puppet 8.1.0-universal-darwin → 8.3.1-universal-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7eea5fdf57cadd5d893dc4324a16144079bfb11686d4fe50ba34b0c8b9206ffd
-  data.tar.gz: 1186f83bde61e09ef1bbbfca662481e474896fe61550df9bdb9546fac8d9f524
+  metadata.gz: d51ea29c50817dfb98273a22e10809cabc461017bed352035b000b29fcdb81bd
+  data.tar.gz: 4fef0c63a2a0c6d3be51e7b5f969ca85b8be50a58623badb4dc8efd10b488954
 SHA512:
-  metadata.gz: 3ec9291458052ad337ff5d91808694a842152be78fef074fa50b9345dab18bfefc557d8b879295ad0d6f063b970f48e8bae0726950e6e5a9b8beaf068d2f3fb5
-  data.tar.gz: 58f214114d5d8d0e7f4bace9a31618a5c9b44da188a4ab8f753295c743287f35c4f28baa82abd8c858a01f0cdb7a175fa019e4b1459bb8e88a1b3d394944f4a9
+  metadata.gz: 111d4cebd83393c97a92fc40a09f441bedaac2bca73a0e8b51e793dfacf1bf8de1754c9d0a1aa1a165d49618e3332c460f2e290f025b4ca97b9b6fdfd7d23da9
+  data.tar.gz: cae4b82154cca6f2c2aa3a8c19f94306061020b3fa94bc206170491b98777aa8602bd065d0a577135ad1a461da4e3ba29893e52e87f5cc3a824d6f7a96e3ace7

data/Gemfile

@@ -36,7 +36,7 @@ group(:features) do
 end
 
 group(:test) do
-  gem "ffi", require: false
+  gem "ffi", '1.15.5', require: false
   gem "json-schema", "~> 2.0", require: false
   gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 13.0')
   gem "rspec", "~> 3.1", require: false

data/Gemfile.lock

@@ -1,21 +1,7 @@
-GIT
-  remote: https://github.com/puppetlabs/packaging
-  revision: 87a3396077f06e2341ad19e6fcd15f7c14ec02f9
-  branch: 1.0.x
-  specs:
-    packaging (0)
-      apt_stage_artifacts
-      artifactory (~> 3)
-      csv (>= 3.1.5)
-      google-cloud-storage
-      googleauth
-      rake (>= 12.3)
-      release-metrics
-
 PATH
   remote: .
   specs:
-    puppet (8.1.0)
+    puppet (8.3.1)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -31,35 +17,37 @@ GEM
   remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
   specs:
     CFPropertyList (2.3.6)
-    addressable (2.8.4)
+    addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
     apt_stage_artifacts (0.11.0)
       docopt
     artifactory (3.0.15)
     ast (2.4.2)
+    base64 (0.1.1)
     coderay (1.1.3)
     concurrent-ruby (1.2.2)
     crack (0.4.5)
       rexml
-    csv (3.2.6)
+    csv (3.2.7)
     declarative (0.0.20)
     deep_merge (1.2.2)
     diff-lcs (1.5.0)
-    digest-crc (0.6.4)
+    digest-crc (0.6.5)
       rake (>= 12.0.0, < 14.0.0)
     docopt (0.6.1)
     erubi (1.12.0)
-    facter (4.4.0)
+    facter (4.5.0)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
-    faraday (2.7.6)
+    faraday (2.7.11)
+      base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
     fast_gettext (2.3.0)
     ffi (1.15.5)
     forwardable (1.3.3)
-    gettext (3.4.4)
+    gettext (3.4.9)
       erubi
       locale (>= 2.0.5)
       prime
@@ -69,7 +57,7 @@ GEM
       fast_gettext (~> 2.1)
       gettext (~> 3.4)
       locale
-    google-apis-core (0.11.0)
+    google-apis-core (0.11.1)
       addressable (~> 2.5, >= 2.5.1)
       googleauth (>= 0.16.2, < 2.a)
       httpclient (>= 2.8.1, < 3.a)
@@ -96,10 +84,9 @@ GEM
       google-cloud-core (~> 1.6)
       googleauth (>= 0.16.2, < 2.a)
       mini_mime (~> 1.0)
-    googleauth (1.5.2)
+    googleauth (1.8.1)
       faraday (>= 0.17.3, < 3.a)
       jwt (>= 1.4, < 3.0)
-      memoist (~> 0.16)
       multi_json (~> 1.11)
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
@@ -115,18 +102,25 @@ GEM
       addressable (>= 2.4)
     jwt (2.7.1)
     locale (2.1.3)
-    memoist (0.16.2)
     memory_profiler (1.0.1)
     method_source (1.0.0)
-    mini_mime (1.1.2)
+    mini_mime (1.1.5)
     minitar (0.9)
-    msgpack (1.7.1)
+    msgpack (1.7.2)
     multi_json (1.15.0)
     mustache (1.1.1)
-    optimist (3.0.1)
+    optimist (3.1.0)
     os (1.1.4)
+    packaging (0.111.0)
+      apt_stage_artifacts
+      artifactory (~> 3)
+      csv (>= 3.1.5)
+      google-cloud-storage
+      googleauth
+      rake (>= 12.3)
+      release-metrics
     parallel (1.23.0)
-    parser (3.2.2.3)
+    parser (3.2.2.4)
       ast (~> 2.4.1)
       racc
     prime (0.1.2)
@@ -135,17 +129,17 @@ GEM
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.1)
-    puppet-resource_api (1.8.14)
+    public_suffix (5.0.3)
+    puppet-resource_api (1.9.0)
       hocon (>= 1.0)
     puppetserver-ca (2.6.0)
       facter (>= 2.0.1, < 5)
     racc (1.5.2)
     rainbow (3.1.1)
     rake (13.0.6)
-    rdiscount (2.2.7)
+    rdiscount (2.2.7.1)
     rdoc (6.3.3)
-    regexp_parser (2.8.1)
+    regexp_parser (2.8.2)
     release-metrics (1.1.0)
       csv
       docopt
@@ -154,7 +148,7 @@ GEM
       trailblazer-option (>= 0.1.1, < 0.2.0)
       uber (< 0.2.0)
     retriable (3.1.2)
-    rexml (3.2.5)
+    rexml (3.2.6)
     ronn (0.7.3)
       hpricot (>= 0.8.2)
       mustache (>= 0.7.0)
@@ -171,10 +165,10 @@ GEM
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.12.5)
+    rspec-mocks (3.12.6)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-support (3.12.0)
+    rspec-support (3.12.1)
     rubocop (1.28.0)
       parallel (~> 1.10)
       parser (>= 3.1.0.0)
@@ -184,7 +178,7 @@ GEM
       rubocop-ast (>= 1.17.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.29.0)
+    rubocop-ast (1.30.0)
       parser (>= 3.2.1.0)
     rubocop-i18n (3.0.0)
       rubocop (~> 1.0)
@@ -193,19 +187,19 @@ GEM
     ruby2_keywords (0.0.5)
     scanf (1.0.0)
     semantic_puppet (1.1.0)
-    signet (0.17.0)
+    signet (0.18.0)
       addressable (~> 2.8)
       faraday (>= 0.17.5, < 3.a)
       jwt (>= 1.5, < 3.0)
       multi_json (~> 1.10)
     singleton (0.1.1)
     text (1.3.1)
-    thor (1.2.2)
+    thor (1.3.0)
     trailblazer-option (0.1.2)
     uber (0.1.0)
-    unicode-display_width (2.4.2)
-    vcr (6.1.0)
-    webmock (3.18.1)
+    unicode-display_width (2.5.0)
+    vcr (6.2.0)
+    webmock (3.19.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -218,7 +212,7 @@ PLATFORMS
 DEPENDENCIES
   diff-lcs (~> 1.3)
   facter (~> 4.3)
-  ffi
+  ffi (= 1.15.5)
   gettext-setup (~> 1.0)
   hiera-eyaml
   hocon (~> 1.0)
@@ -226,7 +220,7 @@ DEPENDENCIES
   memory_profiler
   minitar (~> 0.9)
   msgpack (~> 1.2)
-  packaging!
+  packaging (= 0.111.0)
   pry
   puppet!
   puppet-resource_api (~> 1.5)
@@ -248,4 +242,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.4.12
+   2.4.20

data/ext/project_data.yaml

@@ -39,11 +39,11 @@ gem_platform_dependencies:
       CFPropertyList: '~> 2.2'
   x86-mingw32:
     gem_runtime_dependencies:
-      ffi: ['> 1.9.24', '< 2']
+      ffi: '1.15.5'
       minitar: '~> 0.9'
   x64-mingw32:
     gem_runtime_dependencies:
-      ffi: ['> 1.9.24', '< 2']
+      ffi: '1.15.5'
       minitar: '~> 0.9'
 bundle_platforms:
   universal-darwin: all

data/lib/puppet/application/doc.rb

@@ -152,7 +152,7 @@ HELP
   end
 
   def other
-    text = String.new
+    text = ''.dup
     with_contents = options[:references].length <= 1
     exit_code = 0
     require_relative '../../puppet/util/reference'

data/lib/puppet/application/ssl.rb

@@ -60,6 +60,11 @@ ACTIONS
   the CSR. Otherwise a new key pair will be generated. If a CSR has already
   been submitted with the given `certname`, then the operation will fail.
 
+* generate_request:
+  Generate a certificate signing request (CSR). If
+  a private and public key pair already exist, they will be used to generate
+  the CSR. Otherwise a new key pair will be generated.
+
 * download_cert:
   Download a certificate for this host. If the current private key matches
   the downloaded certificate, then the certificate will be saved and used
@@ -137,9 +142,21 @@ HELP
       unless cert
         raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
       end
+    when 'generate_request'
+      generate_request(certname)
     when 'verify'
       verify(certname)
     when 'clean'
+      possible_extra_args = command_line.args.drop(1)
+      unless possible_extra_args.empty?
+        raise Puppet::Error, _(<<END) % { args: possible_extra_args.join(' ')}
+Extra arguments detected: %{args}
+Did you mean to run:
+  puppetserver ca clean --certname <name>
+Or:
+  puppet ssl clean --target <name>
+END
+      end
       clean(certname)
     when 'bootstrap'
       if !Puppet::Util::Log.sendlevel?(:info)
@@ -163,13 +180,7 @@ HELP
   def submit_request(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
     unless key
-      if Puppet[:key_type] == 'ec'
-        Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
-        key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
-      else
-        Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
-        key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
-      end
+      key = create_key(Puppet[:certname])
       @cert_provider.save_private_key(Puppet[:certname], key)
     end
 
@@ -188,6 +199,20 @@ HELP
     raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
   end
 
+  def generate_request(certname)
+    key = @cert_provider.load_private_key(certname)
+    unless key
+      key = create_key(certname)
+      @cert_provider.save_private_key(certname, key)
+    end
+
+    csr = @cert_provider.create_request(certname, key)
+    @cert_provider.save_request(certname, csr)
+    Puppet.notice _("Generated certificate request in '%{path}'") % { path: @cert_provider.to_path(Puppet[:requestdir], certname) }
+  rescue => e
+    raise Puppet::Error.new(_("Failed to generate certificate request: %{message}") % { message: e.message }, e)
+  end
+
   def download_cert(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
 
@@ -286,4 +311,14 @@ END
   def create_route(ssl_context)
     @session.route_to(:ca, ssl_context: ssl_context)
   end
+
+  def create_key(certname)
+    if Puppet[:key_type] == 'ec'
+      Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: certname, curve: Puppet[:named_curve] }
+      OpenSSL::PKey::EC.generate(Puppet[:named_curve])
+    else
+      Puppet.info _("Creating a new SSL key for %{name}") % { name: certname }
+      OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+    end
+  end
 end

data/lib/puppet/application.rb

@@ -504,8 +504,12 @@ class Application
     runtime_info = {
       'puppet_version' => Puppet.version,
       'ruby_version'   => RUBY_VERSION,
-      'run_mode'       => self.class.run_mode.name,
+      'run_mode'       => self.class.run_mode.name
     }
+    unless Puppet::Util::Platform.jruby_fips?
+      runtime_info['openssl_version'] = "'#{OpenSSL::OPENSSL_VERSION}'"
+      runtime_info['openssl_fips'] = OpenSSL::OPENSSL_FIPS
+    end
     runtime_info['default_encoding'] = Encoding.default_external
     runtime_info.merge!(extra_info) unless extra_info.nil?
 

data/lib/puppet/defaults.rb

@@ -4,11 +4,7 @@ require_relative '../puppet/util/platform'
 module Puppet
 
   def self.default_diffargs
-    if (Puppet.runtime[:facter].value(:kernel) == "AIX" && Puppet.runtime[:facter].value(:kernelmajversion) == "5300")
-      ""
-    else
-      "-u"
-    end
+    '-u'
   end
 
   def self.default_digest_algorithm
@@ -1248,6 +1244,22 @@ EOT
          unchanged on the server, then the agent run will continue using the
          local CRL it already has.#{AS_DURATION}",
     },
+    :hostcert_renewal_interval => {
+      :default => "30d",
+      :type    => :duration,
+      :desc    => "When the Puppet agent refreshes its client certificate.
+         By default the client certificate will refresh 30 days before the certificate
+         expires. If a different duration is specified, then the agent will refresh its
+         client certificate whenever it next runs and if the client certificate expires
+         within the duration specified.
+
+         In general, the duration should be greater than the `runinterval`.
+         Setting it to 0 will disable automatic renewal.
+
+         If the agent downloads a new certificate, the agent will use it for subsequent
+         network requests. If the refresh request fails, then the agent run will continue using the
+         certificate it already has. #{AS_DURATION}",
+    },
     :keylength => {
       :default    => 4096,
       :type       => :integer,

data/lib/puppet/face/config.rb

@@ -82,7 +82,7 @@ Puppet::Face.define(:config, '0.0.1') do
     end
 
     when_rendering :console do |to_be_rendered|
-      output = String.new
+      output = ''.dup
       if to_be_rendered.keys.length > 1
         to_be_rendered.keys.sort.each do |setting|
           output << "#{setting} = #{to_be_rendered[setting]}\n"

data/lib/puppet/face/epp.rb

@@ -367,7 +367,7 @@ Puppet::Face.define(:epp, '0.0.1') do
   end
 
   def dump_parse(source, filename, options, show_filename = true)
-    output = String.new
+    output = ''.dup
     evaluating_parser = Puppet::Pops::Parser::EvaluatingParser::EvaluatingEppParser.new
     begin
       if options[:validate]
@@ -451,7 +451,7 @@ Puppet::Face.define(:epp, '0.0.1') do
 
   def render_file(epp_template_name, compiler, options, show_filename, file_nbr)
     template_args = get_values(compiler, options)
-    output = String.new
+    output = ''.dup
     begin
       if show_filename && options[:header]
         output << "\n" unless file_nbr == 1

data/lib/puppet/face/module/list.rb

@@ -74,7 +74,7 @@ Puppet::Face.define(:module, '1.0.0') do
       environment     = result[:environment]
       modules_by_path = result[:modules_by_path]
 
-      output = String.new
+      output = ''.dup
 
       warn_unmet_dependencies(environment)
 
@@ -248,7 +248,7 @@ Puppet::Face.define(:module, '1.0.0') do
   # Returns a Hash
   #
   def list_build_node(mod, parent, params)
-    str = String.new
+    str = ''.dup
     str << (mod.forge_name ? mod.forge_name.tr('/', '-') : mod.name)
     str << ' (' + colorize(:cyan, mod.version ? "v#{mod.version}" : '???') + ')'
 

data/lib/puppet/face/parser.rb

@@ -174,7 +174,7 @@ Puppet::Face.define(:parser, '0.0.1') do
   end
 
   def dump_parse(source, filename, options, show_filename = true)
-    output = String.new
+    output = ''.dup
     evaluating_parser = Puppet::Pops::Parser::EvaluatingParser.new
     begin
       if options[:validate]

data/lib/puppet/functions/split.rb

@@ -36,6 +36,21 @@ Puppet::Functions.create_function(:split) do
     param 'Type[Regexp]', :pattern
   end
 
+  dispatch :split_String_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'String', :pattern
+  end
+
+  dispatch :split_Regexp_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'Regexp', :pattern
+  end
+
+  dispatch :split_RegexpType_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'Type[Regexp]', :pattern
+  end
+
   def split_String(str, pattern)
     str.split(Regexp.compile(pattern))
   end
@@ -47,4 +62,16 @@ Puppet::Functions.create_function(:split) do
   def split_RegexpType(str, pattern)
     str.split(pattern.regexp)
   end
-end
+
+  def split_String_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_String(sensitive.unwrap, pattern))
+  end
+
+  def split_Regexp_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_Regexp(sensitive.unwrap, pattern))
+  end
+
+  def split_RegexpType_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_RegexpType(sensitive.unwrap, pattern))
+  end
+end

data/lib/puppet/http/client.rb

@@ -368,6 +368,7 @@ class Puppet::HTTP::Client
         apply_auth(request, basic_auth) if redirects.zero?
 
         # don't call return within the `request` block
+        close_and_sleep = nil
         http.request(request) do |nethttp|
           response = Puppet::HTTP::ResponseNetHTTP.new(request.uri, nethttp)
           begin
@@ -381,12 +382,14 @@ class Puppet::HTTP::Client
               interval = @retry_after_handler.retry_after_interval(request, response, retries)
               retries += 1
               if interval
-                if http.started?
-                  Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
-                  http.finish
+                close_and_sleep = proc do
+                  if http.started?
+                    Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
+                    http.finish
+                  end
+                  Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
+                  ::Kernel.sleep(interval)
                 end
-                Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
-                ::Kernel.sleep(interval)
                 next
               end
             end
@@ -405,6 +408,10 @@ class Puppet::HTTP::Client
 
           done = true
         end
+      ensure
+        # If a server responded with a retry, make sure the connection is closed and then
+        # sleep the specified time.
+        close_and_sleep.call if close_and_sleep
       end
     end
 

data/lib/puppet/http/service/ca.rb

@@ -104,4 +104,29 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
 
     response
   end
+
+  # Submit a POST request to send a certificate renewal request to the server
+  #
+  # @param [Puppet::SSL::SSLContext] ssl_context
+  #
+  # @return [Array<Puppet::HTTP::Response, String>] The request response
+  #
+  # @api public
+  def post_certificate_renewal(ssl_context)
+    headers = add_puppet_headers(HEADERS)
+    headers['Content-Type'] = 'text/plain'
+
+    response = @client.post(
+      with_base_url('/certificate_renewal'),
+      '', # Puppet::HTTP::Client.post requires a body, the API endpoint does not
+      headers: headers,
+      options: {ssl_context: ssl_context}
+    )
+
+    raise ArgumentError.new(_('SSL context must contain a client certificate.')) unless ssl_context.client_cert
+
+    process_response(response)
+
+    [response, response.body.to_s]
+  end
 end

data/lib/puppet/indirector/facts/facter.rb

@@ -105,7 +105,7 @@ class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
 
   def find_with_options(request)
     options = request.options
-    options_for_facter = String.new
+    options_for_facter = ''.dup
     options_for_facter += options[:user_query].join(' ')
     options_for_facter += " --config #{options[:config_file]}" if options[:config_file]
     options_for_facter += " --show-legacy" if options[:show_legacy]

data/lib/puppet/indirector/file_bucket_file/file.rb

@@ -58,7 +58,7 @@ module Puppet::FileBucketFile
       end
       # Setting hash's default value to [], needed by the following loop
       bucket = Hash.new {[]}
-      msg = String.new
+      msg = ''.dup
       # Get all files with mtime between 'from' and 'to'
       Pathname.new(request.options[:bucket_path]).find { |item|
         if item.file? and item.basename.to_s == "paths"

data/lib/puppet/indirector/indirection.rb

@@ -81,7 +81,7 @@ class Puppet::Indirector::Indirection
 
   # Generate the full doc string.
   def doc
-    text = String.new
+    text = ''.dup
 
     text << scrub(@doc) << "\n\n" if @doc
 

data/lib/puppet/info_service/task_information_service.rb

@@ -13,7 +13,7 @@ class Puppet::InfoService::TaskInformationService
           task.validate
           {:module => {:name => task.module.name}, :name => task.name, :metadata => task.metadata}
         rescue Puppet::Module::Task::Error => err
-          Puppet.log_exception(err, 'Failed to validate task')
+          Puppet.log_exception(err)
           nil
         end
       end

data/lib/puppet/module_tool.rb

@@ -70,7 +70,7 @@ module Puppet
     # Builds a formatted tree from a list of node hashes containing +:text+
     # and +:dependencies+ keys.
     def self.format_tree(nodes, level = 0)
-      str = String.new
+      str = ''.dup
       nodes.each_with_index do |node, i|
         last_node = nodes.length - 1 == i
         deps = node[:dependencies] || []

data/lib/puppet/network/formats.rb

@@ -156,7 +156,7 @@ Puppet::Network::FormatHandler.create(:console,
 
     # Simple hash to table
     if datum.is_a?(Hash) && datum.keys.all? { |x| x.is_a?(String) || x.is_a?(Numeric) }
-      output = String.new
+      output = ''.dup
       column_a = datum.empty? ? 2 : datum.map{ |k,v| k.to_s.length }.max + 2
       datum.sort_by { |k,v| k.to_s } .each do |key, value|
         output << key.to_s.ljust(column_a)
@@ -169,7 +169,7 @@ Puppet::Network::FormatHandler.create(:console,
 
     # Print one item per line for arrays
     if datum.is_a? Array
-      output = String.new
+      output = ''.dup
       datum.each do |item|
         output << item.to_s
         output << "\n"
@@ -227,7 +227,7 @@ Puppet::Network::FormatHandler.create(:flat,
   end
 
   def construct_output(data)
-    output = String.new
+    output = ''.dup
     data.each do |key, value|
       output << "#{key}=#{value}"
       output << "\n"

data/lib/puppet/network/http/memory_response.rb

@@ -3,7 +3,7 @@ class Puppet::Network::HTTP::MemoryResponse
   attr_reader :code, :type, :body
 
   def initialize
-    @body = String.new
+    @body = ''.dup
   end
 
   def respond_with(code, type, body)

data/lib/puppet/node/environment.rb

@@ -592,10 +592,12 @@ class Puppet::Node::Environment
       if file == NO_MANIFEST
         empty_parse_result
       elsif File.directory?(file)
-        parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*.pp')).glob.sort.map do | file_to_parse |
-          parser.file = file_to_parse
-          parser.parse
-          end
+        # JRuby does not properly perform Dir.glob operations with wildcards, (see PUP-11788 and https://github.com/jruby/jruby/issues/7836).
+        # We sort the results because Dir.glob order is inconsistent in Ruby < 3 (see PUP-10115).
+        parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select {|globbed_file| globbed_file.end_with?('.pp')}.sort.map do | file_to_parse |
+                          parser.file = file_to_parse
+                          parser.parse
+                        end
         # Use a parser type specific merger to concatenate the results
         Puppet::Parser::AST::Hostclass.new('', :code => Puppet::Parser::ParserFactory.code_merger.concatenate(parse_results))
       else