puppet 8.1.0-x86-mingw32 → 8.3.0-x86-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be8d0f3acbccbdbcc42ccdc852633974adcc94199e3872d7d5a189905af12f71
-  data.tar.gz: 1186f83bde61e09ef1bbbfca662481e474896fe61550df9bdb9546fac8d9f524
+  metadata.gz: 02f7c5b50ea31cb17063ffc54649291e2e9a17255a840b0f89a46bd9e5abace2
+  data.tar.gz: b24126f5caad879cd67b9218be6920a3f00cf8c7037d6897909ea6fcbf67a809
 SHA512:
-  metadata.gz: d1d5badebf5f9352e802c8737be7b8956c8ab0e6f8f4d04c5a27fdb8170de7abed37789db311d45f17fda5e7974280fe099f2d67be98ec6d520435bbcdd59e28
-  data.tar.gz: 58f214114d5d8d0e7f4bace9a31618a5c9b44da188a4ab8f753295c743287f35c4f28baa82abd8c858a01f0cdb7a175fa019e4b1459bb8e88a1b3d394944f4a9
+  metadata.gz: 5b19656a7ed8bdd4645b078c27d9b1f611b1ef45b7d7a92bb4c3c236f248bb3cbdda2528b7032096bbb64540468e1039b3e9b3df5db68a36765e24a92ff2bc83
+  data.tar.gz: ff847955208a64f5860e557a41d43e73cf7ca5fa87769e396235a3f314baa456d9481dd78524b440ea8f36cada20a306547eabae0c6c67ca852e4373f651612a

data/Gemfile

@@ -36,7 +36,7 @@ group(:features) do
 end
 
 group(:test) do
-  gem "ffi", require: false
+  gem "ffi", '1.15.5', require: false
   gem "json-schema", "~> 2.0", require: false
   gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 13.0')
   gem "rspec", "~> 3.1", require: false

data/Gemfile.lock

@@ -1,6 +1,6 @@
 GIT
   remote: https://github.com/puppetlabs/packaging
-  revision: 87a3396077f06e2341ad19e6fcd15f7c14ec02f9
+  revision: 8adf33f59cc443c311c5d5d70c6ba2084625ceea
   branch: 1.0.x
   specs:
     packaging (0)
@@ -15,7 +15,7 @@ GIT
 PATH
   remote: .
   specs:
-    puppet (8.1.0)
+    puppet (8.3.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -31,35 +31,37 @@ GEM
   remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
   specs:
     CFPropertyList (2.3.6)
-    addressable (2.8.4)
+    addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
     apt_stage_artifacts (0.11.0)
       docopt
     artifactory (3.0.15)
     ast (2.4.2)
+    base64 (0.1.1)
     coderay (1.1.3)
     concurrent-ruby (1.2.2)
     crack (0.4.5)
       rexml
-    csv (3.2.6)
+    csv (3.2.7)
     declarative (0.0.20)
     deep_merge (1.2.2)
     diff-lcs (1.5.0)
-    digest-crc (0.6.4)
+    digest-crc (0.6.5)
       rake (>= 12.0.0, < 14.0.0)
     docopt (0.6.1)
     erubi (1.12.0)
-    facter (4.4.0)
+    facter (4.5.0)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
-    faraday (2.7.6)
+    faraday (2.7.11)
+      base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
     fast_gettext (2.3.0)
     ffi (1.15.5)
     forwardable (1.3.3)
-    gettext (3.4.4)
+    gettext (3.4.9)
       erubi
       locale (>= 2.0.5)
       prime
@@ -69,7 +71,7 @@ GEM
       fast_gettext (~> 2.1)
       gettext (~> 3.4)
       locale
-    google-apis-core (0.11.0)
+    google-apis-core (0.11.1)
       addressable (~> 2.5, >= 2.5.1)
       googleauth (>= 0.16.2, < 2.a)
       httpclient (>= 2.8.1, < 3.a)
@@ -96,10 +98,9 @@ GEM
       google-cloud-core (~> 1.6)
       googleauth (>= 0.16.2, < 2.a)
       mini_mime (~> 1.0)
-    googleauth (1.5.2)
+    googleauth (1.8.1)
       faraday (>= 0.17.3, < 3.a)
       jwt (>= 1.4, < 3.0)
-      memoist (~> 0.16)
       multi_json (~> 1.11)
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
@@ -115,18 +116,17 @@ GEM
       addressable (>= 2.4)
     jwt (2.7.1)
     locale (2.1.3)
-    memoist (0.16.2)
     memory_profiler (1.0.1)
     method_source (1.0.0)
-    mini_mime (1.1.2)
+    mini_mime (1.1.5)
     minitar (0.9)
-    msgpack (1.7.1)
+    msgpack (1.7.2)
     multi_json (1.15.0)
     mustache (1.1.1)
-    optimist (3.0.1)
+    optimist (3.1.0)
     os (1.1.4)
     parallel (1.23.0)
-    parser (3.2.2.3)
+    parser (3.2.2.4)
       ast (~> 2.4.1)
       racc
     prime (0.1.2)
@@ -135,17 +135,17 @@ GEM
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.1)
-    puppet-resource_api (1.8.14)
+    public_suffix (5.0.3)
+    puppet-resource_api (1.9.0)
       hocon (>= 1.0)
     puppetserver-ca (2.6.0)
       facter (>= 2.0.1, < 5)
     racc (1.5.2)
     rainbow (3.1.1)
     rake (13.0.6)
-    rdiscount (2.2.7)
+    rdiscount (2.2.7.1)
     rdoc (6.3.3)
-    regexp_parser (2.8.1)
+    regexp_parser (2.8.2)
     release-metrics (1.1.0)
       csv
       docopt
@@ -154,7 +154,7 @@ GEM
       trailblazer-option (>= 0.1.1, < 0.2.0)
       uber (< 0.2.0)
     retriable (3.1.2)
-    rexml (3.2.5)
+    rexml (3.2.6)
     ronn (0.7.3)
       hpricot (>= 0.8.2)
       mustache (>= 0.7.0)
@@ -171,10 +171,10 @@ GEM
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.12.5)
+    rspec-mocks (3.12.6)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-support (3.12.0)
+    rspec-support (3.12.1)
     rubocop (1.28.0)
       parallel (~> 1.10)
       parser (>= 3.1.0.0)
@@ -193,19 +193,19 @@ GEM
     ruby2_keywords (0.0.5)
     scanf (1.0.0)
     semantic_puppet (1.1.0)
-    signet (0.17.0)
+    signet (0.18.0)
       addressable (~> 2.8)
       faraday (>= 0.17.5, < 3.a)
       jwt (>= 1.5, < 3.0)
       multi_json (~> 1.10)
     singleton (0.1.1)
     text (1.3.1)
-    thor (1.2.2)
+    thor (1.3.0)
     trailblazer-option (0.1.2)
     uber (0.1.0)
-    unicode-display_width (2.4.2)
-    vcr (6.1.0)
-    webmock (3.18.1)
+    unicode-display_width (2.5.0)
+    vcr (6.2.0)
+    webmock (3.19.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -218,7 +218,7 @@ PLATFORMS
 DEPENDENCIES
   diff-lcs (~> 1.3)
   facter (~> 4.3)
-  ffi
+  ffi (= 1.15.5)
   gettext-setup (~> 1.0)
   hiera-eyaml
   hocon (~> 1.0)
@@ -248,4 +248,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.4.12
+   2.4.20

data/ext/project_data.yaml

@@ -39,11 +39,11 @@ gem_platform_dependencies:
       CFPropertyList: '~> 2.2'
   x86-mingw32:
     gem_runtime_dependencies:
-      ffi: ['> 1.9.24', '< 2']
+      ffi: '1.15.5'
       minitar: '~> 0.9'
   x64-mingw32:
     gem_runtime_dependencies:
-      ffi: ['> 1.9.24', '< 2']
+      ffi: '1.15.5'
       minitar: '~> 0.9'
 bundle_platforms:
   universal-darwin: all

data/lib/puppet/application/doc.rb

@@ -152,7 +152,7 @@ HELP
   end
 
   def other
-    text = String.new
+    text = ''.dup
     with_contents = options[:references].length <= 1
     exit_code = 0
     require_relative '../../puppet/util/reference'

data/lib/puppet/application/ssl.rb

@@ -60,6 +60,11 @@ ACTIONS
   the CSR. Otherwise a new key pair will be generated. If a CSR has already
   been submitted with the given `certname`, then the operation will fail.
 
+* generate_request:
+  Generate a certificate signing request (CSR). If
+  a private and public key pair already exist, they will be used to generate
+  the CSR. Otherwise a new key pair will be generated.
+
 * download_cert:
   Download a certificate for this host. If the current private key matches
   the downloaded certificate, then the certificate will be saved and used
@@ -137,9 +142,21 @@ HELP
       unless cert
         raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
       end
+    when 'generate_request'
+      generate_request(certname)
     when 'verify'
       verify(certname)
     when 'clean'
+      possible_extra_args = command_line.args.drop(1)
+      unless possible_extra_args.empty?
+        raise Puppet::Error, _(<<END) % { args: possible_extra_args.join(' ')}
+Extra arguments detected: %{args}
+Did you mean to run:
+  puppetserver ca clean --certname <name>
+Or:
+  puppet ssl clean --target <name>
+END
+      end
       clean(certname)
     when 'bootstrap'
       if !Puppet::Util::Log.sendlevel?(:info)
@@ -163,13 +180,7 @@ HELP
   def submit_request(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
     unless key
-      if Puppet[:key_type] == 'ec'
-        Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
-        key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
-      else
-        Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
-        key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
-      end
+      key = create_key(Puppet[:certname])
       @cert_provider.save_private_key(Puppet[:certname], key)
     end
 
@@ -188,6 +199,20 @@ HELP
     raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
   end
 
+  def generate_request(certname)
+    key = @cert_provider.load_private_key(certname)
+    unless key
+      key = create_key(certname)
+      @cert_provider.save_private_key(certname, key)
+    end
+
+    csr = @cert_provider.create_request(certname, key)
+    @cert_provider.save_request(certname, csr)
+    Puppet.notice _("Generated certificate request in '%{path}'") % { path: @cert_provider.to_path(Puppet[:requestdir], certname) }
+  rescue => e
+    raise Puppet::Error.new(_("Failed to generate certificate request: %{message}") % { message: e.message }, e)
+  end
+
   def download_cert(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
 
@@ -286,4 +311,14 @@ END
   def create_route(ssl_context)
     @session.route_to(:ca, ssl_context: ssl_context)
   end
+
+  def create_key(certname)
+    if Puppet[:key_type] == 'ec'
+      Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: certname, curve: Puppet[:named_curve] }
+      OpenSSL::PKey::EC.generate(Puppet[:named_curve])
+    else
+      Puppet.info _("Creating a new SSL key for %{name}") % { name: certname }
+      OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+    end
+  end
 end

data/lib/puppet/application.rb

@@ -504,8 +504,12 @@ class Application
     runtime_info = {
       'puppet_version' => Puppet.version,
       'ruby_version'   => RUBY_VERSION,
-      'run_mode'       => self.class.run_mode.name,
+      'run_mode'       => self.class.run_mode.name
     }
+    unless Puppet::Util::Platform.jruby_fips?
+      runtime_info['openssl_version'] = "'#{OpenSSL::OPENSSL_VERSION}'"
+      runtime_info['openssl_fips'] = OpenSSL::OPENSSL_FIPS
+    end
     runtime_info['default_encoding'] = Encoding.default_external
     runtime_info.merge!(extra_info) unless extra_info.nil?
 

data/lib/puppet/defaults.rb

@@ -4,11 +4,7 @@ require_relative '../puppet/util/platform'
 module Puppet
 
   def self.default_diffargs
-    if (Puppet.runtime[:facter].value(:kernel) == "AIX" && Puppet.runtime[:facter].value(:kernelmajversion) == "5300")
-      ""
-    else
-      "-u"
-    end
+    '-u'
   end
 
   def self.default_digest_algorithm
@@ -1248,6 +1244,22 @@ EOT
          unchanged on the server, then the agent run will continue using the
          local CRL it already has.#{AS_DURATION}",
     },
+    :hostcert_renewal_interval => {
+      :default => "30d",
+      :type    => :duration,
+      :desc    => "When the Puppet agent refreshes its client certificate.
+         By default the client certificate will refresh 30 days before the certificate
+         expires. If a different duration is specified, then the agent will refresh its
+         client certificate whenever it next runs and if the client certificate expires
+         within the duration specified.
+
+         In general, the duration should be greater than the `runinterval`.
+         Setting it to 0 will disable automatic renewal.
+
+         If the agent downloads a new certificate, the agent will use it for subsequent
+         network requests. If the refresh request fails, then the agent run will continue using the
+         certificate it already has. #{AS_DURATION}",
+    },
     :keylength => {
       :default    => 4096,
       :type       => :integer,

data/lib/puppet/face/config.rb

@@ -82,7 +82,7 @@ Puppet::Face.define(:config, '0.0.1') do
     end
 
     when_rendering :console do |to_be_rendered|
-      output = String.new
+      output = ''.dup
       if to_be_rendered.keys.length > 1
         to_be_rendered.keys.sort.each do |setting|
           output << "#{setting} = #{to_be_rendered[setting]}\n"

data/lib/puppet/face/epp.rb

@@ -367,7 +367,7 @@ Puppet::Face.define(:epp, '0.0.1') do
   end
 
   def dump_parse(source, filename, options, show_filename = true)
-    output = String.new
+    output = ''.dup
     evaluating_parser = Puppet::Pops::Parser::EvaluatingParser::EvaluatingEppParser.new
     begin
       if options[:validate]
@@ -451,7 +451,7 @@ Puppet::Face.define(:epp, '0.0.1') do
 
   def render_file(epp_template_name, compiler, options, show_filename, file_nbr)
     template_args = get_values(compiler, options)
-    output = String.new
+    output = ''.dup
     begin
       if show_filename && options[:header]
         output << "\n" unless file_nbr == 1

data/lib/puppet/face/module/list.rb

@@ -74,7 +74,7 @@ Puppet::Face.define(:module, '1.0.0') do
       environment     = result[:environment]
       modules_by_path = result[:modules_by_path]
 
-      output = String.new
+      output = ''.dup
 
       warn_unmet_dependencies(environment)
 
@@ -248,7 +248,7 @@ Puppet::Face.define(:module, '1.0.0') do
   # Returns a Hash
   #
   def list_build_node(mod, parent, params)
-    str = String.new
+    str = ''.dup
     str << (mod.forge_name ? mod.forge_name.tr('/', '-') : mod.name)
     str << ' (' + colorize(:cyan, mod.version ? "v#{mod.version}" : '???') + ')'
 

data/lib/puppet/face/parser.rb

@@ -174,7 +174,7 @@ Puppet::Face.define(:parser, '0.0.1') do
   end
 
   def dump_parse(source, filename, options, show_filename = true)
-    output = String.new
+    output = ''.dup
     evaluating_parser = Puppet::Pops::Parser::EvaluatingParser.new
     begin
       if options[:validate]

data/lib/puppet/functions/split.rb

@@ -36,6 +36,21 @@ Puppet::Functions.create_function(:split) do
     param 'Type[Regexp]', :pattern
   end
 
+  dispatch :split_String_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'String', :pattern
+  end
+
+  dispatch :split_Regexp_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'Regexp', :pattern
+  end
+
+  dispatch :split_RegexpType_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'Type[Regexp]', :pattern
+  end
+
   def split_String(str, pattern)
     str.split(Regexp.compile(pattern))
   end
@@ -47,4 +62,16 @@ Puppet::Functions.create_function(:split) do
   def split_RegexpType(str, pattern)
     str.split(pattern.regexp)
   end
-end
+
+  def split_String_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_String(sensitive.unwrap, pattern))
+  end
+
+  def split_Regexp_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_Regexp(sensitive.unwrap, pattern))
+  end
+
+  def split_RegexpType_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_RegexpType(sensitive.unwrap, pattern))
+  end
+end

data/lib/puppet/http/client.rb

@@ -368,6 +368,7 @@ class Puppet::HTTP::Client
         apply_auth(request, basic_auth) if redirects.zero?
 
         # don't call return within the `request` block
+        close_and_sleep = nil
         http.request(request) do |nethttp|
           response = Puppet::HTTP::ResponseNetHTTP.new(request.uri, nethttp)
           begin
@@ -381,12 +382,14 @@ class Puppet::HTTP::Client
               interval = @retry_after_handler.retry_after_interval(request, response, retries)
               retries += 1
               if interval
-                if http.started?
-                  Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
-                  http.finish
+                close_and_sleep = proc do
+                  if http.started?
+                    Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
+                    http.finish
+                  end
+                  Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
+                  ::Kernel.sleep(interval)
                 end
-                Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
-                ::Kernel.sleep(interval)
                 next
               end
             end
@@ -405,6 +408,10 @@ class Puppet::HTTP::Client
 
           done = true
         end
+      ensure
+        # If a server responded with a retry, make sure the connection is closed and then
+        # sleep the specified time.
+        close_and_sleep.call if close_and_sleep
       end
     end
 

data/lib/puppet/http/service/ca.rb

@@ -104,4 +104,29 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
 
     response
   end
+
+  # Submit a POST request to send a certificate renewal request to the server
+  #
+  # @param [Puppet::SSL::SSLContext] ssl_context
+  #
+  # @return [Array<Puppet::HTTP::Response, String>] The request response
+  #
+  # @api public
+  def post_certificate_renewal(ssl_context)
+    headers = add_puppet_headers(HEADERS)
+    headers['Content-Type'] = 'text/plain'
+
+    response = @client.post(
+      with_base_url('/certificate_renewal'),
+      '', # Puppet::HTTP::Client.post requires a body, the API endpoint does not
+      headers: headers,
+      options: {ssl_context: ssl_context}
+    )
+
+    raise ArgumentError.new(_('SSL context must contain a client certificate.')) unless ssl_context.client_cert
+
+    process_response(response)
+
+    [response, response.body.to_s]
+  end
 end

data/lib/puppet/indirector/facts/facter.rb

@@ -105,7 +105,7 @@ class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
 
   def find_with_options(request)
     options = request.options
-    options_for_facter = String.new
+    options_for_facter = ''.dup
     options_for_facter += options[:user_query].join(' ')
     options_for_facter += " --config #{options[:config_file]}" if options[:config_file]
     options_for_facter += " --show-legacy" if options[:show_legacy]

data/lib/puppet/indirector/file_bucket_file/file.rb

@@ -58,7 +58,7 @@ module Puppet::FileBucketFile
       end
       # Setting hash's default value to [], needed by the following loop
       bucket = Hash.new {[]}
-      msg = String.new
+      msg = ''.dup
       # Get all files with mtime between 'from' and 'to'
       Pathname.new(request.options[:bucket_path]).find { |item|
         if item.file? and item.basename.to_s == "paths"

data/lib/puppet/indirector/indirection.rb

@@ -81,7 +81,7 @@ class Puppet::Indirector::Indirection
 
   # Generate the full doc string.
   def doc
-    text = String.new
+    text = ''.dup
 
     text << scrub(@doc) << "\n\n" if @doc
 

data/lib/puppet/info_service/task_information_service.rb

@@ -13,7 +13,7 @@ class Puppet::InfoService::TaskInformationService
           task.validate
           {:module => {:name => task.module.name}, :name => task.name, :metadata => task.metadata}
         rescue Puppet::Module::Task::Error => err
-          Puppet.log_exception(err, 'Failed to validate task')
+          Puppet.log_exception(err)
           nil
         end
       end

data/lib/puppet/module_tool.rb

@@ -70,7 +70,7 @@ module Puppet
     # Builds a formatted tree from a list of node hashes containing +:text+
     # and +:dependencies+ keys.
     def self.format_tree(nodes, level = 0)
-      str = String.new
+      str = ''.dup
       nodes.each_with_index do |node, i|
         last_node = nodes.length - 1 == i
         deps = node[:dependencies] || []

data/lib/puppet/network/formats.rb

@@ -156,7 +156,7 @@ Puppet::Network::FormatHandler.create(:console,
 
     # Simple hash to table
     if datum.is_a?(Hash) && datum.keys.all? { |x| x.is_a?(String) || x.is_a?(Numeric) }
-      output = String.new
+      output = ''.dup
       column_a = datum.empty? ? 2 : datum.map{ |k,v| k.to_s.length }.max + 2
       datum.sort_by { |k,v| k.to_s } .each do |key, value|
         output << key.to_s.ljust(column_a)
@@ -169,7 +169,7 @@ Puppet::Network::FormatHandler.create(:console,
 
     # Print one item per line for arrays
     if datum.is_a? Array
-      output = String.new
+      output = ''.dup
       datum.each do |item|
         output << item.to_s
         output << "\n"
@@ -227,7 +227,7 @@ Puppet::Network::FormatHandler.create(:flat,
   end
 
   def construct_output(data)
-    output = String.new
+    output = ''.dup
     data.each do |key, value|
       output << "#{key}=#{value}"
       output << "\n"

data/lib/puppet/network/http/memory_response.rb

@@ -3,7 +3,7 @@ class Puppet::Network::HTTP::MemoryResponse
   attr_reader :code, :type, :body
 
   def initialize
-    @body = String.new
+    @body = ''.dup
   end
 
   def respond_with(code, type, body)

data/lib/puppet/node/environment.rb

@@ -592,10 +592,12 @@ class Puppet::Node::Environment
       if file == NO_MANIFEST
         empty_parse_result
       elsif File.directory?(file)
-        parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*.pp')).glob.sort.map do | file_to_parse |
-          parser.file = file_to_parse
-          parser.parse
-          end
+        # JRuby does not properly perform Dir.glob operations with wildcards, (see PUP-11788 and https://github.com/jruby/jruby/issues/7836).
+        # We sort the results because Dir.glob order is inconsistent in Ruby < 3 (see PUP-10115).
+        parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select {|globbed_file| globbed_file.end_with?('.pp')}.sort.map do | file_to_parse |
+                          parser.file = file_to_parse
+                          parser.parse
+                        end
         # Use a parser type specific merger to concatenate the results
         Puppet::Parser::AST::Hostclass.new('', :code => Puppet::Parser::ParserFactory.code_merger.concatenate(parse_results))
       else

data/lib/puppet/parameter/value_collection.rb

@@ -31,7 +31,7 @@ class Puppet::Parameter::ValueCollection
   #
   def doc
     unless defined?(@doc)
-      @doc = String.new
+      @doc = ''.dup
       unless values.empty?
         @doc << "Valid values are "
         @doc << @strings.collect do |value|

data/lib/puppet/parser/files.rb

@@ -29,9 +29,10 @@ module Puppet::Parser::Files
   #   * modulename/filename selector: a file is found in the file directory
   #     of the named module.
   #
-  # In the second case a nil is returned if there isn't a file found. In the
-  # first case (absolute path), there is no existence check done and so the
-  # path will be returned even if there isn't a file available.
+  # The check for file existence is performed on the node compiling the
+  # manifest. A node running "puppet apply" compiles its own manifest, but
+  # a node running "puppet agent" depends on the configured puppetserver
+  # for compiling. In either case, a nil is returned if no file is found.
   #
   # @param template [String] the file selector
   # @param environment [Puppet::Node::Environment] the environment in which to search