continue using the
+         certificate it already has. #{AS_DURATION}",
+    },
     :keylength => {
       :default    => 4096,
       :type       => :integer,

data/lib/puppet/http/client.rb

@@ -368,6 +368,7 @@ class Puppet::HTTP::Client
         apply_auth(request, basic_auth) if redirects.zero?
 
         # don't call return within the `request` block
+        close_and_sleep = nil
         http.request(request) do |nethttp|
           response = Puppet::HTTP::ResponseNetHTTP.new(request.uri, nethttp)
           begin
@@ -381,12 +382,14 @@ class Puppet::HTTP::Client
               interval = @retry_after_handler.retry_after_interval(request, response, retries)
               retries += 1
               if interval
-                if http.started?
-                  Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
-                  http.finish
+                close_and_sleep = proc do
+                  if http.started?
+                    Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
+                    http.finish
+                  end
+                  Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
+                  ::Kernel.sleep(interval)
                 end
-                Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
-                ::Kernel.sleep(interval)
                 next
               end
             end
@@ -405,6 +408,10 @@ class Puppet::HTTP::Client
 
           done = true
         end
+      ensure
+        # If a server responded with a retry, make sure the connection is closed and then
+        # sleep the specified time.
+        close_and_sleep.call if close_and_sleep
       end
     end
 

data/lib/puppet/http/service/ca.rb

@@ -28,16 +28,21 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
   # Submit a GET request to retrieve the named certificate from the server.
   #
   # @param [String] name name of the certificate to request
+  # @param [Time] if_modified_since If not nil, only download the cert if it has
+  #   been modified since the specified time.
   # @param [Puppet::SSL::SSLContext] ssl_context
   #
   # @return [Array<Puppet::HTTP::Response, String>] An array containing the
   #   request response and the stringified body of the request response
   #
   # @api public
-  def get_certificate(name, ssl_context: nil)
+  def get_certificate(name, if_modified_since: nil, ssl_context: nil)
+    headers = add_puppet_headers(HEADERS)
+    headers['If-Modified-Since'] = if_modified_since.httpdate if if_modified_since
+
     response = @client.get(
       with_base_url("/certificate/#{name}"),
-      headers: add_puppet_headers(HEADERS),
+      headers: headers,
       options: {ssl_context: ssl_context}
     )
 
@@ -99,4 +104,29 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
 
     response
   end
+
+  # Submit a POST request to send a certificate renewal request to the server
+  #
+  # @param [Puppet::SSL::SSLContext] ssl_context
+  #
+  # @return [Array<Puppet::HTTP::Response, String>] The request response
+  #
+  # @api public
+  def post_certificate_renewal(ssl_context)
+    headers = add_puppet_headers(HEADERS)
+    headers['Content-Type'] = 'text/plain'
+
+    response = @client.post(
+      with_base_url('/certificate_renewal'),
+      '', # Puppet::HTTP::Client.post requires a body, the API endpoint does not
+      headers: headers,
+      options: {ssl_context: ssl_context}
+    )
+
+    raise ArgumentError.new(_('SSL context must contain a client certificate.')) unless ssl_context.client_cert
+
+    process_response(response)
+
+    [response, response.body.to_s]
+  end
 end

data/lib/puppet/node/environment.rb

@@ -592,10 +592,12 @@ class Puppet::Node::Environment
       if file == NO_MANIFEST
         empty_parse_result
       elsif File.directory?(file)
-        parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*.pp')).glob.sort.map do | file_to_parse |
-          parser.file = file_to_parse
-          parser.parse
-          end
+        # JRuby does not properly perform Dir.glob operations with wildcards, (see PUP-11788 and https://github.com/jruby/jruby/issues/7836).
+        # We sort the results because Dir.glob order is inconsistent in Ruby < 3 (see PUP-10115).
+        parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select {|globbed_file| globbed_file.end_with?('.pp')}.sort.map do | file_to_parse |
+                          parser.file = file_to_parse
+                          parser.parse
+                        end
         # Use a parser type specific merger to concatenate the results
         Puppet::Parser::AST::Hostclass.new('', :code => Puppet::Parser::ParserFactory.code_merger.concatenate(parse_results))
       else

data/lib/puppet/pops/evaluator/deferred_resolver.rb

@@ -10,7 +10,13 @@ class DeferredValue
   end
 
   def resolve
-    @proc.call
+    val = @proc.call
+    # Deferred sensitive values will be marked as such in resolve_futures()
+    if val.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      val.unwrap
+    else
+      val
+    end
   end
 end
 
@@ -88,8 +94,12 @@ class DeferredResolver
         #
         if resolved.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
           resolved = resolved.unwrap
-          unless r.sensitive_parameters.include?(k.to_sym)
-            r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
+          mark_sensitive_parameters(r, k)
+        # If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
+        # The DeferredValue.resolve method will unwrap it during catalog application
+        elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)
+          if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)}
+            mark_sensitive_parameters(r, k)
           end
         end
         overrides[ k ] = resolved
@@ -98,6 +108,13 @@ class DeferredResolver
     end
   end
 
+  def mark_sensitive_parameters(r, k)
+    unless r.sensitive_parameters.include?(k.to_sym)
+      r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
+    end
+  end
+  private :mark_sensitive_parameters
+
   def resolve(x)
     if x.class == @deferred_class
       resolve_future(x)

data/lib/puppet/ssl/oids.rb

@@ -71,7 +71,9 @@ module Puppet::SSL::Oids
     ["1.3.6.1.4.1.34380.1.3", 'ppAuthCertExt', 'Puppet Certificate Authorization Extension'],
 
     ["1.3.6.1.4.1.34380.1.3.1",  'pp_authorization', 'Certificate Extension Authorization'],
+    ["1.3.6.1.4.1.34380.1.3.2", 'pp_auth_auto_renew', 'Auto-Renew Certificate Attribute'],
     ["1.3.6.1.4.1.34380.1.3.13", 'pp_auth_role', 'Puppet Node Role Name for Authorization'],
+    ["1.3.6.1.4.1.34380.1.3.39", 'pp_cli_auth', 'Puppetserver CA CLI Authorization'],
   ]
 
   @did_register_puppet_oids = false

data/lib/puppet/ssl/ssl_provider.rb

@@ -225,7 +225,7 @@ class Puppet::SSL::SSLProvider
       ssl_context.crls.each do |crl|
         oid_values = Hash[crl.extensions.map { |ext| [ext.oid, ext.value] }]
         crlNumber = oid_values['crlNumber'] || 'unknown'
-        authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp!
+        authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp
         Puppet.debug("Using CRL '#{crl.issuer.to_utf8}' authorityKeyIdentifier '#{authKeyId}' crlNumber '#{crlNumber }'")
       end
     end