puppet 8.7.0-universal-darwin → 8.9.0-universal-darwin

data/lib/puppet/defaults.rb

@@ -7,6 +7,7 @@ module Puppet
     '-u'
   end
 
+  # If you modify this, update puppet/type/file/checksum.rb too
   def self.default_digest_algorithm
     'sha256'
   end
@@ -47,29 +48,15 @@ module Puppet
   end
 
   def self.default_basemodulepath
-    if Puppet::Util::Platform.windows?
-      path = ['$codedir/modules']
-      installdir = ENV.fetch("FACTER_env_windows_installdir", nil)
-      if installdir
-        path << "#{installdir}/puppet/modules"
-      end
-      path.join(File::PATH_SEPARATOR)
-    else
-      '$codedir/modules:/opt/puppetlabs/puppet/modules'
+    path = ['$codedir/modules']
+    if (run_mode_dir = Puppet.run_mode.common_module_dir)
+      path << run_mode_dir
     end
+    path.join(File::PATH_SEPARATOR)
   end
 
   def self.default_vendormoduledir
-    if Puppet::Util::Platform.windows?
-      installdir = ENV.fetch("FACTER_env_windows_installdir", nil)
-      if installdir
-        "#{installdir}\\puppet\\vendor_modules"
-      else
-        nil
-      end
-    else
-      '/opt/puppetlabs/puppet/vendor_modules'
-    end
+    Puppet.run_mode.vendor_module_dir
   end
 
   ############################################################################################
@@ -175,8 +162,8 @@ module Puppet
     :skip_logging_catalog_request_destination => {
       :default => false,
       :type    => :boolean,
-      :desc    => "If you wish to suppress the notice of which compiler supplied the
-        catalog",
+      :desc => "Specifies whether to suppress the notice of which compiler
+        supplied the catalog. A value of `true` suppresses the notice.",
     },
     :merge_dependency_warnings => {
       :default => false,
@@ -431,13 +418,15 @@ module Puppet
       :type     => :boolean,
       :default  => true,
       :desc     => <<-'EOT'
-      When versioned_environment_dirs is `true` Puppet will readlink the environmentpath
-      when constructing the environment's modulepath. The full readlinked path is referred
-      to as the "resolved path" and the configured path potentially containing symlinks is
-      the "configured path". When reporting where resources come from users may choose
-      between the configured or resolved path.
-
-      When set to false, the resolved paths are reported instead of the configured paths.
+      Specifies how environment paths are reported. When the value of
+      `versioned_environment_dirs` is `true`, Puppet applies the readlink function to
+      the `environmentpath` setting when constructing the environment's modulepath. The
+      full readlinked path is referred to as the "resolved path," and the configured
+      path potentially containing symlinks is the "configured path." When reporting
+      where resources come from, users may choose between the configured and resolved
+      path.
+
+      When set to `false`, the resolved paths are reported instead of the configured paths.
       EOT
     },
     :use_last_environment => {
@@ -1218,17 +1207,18 @@ EOT
     :ca_refresh_interval => {
       :default    => "1d",
       :type       => :duration,
-      :desc       => "How often the Puppet agent refreshes its local CA certs. By
-         default the CA certs are refreshed once every 24 hours. If a different
-         duration is specified, then the agent will refresh its CA certs whenever
-         it next runs and the elapsed time since the certs were last refreshed
-         exceeds the duration.
-
-         In general, the duration should be greater than the `runinterval`.
-         Setting it to 0 or an equal or lesser value than `runinterval`,
-         will cause the CA certs to be refreshed on every run.
-
-         If the agent downloads new CA certs, the agent will use it for subsequent
+      :desc       => "How often the Puppet agent refreshes its local CA
+         certificates. By default, CA certificates are refreshed every 24 hours. If a
+         different interval is specified, the agent refreshes its CA certificates during
+         the next agent run if the elapsed time since the certificates were last
+         refreshed exceeds the specified duration.
+
+         In general, the interval should be greater than the `runinterval`
+         value. Setting the `ca_refresh_interval` value to 0 or an equal or
+         lesser value than `runinterval` causes the CA certificates to be
+         refreshed on every run.
+
+         If the agent downloads new CA certs, the agent uses those for subsequent
          network requests. If the refresh request fails or if the CA certs are
          unchanged on the server, then the agent run will continue using the
          local CA certs it already has. #{AS_DURATION}",
@@ -1236,15 +1226,15 @@ EOT
     :crl_refresh_interval => {
       :default    => "1d",
       :type       => :duration,
-      :desc       => "How often the Puppet agent refreshes its local CRL. By
-         default the CRL is refreshed once every 24 hours. If a different
-         duration is specified, then the agent will refresh its CRL whenever
-         it next runs and the elapsed time since the CRL was last refreshed
-         exceeds the duration.
+      :desc       => "How often the Puppet agent refreshes its local Certificate
+         Revocation List (CRL). By default, the CRL is refreshed every 24 hours. If
+         a different interval is specified, the agent refreshes its CRL on the next
+         Puppet agent run if the elapsed time since the CRL was last refreshed
+         exceeds the specified interval.
 
-         In general, the duration should be greater than the `runinterval`.
-         Setting it to 0 or an equal or lesser value than `runinterval`,
-         will cause the CRL to be refreshed on every run.
+         In general, the interval should be greater than the `runinterval` value.
+         Setting the `crl_refresh_interval` value to 0 or an equal or lesser value
+         than `runinterval` causes the CRL to be refreshed on every run.
 
          If the agent downloads a new CRL, the agent will use it for subsequent
          network requests. If the refresh request fails or if the CRL is
@@ -1254,18 +1244,19 @@ EOT
     :hostcert_renewal_interval => {
       :default => "30d",
       :type    => :duration,
-      :desc    => "When the Puppet agent refreshes its client certificate.
-         By default the client certificate will refresh 30 days before the certificate
-         expires. If a different duration is specified, then the agent will refresh its
-         client certificate whenever it next runs and if the client certificate expires
-         within the duration specified.
+      :desc => "How often the Puppet agent renews its client certificate. By
+         default, the client certificate is renewed 30 days before the certificate
+         expires. If a different interval is specified, the agent renews its client
+         certificate during the next agent run, assuming that the client certificate has
+         expired within the specified duration.
 
-         In general, the duration should be greater than the `runinterval`.
-         Setting it to 0 will disable automatic renewal.
+         In general, the `hostcert_renewal_interval` value should be greater than the
+         `runinterval` value. Setting the `hostcert_renewal_interval` value to 0 disables
+         automatic renewal.
 
-         If the agent downloads a new certificate, the agent will use it for subsequent
-         network requests. If the refresh request fails, then the agent run will continue using the
-         certificate it already has. #{AS_DURATION}",
+         If the agent downloads a new certificate, the agent will use it
+         for subsequent network requests. If the refresh request fails, the agent run
+         continues to use its existing certificate. #{AS_DURATION}",
     },
     :keylength => {
       :default    => 4096,
@@ -1506,8 +1497,10 @@ EOT
     :exclude_unchanged_resources => {
       :default => true,
       :type => :boolean,
-      :desc => 'When set to true, resources that have had no changes after catalog application
-        will not have corresponding unchanged resource status updates listed in the report.'
+      :desc => "Specifies how unchanged resources are listed in reports. When
+        set to `true`, resources that have had no changes after catalog application
+        will not have corresponding unchanged resource status updates listed in a
+        report."
     },
     :reportdir => {
       :default => "$vardir/reports",
@@ -1759,11 +1752,12 @@ EOT
     :allow_pson_serialization => {
       :default    => false,
       :type       => :boolean,
-      :desc       => "Whether when unable to serialize to JSON or other formats,
-        Puppet falls back to PSON. This option affects both puppetserver's
-        configuration management service responses and when the agent saves its
-        cached catalog. This option is useful in preventing the loss of data because
-        rich data cannot be serialized via PSON.",
+      :desc => "Whether to allow PSON serialization. When unable to serialize to
+        JSON or other formats, Puppet falls back to PSON. This option affects the
+        configuration management service responses of Puppet Server and the process by
+        which the agent saves its cached catalog. With a default value of `false`, this
+        option is useful in preventing the loss of data because rich data cannot be
+        serialized via PSON.",
     },
     :agent_catalog_run_lockfile => {
       :default    => "$statedir/agent_catalog_run.lock",
@@ -1789,7 +1783,7 @@ EOT
       :type       => :boolean,
       :default    => false,
       :desc       => "Whether to include legacy facts when requesting a catalog. This
-        option can be set to false provided all puppet manifests, hiera.yaml and hiera
+        option can be set to `false` if all puppet manifests, hiera.yaml, and hiera
         configuration layers no longer access legacy facts, such as `$osfamily`, and
         instead access structured facts, such as `$facts['os']['family']`."
     },
@@ -2105,12 +2099,12 @@ EOT
     :preprocess_deferred => {
       :default => false,
       :type => :boolean,
-      :desc => "Whether puppet should call deferred functions before applying
-        the catalog. If set to `true`, then all prerequisites needed for the
-        deferred function must be satisfied prior to puppet running. If set to
-        `false`, then deferred functions will follow puppet relationships and
-        ordering. This allows puppet to install prerequisites needed for a
-        deferred function and call the deferred function in the same run."
+      :desc => "Whether Puppet should call deferred functions before applying
+        the catalog. If set to `true`, all prerequisites required for the
+        deferred function must be satisfied before the Puppet run. If set to
+        `false`, deferred functions follow Puppet relationships and
+        ordering. In this way, Puppet can install the prerequisites required for a
+        deferred function and call the deferred function in the same run.",
     },
     :summarize => {
         :default  => false,
@@ -2132,10 +2126,12 @@ EOT
           can produce node information. The command must:
 
           * Take the name of a node as a command-line argument.
+
           * Return a YAML hash with up to three keys:
             * `classes` --- A list of classes, as an array or hash.
             * `environment` --- A string.
             * `parameters` --- A list of top-scope variables to set, as a hash.
+
           * For unknown nodes, exit with a non-zero exit code.
 
           Generally, an ENC script makes requests to an external data source.

data/lib/puppet/face/catalog.rb

@@ -25,13 +25,27 @@ Puppet::Indirector::Face.define(:catalog, '0.0.1') do
 
   deactivate_action(:destroy)
   deactivate_action(:search)
-  find = get_action(:find)
-  find.summary "Retrieve the catalog for the node from which the command is run."
-  find.arguments "<certname>"
-  find.returns <<-'EOT'
-    A serialized catalog. When used from the Ruby API, returns a
-    Puppet::Resource::Catalog object.
-  EOT
+  action(:find) do
+    summary _("Retrieve the catalog for the node from which the command is run.")
+    arguments "<certname>, <facts>"
+    option("--facts_for_catalog") do
+      summary _("Not implemented for the CLI; facts are collected internally.")
+    end
+    returns <<-'EOT'
+      A serialized catalog. When used from the Ruby API, returns a
+      Puppet::Resource::Catalog object.
+    EOT
+
+    when_invoked do |*args|
+      # Default the key to Puppet[:certname] if none is supplied
+      if args.length == 1
+        key = Puppet[:certname]
+      else
+        key = args.shift
+      end
+      call_indirection_method :find, key, args.first
+    end
+  end
 
   action(:apply) do
     summary "Find and apply a catalog."
@@ -135,9 +149,11 @@ Puppet::Indirector::Face.define(:catalog, '0.0.1') do
     when_invoked do |_options|
       Puppet::Resource::Catalog.indirection.terminus_class = :rest
       Puppet::Resource::Catalog.indirection.cache_class = nil
+      facts = Puppet::Face[:facts, '0.0.1'].find(Puppet[:certname])
       catalog = nil
       retrieval_duration = thinmark do
-        catalog = Puppet::Face[:catalog, '0.0.1'].find(Puppet[:certname])
+        catalog = Puppet::Face[:catalog, '0.0.1'].find(Puppet[:certname],
+                                                       { facts_for_catalog: facts })
       end
       catalog.retrieval_duration = retrieval_duration
       catalog.write_class_file

data/lib/puppet/face/help.rb

@@ -151,6 +151,33 @@ Puppet::Face.define(:help, '0.0.1') do
     end.sort
   end
 
+  def generate_summary(appname)
+    if is_face_app?(appname)
+      begin
+        face = Puppet::Face[appname, :current]
+        # Add deprecation message to summary if the face is deprecated
+        summary = face.deprecated? ? face.summary + ' ' + _("(Deprecated)") : face.summary
+        [appname, summary, '  ']
+      rescue StandardError, LoadError
+        error_message = _("!%{sub_command}! Subcommand unavailable due to error.") % { sub_command: appname }
+        error_message += ' ' + _("Check error logs.")
+        [error_message, '', '  ']
+      end
+    else
+      begin
+        summary = Puppet::Application[appname].summary
+        if summary.empty?
+          summary = horribly_extract_summary_from(appname)
+        end
+        [appname, summary, '  ']
+      rescue StandardError, LoadError
+        error_message = _("!%{sub_command}! Subcommand unavailable due to error.") % { sub_command: appname }
+        error_message += ' ' + _("Check error logs.")
+        [error_message, '', '  ']
+      end
+    end
+  end
+
   # Return a list of all applications (both legacy and Face applications), along with a summary
   #  of their functionality.
   # @return [Array] An Array of Arrays.  The outer array contains one entry per application; each
@@ -162,29 +189,8 @@ Puppet::Face.define(:help, '0.0.1') do
 
       if appname == COMMON || appname == SPECIALIZED || appname == BLANK
         result << appname
-      elsif is_face_app?(appname)
-        begin
-          face = Puppet::Face[appname, :current]
-          # Add deprecation message to summary if the face is deprecated
-          summary = face.deprecated? ? face.summary + ' ' + _("(Deprecated)") : face.summary
-          result << [appname, summary, '  ']
-        rescue StandardError, LoadError
-          error_message = _("!%{sub_command}! Subcommand unavailable due to error.") % { sub_command: appname }
-          error_message += ' ' + _("Check error logs.")
-          result << [error_message, '', '  ']
-        end
       else
-        begin
-          summary = Puppet::Application[appname].summary
-          if summary.empty?
-            summary = horribly_extract_summary_from(appname)
-          end
-          result << [appname, summary, '  ']
-        rescue StandardError, LoadError
-          error_message = _("!%{sub_command}! Subcommand unavailable due to error.") % { sub_command: appname }
-          error_message += ' ' + _("Check error logs.")
-          result << [error_message, '', '  ']
-        end
+        result << generate_summary(appname)
       end
     end
   end
@@ -192,15 +198,29 @@ Puppet::Face.define(:help, '0.0.1') do
   COMMON = 'Common:'
   SPECIALIZED = 'Specialized:'
   BLANK = "\n"
+  COMMON_APPS = %w[apply agent config help lookup module resource]
   def available_application_names_special_sort
     full_list = Puppet::Application.available_application_names
-    a_list = full_list & %w[apply agent config help lookup module resource]
+    a_list = full_list & COMMON_APPS
     a_list = a_list.sort
     also_ran = full_list - a_list
     also_ran = also_ran.sort
     [[COMMON], a_list, [BLANK], [SPECIALIZED], also_ran].flatten(1)
   end
 
+  def common_app_summaries
+    COMMON_APPS.map do |appname|
+      generate_summary(appname)
+    end
+  end
+
+  def specialized_app_summaries
+    specialized_apps = Puppet::Application.available_application_names - COMMON_APPS
+    specialized_apps.filter_map do |appname|
+      generate_summary(appname) unless exclude_from_docs?(appname)
+    end
+  end
+
   def horribly_extract_summary_from(appname)
     help = Puppet::Application[appname].help.split("\n")
     # Now we find the line with our summary, extract it, and return it.  This

data/lib/puppet/file_serving/http_metadata.rb

@@ -51,6 +51,8 @@ class Puppet::FileServing::HttpMetadata < Puppet::FileServing::Metadata
     # Prefer the checksum_type from the indirector request options
     # but fall back to the alternative otherwise
     [@checksum_type, :sha256, :sha1, :md5, :mtime].each do |type|
+      next if type == :md5 && Puppet::Util::Platform.fips_enabled?
+
       @checksum_type = type
       @checksum = @checksums[type]
       break if @checksum

data/lib/puppet/functions/capitalize.rb

@@ -5,7 +5,7 @@
 # This function is compatible with the stdlib function with the same name.
 #
 # The function does the following:
-# * For a `String`, a string with its first character in upper case version is returned.
+# * For a `String`, a string is returned in which the first character is uppercase.
 #   This is done using Ruby system locale which handles some, but not all
 #   special international up-casing rules (for example German double-s ß is capitalized to "Ss").
 # * For an `Iterable[Variant[String, Numeric]]` (for example an `Array`) each value is capitalized and the conversion is not recursive.

data/lib/puppet/functions/find_file.rb

@@ -7,6 +7,10 @@
 # directory. (For example, the reference `mysql/mysqltuner.pl` will search for the
 # file `<MODULES DIRECTORY>/mysql/files/mysqltuner.pl`.)
 #
+# If this function is run via puppet agent, it checks for file existence on the
+# Puppet Primary server. If run via puppet apply, it checks on the local host.
+# In both cases, the check is performed before any resources are changed.
+#
 # This function can also accept:
 #
 # * An absolute String path, which checks for the existence of a file from anywhere on disk.

data/lib/puppet/functions/hiera.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'hiera/puppet_function'
+
 # Performs a standard priority lookup of the hierarchy and returns the most specific value
 # for a given key. The returned value can be any type of data.
 #

data/lib/puppet/functions/index.rb

@@ -40,8 +40,8 @@
 # Note that the lambda gets the value and not an array with `[key, value]` as in other
 # iterative functions.
 #
-# Using a lambda that accepts two values works the same way, it simply gets the index/key
-# as the first parameter, and the value as the second.
+# Using a lambda that accepts two values works the same way. The lambda gets the index/key
+# as the first parameter and the value as the second parameter.
 #
 # @example Using the `index` function with an Array and a two-parameter lambda
 #

data/lib/puppet/functions/lookup.rb

@@ -97,7 +97,7 @@
 # or `{'strategy' => 'hash'}` --- Same as the string versions of these merge behaviors.
 # * `{'strategy' => 'deep', <DEEP OPTION> => <VALUE>, ...}` --- Same as `'deep'`,
 # but can adjust the merge with additional options. The available options are:
-#     * `'knockout_prefix'` (string or undef) --- A string prefix to indicate a
+#     * `'knockout_prefix'` (string) --- A string prefix to indicate a
 #     value should be _removed_ from the final result. If a value is exactly equal
 #     to the prefix, it will knockout the entire element. Defaults to `undef`, which
 #     disables this feature.

data/lib/puppet/functions/new.rb

@@ -557,7 +557,7 @@
 # @example Simple Conversion to String specifying the format for the given value directly
 #
 # ```puppet
-# $str = String(10, "%#x")    # produces '0x10'
+# $str = String(10, "%#x")    # produces '0xa'
 # $str = String([10], "%(a")  # produces '("10")'
 # ```
 #

data/lib/puppet/functions/regsubst.rb

@@ -20,13 +20,10 @@ Puppet::Functions.create_function(:regsubst) do
   #        - *M*         Multiline regexps
   #        - *G*         Global replacement; all occurrences of the regexp in each target string will be replaced.  Without this, only the first occurrence will be replaced.
   # @param encoding [Enum['N','E','S','U']]
-  #      Optional. How to handle multibyte characters when compiling the regexp (must not be used when pattern is a
-  #      precompiled regexp). A single-character string with the following values:
-  #        - *N*         None
-  #        - *E*         EUC
-  #        - *S*         SJIS
-  #        - *U*         UTF-8
+  #      Deprecated and ignored parameter, included only for compatibility.
   # @return [Array[String], String] The result of the substitution. Result type is the same as for the target parameter.
+  # @deprecated
+  #   This method has the optional encoding parameter, which is ignored.
   # @example Get the third octet from the node's IP address:
   #   ```puppet
   #   $i3 = regsubst($ipaddress,'^(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)$','\\3')
@@ -56,13 +53,6 @@ Puppet::Functions.create_function(:regsubst) do
   #        - *I*         Ignore case in regexps
   #        - *M*         Multiline regexps
   #        - *G*         Global replacement; all occurrences of the regexp in each target string will be replaced.  Without this, only the first occurrence will be replaced.
-  # @param encoding [Enum['N','E','S','U']]
-  #      Optional. How to handle multibyte characters when compiling the regexp (must not be used when pattern is a
-  #      precompiled regexp). A single-character string with the following values:
-  #        - *N*         None
-  #        - *E*         EUC
-  #        - *S*         SJIS
-  #        - *U*         UTF-8
   # @return [Array[String], String] The result of the substitution. Result type is the same as for the target parameter.
   # @example Put angle brackets around each octet in the node's IP address:
   #   ```puppet
@@ -76,6 +66,13 @@ Puppet::Functions.create_function(:regsubst) do
   end
 
   def regsubst_string(target, pattern, replacement, flags = nil, encoding = nil)
+    if encoding
+      Puppet.warn_once(
+        'deprecations', 'regsubst_function_encoding',
+        _("The regsubst() function's encoding argument has been ignored since Ruby 1.9 and will be removed in a future release")
+      )
+    end
+
     re_flags = 0
     operation = :sub
     unless flags.nil?
@@ -88,7 +85,7 @@ Puppet::Functions.create_function(:regsubst) do
         end
       end
     end
-    inner_regsubst(target, Regexp.compile(pattern, re_flags, encoding), replacement, operation)
+    inner_regsubst(target, Regexp.compile(pattern, re_flags), replacement, operation)
   end
 
   def regsubst_regexp(target, pattern, replacement, flags = nil)

data/lib/puppet/functions/unique.rb

@@ -65,8 +65,9 @@
 # *first-found* unique value, but for `Hash` it contains associations from a set of keys to the set of values clustered by the
 # equality lambda (or the default value equality if no lambda was given). This makes the `unique` function more versatile for hashes
 # in general, while requiring that the simple computation of "hash's unique set of values" is performed as `$hsh.map |$k, $v| { $v }.unique`.
-# (A unique set of hash keys is in general meaningless (since they are unique by definition) - although if processed with a different
-# lambda for equality that would be different. First map the hash to an array of its keys if such a unique computation is wanted).
+# (Generally, it's meaningless to compute the unique set of hash keys because they are unique by definition. However, the
+# situation can change if the hash keys are processed with a different lambda for equality. For this unique computation,
+# first map the hash to an array of its keys.)
 # If the more advanced clustering is wanted for one of the other data types, simply transform it into a `Hash` as shown in the
 # following example.
 #

data/lib/puppet/functions/yaml_data.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'yaml'
+
 # The `yaml_data` is a hiera 5 `data_hash` data provider function.
 # See [the configuration guide documentation](https://puppet.com/docs/puppet/latest/hiera_config_yaml_5.html#configuring-a-hierarchy-level-built-in-backends) for
 # how to use this function.

data/lib/puppet/indirector/catalog/compiler.rb

@@ -2,6 +2,7 @@
 
 require_relative '../../../puppet/environments'
 require_relative '../../../puppet/node'
+require_relative '../../../puppet/node/server_facts'
 require_relative '../../../puppet/resource/catalog'
 require_relative '../../../puppet/indirector/code'
 require_relative '../../../puppet/util/profiler'
@@ -426,40 +427,6 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
   #
   # See also set_server_facts in Puppet::Server::Compiler in puppetserver.
   def set_server_facts
-    @server_facts = {}
-
-    # Add our server Puppet Enterprise version, if available.
-    pe_version_file = '/opt/puppetlabs/server/pe_version'
-    if File.readable?(pe_version_file) and !File.zero?(pe_version_file)
-      @server_facts['pe_serverversion'] = File.read(pe_version_file).chomp
-    end
-
-    # Add our server version to the fact list
-    @server_facts["serverversion"] = Puppet.version.to_s
-
-    # And then add the server name and IP
-    { "servername" => "networking.fqdn",
-      "serverip" => "networking.ip",
-      "serverip6" => "networking.ip6" }.each do |var, fact|
-      value = Puppet.runtime[:facter].value(fact)
-      unless value.nil?
-        @server_facts[var] = value
-      end
-    end
-
-    if @server_facts["servername"].nil?
-      host = Puppet.runtime[:facter].value('networking.hostname')
-      if host.nil?
-        Puppet.warning _("Could not retrieve fact servername")
-      elsif domain = Puppet.runtime[:facter].value('networking.domain') # rubocop:disable Lint/AssignmentInCondition
-        @server_facts["servername"] = [host, domain].join(".")
-      else
-        @server_facts["servername"] = host
-      end
-    end
-
-    if @server_facts["serverip"].nil? && @server_facts["serverip6"].nil?
-      Puppet.warning _("Could not retrieve either serverip or serverip6 fact")
-    end
+    @server_facts = Puppet::Node::ServerFacts.load
   end
 end

data/lib/puppet/interface/action_manager.rb

@@ -19,7 +19,7 @@ module Puppet::Interface::ActionManager
   # @dsl Faces
   def action(name, &block)
     @actions ||= {}
-    Puppet.warning _("Redefining action %{name} for %{self}") % { name: name, self: self } if action?(name)
+    Puppet.debug _("Redefining action %{name} for %{self}") % { name: name, self: self } if action?(name)
 
     action = Puppet::Interface::ActionBuilder.build(self, name, &block)
 

data/lib/puppet/module_tool/tar/gnu.rb

@@ -4,18 +4,20 @@ require 'shellwords'
 
 class Puppet::ModuleTool::Tar::Gnu
   def unpack(sourcefile, destdir, owner)
-    sourcefile = File.expand_path(sourcefile)
+    safe_sourcefile = Shellwords.shellescape(File.expand_path(sourcefile))
     destdir = File.expand_path(destdir)
+    safe_destdir = Shellwords.shellescape(destdir)
 
-    Dir.chdir(destdir) do
-      Puppet::Util::Execution.execute("gzip -dc #{Shellwords.shellescape(sourcefile)} | tar xof -")
-      Puppet::Util::Execution.execute("find . -type d -exec chmod 755 {} +")
-      Puppet::Util::Execution.execute("find . -type f -exec chmod u+rw,g+r,a-st {} +")
-      Puppet::Util::Execution.execute("chown -R #{owner} .")
-    end
+    Puppet::Util::Execution.execute("gzip -dc #{safe_sourcefile} | tar --extract --no-same-owner --directory #{safe_destdir} --file -")
+    Puppet::Util::Execution.execute(['find', destdir, '-type', 'd', '-exec', 'chmod', '755', '{}', '+'])
+    Puppet::Util::Execution.execute(['find', destdir, '-type', 'f', '-exec', 'chmod', 'u+rw,g+r,a-st', '{}', '+'])
+    Puppet::Util::Execution.execute(['chown', '-R', owner, destdir])
   end
 
   def pack(sourcedir, destfile)
-    Puppet::Util::Execution.execute("tar cf - #{sourcedir} | gzip -c > #{File.basename(destfile)}")
+    safe_sourcedir = Shellwords.shellescape(sourcedir)
+    safe_destfile = Shellwords.shellescape(File.basename(destfile))
+
+    Puppet::Util::Execution.execute("tar cf - #{safe_sourcedir} | gzip -c > #{safe_destfile}")
   end
 end