puppet 6.14.0 → 6.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc1216f1f77ee762e957b53119e4b3ece7c58f1bd70c3e0737b9c508a8a81be2
-  data.tar.gz: d24df2321580cf5576069d809557f5ba60668dbd227c1403f602f5d6b99d48f4
+  metadata.gz: b9e741fedb22cc09759911a15e38ec7c05726d6105a6f63cb2d8ab636b62244c
+  data.tar.gz: 85206eb352d11694e203c16725c706a791898f721bff00064833202f3309eef7
 SHA512:
-  metadata.gz: '09c7f51ea3a5d6b9104d04a7409ef44cc77f0199f51ffe00c0daad6ff4a1f844b9f5d3f359d3b686ec68e546a0343b5d52e8307f03c1bf0385fe4b50af081cf4'
-  data.tar.gz: 334425bf5c64658b01588756ee26a2090e8245f4962c16ab31f85f39809e7fadef3d5d95b84ff6a2bc4b0cc2c3f602fad70887007292bf4664e268866c23d7cd
+  metadata.gz: 7eaacd3a269d0f2853b7475e8adf4ca13ee5f865f5c8380be1861095040eb66cd9f443306179291901353e24786409f316b101c333a8255aefc311dec5e1f41e
+  data.tar.gz: dbd894221a877f18e6672ca7696555838d742226f185c559a73b05f16285fb4e842c92dbf5532596cd4c8b6a18911d43d2e241108307c01b3c044efe0614d235

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    puppet (6.14.0)
+    puppet (6.15.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -51,27 +51,27 @@ GEM
       addressable (>= 2.4)
     locale (2.1.3)
     memory_profiler (0.9.14)
-    method_source (0.9.2)
+    method_source (1.0.0)
     minitar (0.9)
     msgpack (1.3.3)
     multi_json (1.14.1)
     mustache (1.1.1)
-    optimist (3.0.0)
-    packaging (0.99.58)
+    optimist (3.0.1)
+    packaging (0.99.61)
       artifactory (~> 2)
       rake (>= 12.3)
       release-metrics
     parallel (1.19.1)
-    parser (2.7.0.4)
+    parser (2.7.1.1)
       ast (~> 2.4.0)
     powerpack (0.1.2)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    public_suffix (4.0.3)
-    puppet-resource_api (1.8.12)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    public_suffix (4.0.4)
+    puppet-resource_api (1.8.13)
       hocon (>= 1.0)
-    puppetserver-ca (1.5.0)
+    puppetserver-ca (1.7.0)
       facter (>= 2.0.1, < 4)
     racc (1.4.9)
     rainbow (2.2.2)
@@ -92,7 +92,7 @@ GEM
       rspec-mocks (~> 3.9.0)
     rspec-core (3.9.1)
       rspec-support (~> 3.9.1)
-    rspec-expectations (3.9.0)
+    rspec-expectations (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-its (1.3.0)
@@ -111,14 +111,14 @@ GEM
       unicode-display_width (~> 1.0, >= 1.0.1)
     rubocop-i18n (1.2.0)
       rubocop (~> 0.49.0)
-    ruby-prof (1.3.0)
+    ruby-prof (1.3.2)
     ruby-progressbar (1.10.1)
     safe_yaml (1.0.5)
     semantic_puppet (1.0.2)
     text (1.3.1)
-    unicode-display_width (1.6.1)
+    unicode-display_width (1.7.0)
     vcr (5.1.0)
-    webmock (3.8.2)
+    webmock (3.8.3)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)

data/ext/windows/service/daemon.rb

@@ -160,7 +160,7 @@ class WindowsDaemon < Win32::Daemon
 
   def parse_runinterval(puppet_path)
     begin
-      runinterval = %x{ #{puppet_path} agent --configprint runinterval }.to_i
+      runinterval = %x{ #{puppet_path} config --section agent --log_level notice print runinterval }.to_i
       if runinterval == 0
         runinterval = 1800
         log_err("Failed to determine runinterval, defaulting to #{runinterval} seconds")
@@ -175,8 +175,8 @@ class WindowsDaemon < Win32::Daemon
 
   def parse_log_level(puppet_path,cmdline_debug)
     begin
-      loglevel = %x{ #{puppet_path} agent --configprint log_level}.chomp
-      unless loglevel
+      loglevel = %x{ #{puppet_path} config --section agent --log_level notice print log_level }.chomp
+      unless loglevel && respond_to?("log_#{loglevel}")
         loglevel = :notice
         log_err("Failed to determine loglevel, defaulting to #{loglevel}")
       end

data/lib/puppet.rb

@@ -236,7 +236,7 @@ module Puppet
           raise e
         end
       },
-      :ssl_host => proc { Puppet::SSL::Host.localhost },
+      :ssl_host => proc { Puppet::SSL::Host.localhost(true) },
       :http_session => proc { Puppet.runtime["http"].create_session },
       :plugins => proc { Puppet::Plugins::Configuration.load_plugins },
       :rich_data => false

data/lib/puppet/agent.rb

@@ -95,11 +95,9 @@ class Puppet::Agent
         atForkHandler.child
         $0 = _("puppet agent: applying configuration")
         begin
-          exit(yield)
-        rescue SystemExit
-          exit(-1)
+          exit(yield || 1)
         rescue NoMemoryError
-          exit(-2)
+          exit(254)
         end
       end
     ensure
@@ -107,12 +105,6 @@ class Puppet::Agent
     end
 
     exit_code = Process.waitpid2(child_pid)
-    case exit_code[1].exitstatus
-    when -1
-      raise SystemExit
-    when -2
-      raise NoMemoryError
-    end
     exit_code[1].exitstatus
   end
 

data/lib/puppet/application/agent.rb

@@ -39,6 +39,7 @@ class Puppet::Application::Agent < Puppet::Application
       :graph => true,
       :fingerprint => false,
       :sourceaddress => nil,
+      :start_time => Time.now,
     }.each do |opt,val|
       options[opt] = val
     end
@@ -405,7 +406,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
 
   def onetime(daemon)
     begin
-      exitstatus = daemon.agent.run(:job_id => options[:job_id])
+      exitstatus = daemon.agent.run({:job_id => options[:job_id], :start_time => options[:start_time]})
     rescue => detail
       Puppet.log_exception(detail)
     end

data/lib/puppet/application/filebucket.rb

@@ -292,7 +292,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
       Puppet::Log.level = :info
     end
 
-      exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
+    exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
 
     require 'puppet/file_bucket/dipper'
     begin
@@ -300,19 +300,10 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
         path = options[:bucket] || Puppet[:clientbucketdir]
         @client = Puppet::FileBucket::Dipper.new(:Path => path)
       else
-        if Puppet[:server_list] && !Puppet[:server_list].empty?
-          server = Puppet[:server_list].first
-          #TRANSLATORS 'server_list' is the name of a setting and should not be translated
-          Puppet.debug _("Selected server from first entry of the `server_list` setting: %{server}:%{port}") % {server: server[0], port: server[1]}
-          @client = Puppet::FileBucket::Dipper.new(
-            :Server => server[0],
-            :Port => server[1]
-          )
-        else
-          #TRANSLATORS 'server' is the name of a setting and should not be translated
-          Puppet.debug _("Selected server from the `server` setting: %{server}") % {server: Puppet[:server]}
-          @client = Puppet::FileBucket::Dipper.new(:Server => Puppet[:server])
-        end
+        session = Puppet.lookup(:http_session)
+        api = session.route_to(:puppet)
+
+        @client = Puppet::FileBucket::Dipper.new(Server: api.url.host, Port: api.url.port)
       end
     rescue => detail
       Puppet.log_exception(detail)

data/lib/puppet/application/ssl.rb

@@ -182,7 +182,7 @@ HELP
     route = create_route(ssl_context)
     Puppet.info _("Downloading certificate '%{name}' from %{url}") % { name: Puppet[:certname], url: route.url }
 
-    x509 = route.get_certificate(Puppet[:certname], ssl_context: ssl_context)
+    _, x509 = route.get_certificate(Puppet[:certname], ssl_context: ssl_context)
     cert = OpenSSL::X509::Certificate.new(x509)
     Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % { name: Puppet[:certname], fingerprint: fingerprint(cert) }
 
@@ -226,7 +226,7 @@ HELP
       begin
         ssl_context = @machine.ensure_ca_certificates
         route = create_route(ssl_context)
-        cert = route.get_certificate(certname, ssl_context: ssl_context)
+        _, cert = route.get_certificate(certname, ssl_context: ssl_context)
       rescue Puppet::HTTP::ResponseError => e
         if e.response.code.to_i != 404
           raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: certname }, e)

data/lib/puppet/configurer.rb

@@ -199,7 +199,7 @@ class Puppet::Configurer
     # environment and transaction_uuid very early, this is to ensure
     # they are sent regardless of any catalog compilation failures or
     # exceptions.
-    options[:report] ||= Puppet::Transaction::Report.new(nil, @environment, @transaction_uuid, @job_id)
+    options[:report] ||= Puppet::Transaction::Report.new(nil, @environment, @transaction_uuid, @job_id, options[:start_time] || Time.now)
     report = options[:report]
     init_storage
 
@@ -235,9 +235,13 @@ class Puppet::Configurer
   end
 
   def run_internal(options)
-    start = Time.now
     report = options[:report]
 
+    if options[:start_time]
+      startup_time = Time.now - options[:start_time]
+      report.add_times(:startup_time, startup_time)
+    end
+
     # If a cached catalog is explicitly requested, attempt to retrieve it. Skip the node request,
     # don't pluginsync and switch to the catalog's environment if we successfully retrieve it.
     if Puppet[:use_cached_catalog]
@@ -402,7 +406,7 @@ class Puppet::Configurer
     end
 
     report.cached_catalog_status ||= @cached_catalog_status
-    report.add_times(:total, Time.now - start)
+    report.add_times(:total, Time.now - report.time)
     report.finalize_report
     Puppet::Util::Log.close(report)
     send_report(report)

data/lib/puppet/configurer/plugin_handler.rb

@@ -36,7 +36,7 @@ class Puppet::Configurer::PluginHandler
     locales = Gem::Version.new(server_agent_version) >= SUPPORTED_LOCALES_MOUNT_AGENT_VERSION
     unless locales
       session = Puppet.lookup(:http_session)
-      locales = session.supports?(:puppet, 'locales')
+      locales = session.supports?(:fileserver, 'locales') || session.supports?(:puppet, 'locales')
     end
 
     if locales

data/lib/puppet/defaults.rb

@@ -81,7 +81,10 @@ module Puppet
             begin
               original_facter = Object.const_get(:Facter)
               Object.send(:remove_const, :Facter)
+
               require 'facter-ng'
+              # It is required to re-setup logger for facter-ng
+              Puppet::Util::Logging.setup_facter_logging!
             rescue LoadError
               Object.const_set(:Facter, original_facter)
               raise ArgumentError, 'facter-ng could not be loaded'
@@ -1637,7 +1640,7 @@ EOT
       :default => [],
       :type => :http_extra_headers,
       :desc => "The list of extra headers that will be sent with http requests to the master.
-      The header definition consists of a name and a value separated by a colon." 
+      The header definition consists of a name and a value separated by a colon."
     },
     :ignoreschedules => {
       :default    => false,
@@ -1795,10 +1798,27 @@ EOT
       :type     => :boolean,
       :desc     => "Whether to send reports after every transaction.",
     },
+    :report_include_system_store => {
+      :default  => false,
+      :type     => :boolean,
+      :desc     => "Whether the 'http' report processor should include the system
+        certificate store when submitting reports to HTTPS URLs. If false, then
+        the 'http' processor will only trust HTTPS report servers whose certificates
+        are issued by the puppet CA or one of its intermediate CAs. If true, the
+        processor will additionally trust CA certificates in the system's
+        certificate store."
+    },
     :resubmit_facts => {
       :default  => false,
       :type     => :boolean,
-      :desc     => "Whether to send updated facts after every transaction.",
+      :desc     => "Whether to send updated facts after every transaction. By default
+        puppet only submits facts at the beginning of the transaction before applying a
+        catalog. Since puppet can modify the state of the system, the value of the facts
+        may change after puppet finishes. Therefore, any facts stored in puppetdb may not
+        be consistent until the agent next runs, typically in 30 minutes. If this feature
+        is enabled, puppet will resubmit facts after applying its catalog, ensuring facts
+        for the node stored in puppetdb are current. However, this will double the fact
+        submission load on puppetdb, so it is disabled by default.",
     },
     :lastrunfile =>  {
       :default  => "$statedir/last_run_summary.yaml",

data/lib/puppet/environments.rb

@@ -247,11 +247,10 @@ module Puppet::Environments
     end
 
     def valid_environment_names
-      if Puppet::FileSystem.directory?(@environment_dir)
-        Puppet::FileSystem.children(@environment_dir).map do |child|
-          Puppet::FileSystem.basename_string(child).intern if validated_directory(child)
-        end.compact
-      end
+      return [] unless Puppet::FileSystem.directory?(@environment_dir)
+      Puppet::FileSystem.children(@environment_dir).map do |child|
+        Puppet::FileSystem.basename_string(child).intern if validated_directory(child)
+      end.compact
     end
   end
 

data/lib/puppet/face/plugin.rb

@@ -44,7 +44,7 @@ Puppet::Face.define(:plugin, '0.0.1') do
       pool = Puppet.runtime['http'].pool
       Puppet.override(:http_pool => pool) do
         begin
-          handler = Puppet::Configurer::PluginHandler.new()
+          handler = Puppet::Configurer::PluginHandler.new
           handler.download_plugins(remote_environment_for_plugins)
         ensure
           pool.close

data/lib/puppet/file_system/file_impl.rb

@@ -80,7 +80,7 @@ class Puppet::FileSystem::FileImpl
   end
 
   def read(path, opts = {})
-    path.read(opts)
+    path.read(**opts)
   end
 
   def read_preserve_line_endings(path)
@@ -156,12 +156,14 @@ class Puppet::FileSystem::FileImpl
   end
 
   def replace_file(path, mode = nil)
-    mode ||= begin
-               stat = Puppet::FileSystem.lstat(path)
-               stat.mode & 07777
-             rescue Errno::ENOENT
-               0640
-             end
+    begin
+      stat = Puppet::FileSystem.lstat(path)
+      gid = stat.gid
+      uid = stat.uid
+      mode ||= stat.mode & 07777
+    rescue Errno::ENOENT
+      mode ||= 0640
+    end
 
     tempfile = Puppet::FileSystem::Uniquefile.new(Puppet::FileSystem.basename_string(path), Puppet::FileSystem.dir_string(path))
     begin
@@ -173,8 +175,10 @@ class Puppet::FileSystem::FileImpl
         tempfile.close
       end
 
-      chmod(mode, tempfile.path)
-      File.rename(tempfile.path, Puppet::FileSystem.path_string(path))
+      tempfile_path = tempfile.path
+      FileUtils.chown(uid, gid, tempfile_path) if uid && gid
+      chmod(mode, tempfile_path)
+      File.rename(tempfile_path, Puppet::FileSystem.path_string(path))
     ensure
       tempfile.close!
     end

data/lib/puppet/forge/repository.rb

@@ -48,7 +48,7 @@ class Puppet::Forge
         end
 
         http = Puppet.runtime['http']
-        response = http.get(uri, headers: headers, user: user, password: password, ssl_context: @ssl_context)
+        response = http.get(uri, headers: headers, options: {user: user, password: password, ssl_context: @ssl_context})
         io.write(response.body) if io.respond_to?(:write)
         response
       rescue Puppet::SSL::CertVerifyError => e

data/lib/puppet/functions/call.rb

@@ -51,7 +51,7 @@
 #
 # Would notice the value of `$facts['processors']['count']` at the time when the `call` is made.
 #
-# * Deferred values supported since Puppet 5.6.0
+# * Deferred values supported since Puppet 6.0
 #
 # @since 5.0.0
 #

data/lib/puppet/functions/reduce.rb

@@ -39,11 +39,9 @@
 # values to the lambda.
 #
 # Puppet calls the lambda for each of the data structure's remaining values. For each
-# call, it passes the result of the previous call as the first parameter ($memo in the
+# call, it passes the result of the previous call as the first parameter (`$memo` in the
 # above examples) and the next value from the data structure as the second parameter
-# ($value).
-#
-# If the structure has one value, Puppet returns the value and does not call the lambda.
+# (`$value`).
 #
 # @example Using the `reduce` function
 #

data/lib/puppet/http.rb

@@ -11,6 +11,7 @@ module Puppet
     end
   end
 
+  # @api private
   module HTTP
     ACCEPT_ENCODING = "gzip;q=1.0,deflate;q=0.6,identity;q=0.3".freeze
     HEADER_PUPPET_VERSION = "X-Puppet-Version".freeze
@@ -30,5 +31,6 @@ module Puppet
     require 'puppet/http/client'
     require 'puppet/http/redirector'
     require 'puppet/http/retry_after_handler'
+    require 'puppet/http/external_client'
   end
 end

data/lib/puppet/http/client.rb

@@ -1,7 +1,34 @@
+#
+# @api private
+#
+# The client contains a pool of persistent HTTP connections and creates HTTP
+# sessions.
+#
 class Puppet::HTTP::Client
+
+  # @api private
+  # @return [Puppet::Network::HTTP::Pool] the pool instance associated with
+  #   this client
   attr_reader :pool
 
-  def initialize(pool: Puppet::Network::HTTP::Pool.new, ssl_context: nil, system_ssl_context: nil, redirect_limit: 10, retry_limit: 100)
+  #
+  # @api private
+  #
+  # Create a new http client instance. The client contains a pool of persistent
+  # HTTP connections and creates HTTP sessions.
+  #
+  # @param [Puppet::Network::HTTP::Pool] pool pool of persistent Net::HTTP
+  #   connections
+  # @param [Puppet::SSL::SSLContext] ssl_context ssl context to be used for
+  #   connections
+  # @param [Puppet::SSL::SSLContext] system_ssl_context the system ssl context
+  #   used if :include_system_store is set to true
+  # @param [Integer] redirect_limit number of HTTP redirections to allow in a
+  #   given request
+  # @param [Integer] retry_limit number of HTTP reties allowed in a given
+  #   request
+  #
+  def initialize(pool: Puppet::Network::HTTP::Pool.new(Puppet[:http_keepalive_timeout]), ssl_context: nil, system_ssl_context: nil, redirect_limit: 10, retry_limit: 100)
     @pool = pool
     @default_headers = {
       'X-Puppet-Version' => Puppet.version,
@@ -11,24 +38,48 @@ class Puppet::HTTP::Client
     @default_system_ssl_context = system_ssl_context
     @redirector = Puppet::HTTP::Redirector.new(redirect_limit)
     @retry_after_handler = Puppet::HTTP::RetryAfterHandler.new(retry_limit, Puppet[:runinterval])
-    @resolvers = build_resolvers
   end
 
+  #
+  # @api private
+  #
+  # Create a new HTTP session. A session is the object through which services
+  # may be connected to and accessed.
+  #
+  # @return [Puppet::HTTP::Session] the newly created HTTP session
+  #
   def create_session
-    Puppet::HTTP::Session.new(self, @resolvers)
+    Puppet::HTTP::Session.new(self, build_resolvers)
   end
 
-  def connect(uri, ssl_context: nil, include_system_store: false, &block)
+  #
+  # @api private
+  #
+  # Open a connection to the given URI
+  #
+  # @param [URI] uri the connection destination
+  # @param [Hash] options
+  # @option options [Puppet::SSL::SSLContext] :ssl_context (nil) ssl context to
+  #   be used for connections
+  # @option options [Boolean] :include_system_store (false) if we should include
+  #   the system store for connection
+  #
+  # @yield [Net::HTTP] If a block is given, yields an active http connection
+  #   from the pool
+  #
+  def connect(uri, options: {}, &block)
     start = Time.now
-    ctx = resolve_ssl_context(ssl_context, include_system_store)
-    site = Puppet::Network::HTTP::Site.from_uri(uri)
-    verifier = if site.use_ssl?
-                 Puppet::SSL::Verifier.new(site.host, ctx)
-               else
-                 nil
-               end
+    verifier = nil
     connected = false
 
+    site = Puppet::Network::HTTP::Site.from_uri(uri)
+    if site.use_ssl?
+      ssl_context = options.fetch(:ssl_context, nil)
+      include_system_store = options.fetch(:include_system_store, false)
+      ctx = resolve_ssl_context(ssl_context, include_system_store)
+      verifier = Puppet::SSL::Verifier.new(site.host, ctx)
+    end
+
     @pool.with_connection(site, verifier) do |http|
       connected = true
       if block_given?
@@ -50,16 +101,30 @@ class Puppet::HTTP::Client
                 {uri: uri, elapsed: elapsed(start), message: e.message}, e, connected)
   end
 
-  def get(url, headers: {}, params: {}, user: nil, password: nil, ssl_context: nil, include_system_store: false, &block)
-    query = encode_params(params)
-    unless query.empty?
-      url = url.dup
-      url.query = query
-    end
+  #
+  # @api private
+  #
+  # Submits a GET HTTP request to the given url
+  #
+  # @param [URI] url the location to submit the http request
+  # @param [Hash] headers merged with the default headers defined by the client
+  # @param [Hash] params encoded and set as the url query
+  # @param [Hash] options passed through to the request execution
+  # @option options [Puppet::SSL::SSLContext] :ssl_context (nil) ssl context to
+  #   be used for connections
+  # @option options [Boolean] :include_system_store (false) if we should include
+  #   the system store for connection
+  #
+  # @yield [Puppet::HTTP::Response] if a block is given yields the response
+  #
+  # @return [String] if a block is not given, returns the response body
+  #
+  def get(url, headers: {}, params: {}, options: {}, &block)
+    url = encode_query(url, params)
 
     request = Net::HTTP::Get.new(url, @default_headers.merge(headers))
 
-    execute_streaming(request, user: user, password: password, ssl_context: ssl_context, include_system_store: include_system_store) do |response|
+    execute_streaming(request, options: options) do |response|
       if block_given?
         yield response
       else
@@ -68,50 +133,94 @@ class Puppet::HTTP::Client
     end
   end
 
-  def head(url, headers: {}, params: {}, user: nil, password: nil, ssl_context: nil, include_system_store: false)
-    query = encode_params(params)
-    unless query.empty?
-      url = url.dup
-      url.query = query
-    end
+  #
+  # @api private
+  #
+  # Submits a HEAD HTTP request to the given url
+  #
+  # @param [URI] url the location to submit the http request
+  # @param [Hash] headers merged with the default headers defined by the client
+  # @param [Hash] params encoded and set as the url query
+  # @param [Hash] options passed through to the request execution
+  # @option options [Puppet::SSL::SSLContext] :ssl_context (nil) ssl context to
+  #   be used for connections
+  # @option options [Boolean] :include_system_store (false) if we should include
+  #   the system store for connection
+  #
+  # @return [String] the body of the request response
+  #
+  def head(url, headers: {}, params: {}, options: {})
+    url = encode_query(url, params)
 
     request = Net::HTTP::Head.new(url, @default_headers.merge(headers))
 
-    execute_streaming(request, user: user, password: password, ssl_context: ssl_context, include_system_store: include_system_store) do |response|
+    execute_streaming(request, options: options) do |response|
       response.body
     end
   end
 
-  def put(url, headers: {}, params: {}, content_type:, body:, user: nil, password: nil, ssl_context: nil, include_system_store: false)
-    query = encode_params(params)
-    unless query.empty?
-      url = url.dup
-      url.query = query
-    end
+  #
+  # @api private
+  #
+  # Submits a PUT HTTP request to the given url
+  #
+  # @param [URI] url the location to submit the http request
+  # @param [String] body the body of the PUT request
+  # @param [Hash] headers merged with the default headers defined by the client
+  # @param [Hash] params encoded and set as the url query
+  # @param [Hash] options passed through to the request execution
+  # @option options [String] :content_type the type of the body content
+  # @option options [Puppet::SSL::SSLContext] :ssl_context (nil) ssl context to
+  #   be used for connections
+  # @option options [Boolean] :include_system_store (false) if we should include
+  #   the system store for connection
+  #
+  # @return [String] the body of the request response
+  #
+  def put(url, body, headers: {}, params: {}, options: {})
+    raise ArgumentError, "'put' requires a string 'body' argument" unless body.is_a?(String)
+    url = encode_query(url, params)
 
     request = Net::HTTP::Put.new(url, @default_headers.merge(headers))
     request.body = body
-    request['Content-Length'] = body.bytesize
-    request['Content-Type'] = content_type
+    request.content_length = body.bytesize
+
+    raise ArgumentError, "'put' requires a 'content-type' header" unless request['Content-Type']
 
-    execute_streaming(request, user: user, password: password, ssl_context: ssl_context, include_system_store: include_system_store) do |response|
+    execute_streaming(request, options: options) do |response|
       response.body
     end
   end
 
-  def post(url, headers: {}, params: {}, content_type:, body:, user: nil, password: nil, ssl_context: nil, include_system_store: false, &block)
-    query = encode_params(params)
-    unless query.empty?
-      url = url.dup
-      url.query = query
-    end
+  #
+  # @api private
+  #
+  # Submits a POST HTTP request to the given url
+  #
+  # @param [URI] url the location to submit the http request
+  # @param [String] body the body of the POST request
+  # @param [Hash] headers merged with the default headers defined by the client
+  # @param [Hash] params encoded and set as the url query
+  # @param [Hash] options passed through to the request execution
+  # @option options [String] :content_type the type of the body content
+  # @option options [Puppet::SSL::SSLContext] :ssl_context (nil) ssl context to
+  #   be used for connections
+  # @option options [Boolean] :include_system_store (false) if we should include
+  #   the system store for connection
+  #
+  # @return [String] the body of the request response
+  #
+  def post(url, body, headers: {}, params: {}, options: {}, &block)
+    raise ArgumentError, "'post' requires a string 'body' argument" unless body.is_a?(String)
+    url = encode_query(url, params)
 
     request = Net::HTTP::Post.new(url, @default_headers.merge(headers))
     request.body = body
-    request['Content-Length'] = body.bytesize
-    request['Content-Type'] = content_type
+    request.content_length = body.bytesize
+
+    raise ArgumentError, "'post' requires a 'content-type' header" unless request['Content-Type']
 
-    execute_streaming(request, user: user, password: password, ssl_context: ssl_context, include_system_store: include_system_store) do |response|
+    execute_streaming(request, options: options) do |response|
       if block_given?
         yield response
       else
@@ -120,34 +229,64 @@ class Puppet::HTTP::Client
     end
   end
 
-  def delete(url, headers: {}, params: {}, user: nil, password: nil, ssl_context: nil, include_system_store: false)
-    query = encode_params(params)
-    unless query.empty?
-      url = url.dup
-      url.query = query
-    end
+  #
+  # @api private
+  #
+  # Submits a DELETE HTTP request to the given url
+  #
+  # @param [URI] url the location to submit the http request
+  # @param [Hash] headers merged with the default headers defined by the client
+  # @param [Hash] params encoded and set as the url query
+  # @param [Hash] options options hash passed through to the request execution
+  # @option options [Puppet::SSL::SSLContext] :ssl_context (nil) ssl context to
+  #   be used for connections
+  # @option options [Boolean] :include_system_store (false) if we should include
+  #   the system store for connection
+  #
+  # @return [String] the body of the request response
+  #
+  def delete(url, headers: {}, params: {}, options: {})
+    url = encode_query(url, params)
 
     request = Net::HTTP::Delete.new(url, @default_headers.merge(headers))
 
-    execute_streaming(request, user: user, password: password, ssl_context: ssl_context, include_system_store: include_system_store) do |response|
+    execute_streaming(request, options: options) do |response|
       response.body
     end
   end
 
+  #
+  # @api private
+  #
+  # Close persistent connections in the pool
+  #
   def close
     @pool.close
   end
 
+  protected
+
+  def encode_query(url, params)
+    return url if params.empty?
+
+    url = url.dup
+    url.query = encode_params(params)
+    url
+  end
+
   private
 
-  def execute_streaming(request, user: nil, password: nil, ssl_context:, include_system_store:, &block)
+  def execute_streaming(request, options: {}, &block)
+    user = options.fetch(:user, nil)
+    password = options.fetch(:password, nil)
+
     redirects = 0
     retries = 0
     response = nil
     done = false
 
     while !done do
-      connect(request.uri, ssl_context: ssl_context, include_system_store: include_system_store) do |http|
+      connect(request.uri, options: options) do |http|
         apply_auth(request, user, password)
 
         # don't call return within the `request` block