puppet 8.7.0 → 8.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a8e483c759c33f8dbfa7ba2e922b401920dbf3b0db1f0187bb52314246ef41f6
-  data.tar.gz: 9bf39c096815fd0e104600c4a0f66e428bfafb882eb15acfc118a9cca4c4c04f
+  metadata.gz: f89da386754e99d82576c50391217640d9d740f5aa41df6d0a091aafd35377b1
+  data.tar.gz: bfb37d9f9f20cc9607976f782622fb16ff6146cdef2642ad5cd46e55b31d7f40
 SHA512:
-  metadata.gz: 5070ae0faf1d73683ba1720b295223165b361e42115cb15b14440c02256e2a4d4c0c2b453fe2f4c3ac1cc82e47027e2b2727642618cfa133900fb2eddb6bf627
-  data.tar.gz: 3dc3525bd0c280c21d017f9fbfff2dd5e91dd059e0ee6061a4866f3164ff49a2daf09d823cf3c2b148b4763b60b13a65b778b667f6ed1889a5fda2003edf759c
+  metadata.gz: 43d308cfe325c7985ff9d0a6310ee36a7d23f3c4080bd97445375d0d01ed59ed9cbed104efd5a40824b0cef277b2934976df028a827965612eac1c2a97659b9c
+  data.tar.gz: 87293cc2c9f04ec783873109a65d30162d02698ddc5947287a71a3662c53041e5b6eefbc166595fc3a014f18025311d3117ef93bd8cc07fa5f4c1d5da73082da

data/Gemfile

@@ -35,6 +35,7 @@ group(:features) do
   # requires native ldap headers/libs
   # gem 'ruby-ldap', '~> 0.9', require: false, platforms: [:ruby]
   gem 'puppetserver-ca', '~> 2.0', require: false
+  gem 'syslog', '~> 0.1.1', require: false, platforms: [:ruby]
   gem 'CFPropertyList', ['>= 3.0.6', '< 4'], require: false
 end
 

data/Gemfile.lock

@@ -1,11 +1,12 @@
 PATH
   remote: .
   specs:
-    puppet (8.7.0)
+    puppet (8.8.1)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
       facter (>= 4.3.0, < 5)
-      fast_gettext (>= 2.1, < 3)
+      fast_gettext (>= 2.1, < 4)
+      getoptlong (~> 0.2.0)
       locale (~> 2.1)
       multi_json (~> 1.13)
       puppet-resource_api (~> 1.5)
@@ -19,14 +20,14 @@ GEM
       base64
       nkf
       rexml
-    addressable (2.8.6)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
     artifactory (3.0.17)
     ast (2.4.2)
     base64 (0.2.0)
     bigdecimal (3.1.8)
     coderay (1.1.3)
-    concurrent-ruby (1.3.1)
+    concurrent-ruby (1.3.3)
     crack (1.0.0)
       bigdecimal
       rexml
@@ -37,18 +38,20 @@ GEM
     digest-crc (0.6.5)
       rake (>= 12.0.0, < 14.0.0)
     docopt (0.6.1)
-    erubi (1.12.0)
-    facter (4.7.0)
+    erubi (1.13.0)
+    facter (4.8.0)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 1.3)
-    faraday (2.9.1)
+    faraday (2.10.0)
       faraday-net_http (>= 2.0, < 3.2)
+      logger
     faraday-net_http (3.1.0)
       net-http
     fast_gettext (2.4.0)
       prime
     ffi (1.16.3)
     forwardable (1.3.3)
+    getoptlong (0.2.1)
     gettext (3.4.9)
       erubi
       locale (>= 2.0.5)
@@ -69,7 +72,7 @@ GEM
       rexml
     google-apis-iamcredentials_v1 (0.21.0)
       google-apis-core (>= 0.15.0, < 2.a)
-    google-apis-storage_v1 (0.39.0)
+    google-apis-storage_v1 (0.40.0)
       google-apis-core (>= 0.15.0, < 2.a)
     google-cloud-core (1.7.0)
       google-cloud-env (>= 1.0, < 3.a)
@@ -104,11 +107,12 @@ GEM
     json (2.7.2)
     json-schema (2.8.1)
       addressable (>= 2.4)
-    jwt (2.8.1)
+    jwt (2.8.2)
       base64
     language_server-protocol (3.17.0.3)
     locale (2.1.4)
-    memory_profiler (1.0.1)
+    logger (1.6.0)
+    memory_profiler (1.0.2)
     method_source (1.1.0)
     mini_mime (1.1.5)
     minitar (0.9)
@@ -127,8 +131,8 @@ GEM
       googleauth
       rake (>= 12.3)
       release-metrics
-    parallel (1.24.0)
-    parser (3.3.2.0)
+    parallel (1.25.1)
+    parser (3.3.4.0)
       ast (~> 2.4.1)
       racc
     prime (0.1.2)
@@ -137,7 +141,7 @@ GEM
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.5)
+    public_suffix (6.0.1)
     puppet-resource_api (1.9.0)
       hocon (>= 1.0)
     puppetserver-ca (2.7.0)
@@ -156,8 +160,8 @@ GEM
       trailblazer-option (>= 0.1.1, < 0.2.0)
       uber (< 0.2.0)
     retriable (3.1.2)
-    rexml (3.2.8)
-      strscan (>= 3.0.9)
+    rexml (3.3.2)
+      strscan
     ronn (0.7.3)
       hpricot (>= 0.8.2)
       mustache (>= 0.7.0)
@@ -168,7 +172,7 @@ GEM
       rspec-mocks (~> 3.13.0)
     rspec-core (3.13.0)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.0)
+    rspec-expectations (3.13.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-its (1.3.0)
@@ -178,37 +182,37 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.1)
-    rubocop (1.64.1)
+    rubocop (1.65.0)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
+      regexp_parser (>= 2.4, < 3.0)
       rexml (>= 3.2.5, < 4.0)
       rubocop-ast (>= 1.31.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
     rubocop-ast (1.31.3)
       parser (>= 3.3.1.0)
-    rubocop-capybara (2.20.0)
-      rubocop (~> 1.41)
-    rubocop-factory_bot (2.25.1)
+    rubocop-capybara (2.21.0)
       rubocop (~> 1.41)
+    rubocop-factory_bot (2.26.1)
+      rubocop (~> 1.61)
     rubocop-i18n (3.0.0)
       rubocop (~> 1.0)
-    rubocop-performance (1.21.0)
+    rubocop-performance (1.21.1)
       rubocop (>= 1.48.1, < 2.0)
       rubocop-ast (>= 1.31.1, < 2.0)
     rubocop-rake (0.6.0)
       rubocop (~> 1.0)
-    rubocop-rspec (2.30.0)
+    rubocop-rspec (2.31.0)
       rubocop (~> 1.40)
       rubocop-capybara (~> 2.17)
       rubocop-factory_bot (~> 2.22)
       rubocop-rspec_rails (~> 2.28)
-    rubocop-rspec_rails (2.28.3)
-      rubocop (~> 1.40)
+    rubocop-rspec_rails (2.29.1)
+      rubocop (~> 1.61)
     ruby-prof (1.7.0)
     ruby-progressbar (1.13.0)
     scanf (1.0.0)
@@ -220,6 +224,7 @@ GEM
       multi_json (~> 1.10)
     singleton (0.2.0)
     strscan (3.1.0)
+    syslog (0.1.2)
     text (1.3.1)
     thor (1.2.2)
     trailblazer-option (0.1.2)
@@ -268,6 +273,7 @@ DEPENDENCIES
   rubocop-rspec (~> 2.0)
   ruby-prof (>= 0.16.0)
   semantic_puppet (~> 1.0)
+  syslog (~> 0.1.1)
   vcr (~> 6.1)
   webmock (~> 3.0)
   webrick (~> 1.7)

data/ext/windows/service/daemon.rb

@@ -155,12 +155,19 @@ class WindowsDaemon < Puppet::Util::Windows::Daemon
     end
   end
 
+  # Parses runinterval.
+  #
+  # @param puppet_path [String] The file path for the Puppet executable.
+  # @return runinterval [Integer] How often to do a Puppet run, in seconds.
   def parse_runinterval(puppet_path)
     begin
-      runinterval = %x(#{puppet_path} config --section agent --log_level notice print runinterval).to_i
-      if runinterval == 0
+      runinterval = %x(#{puppet_path} config --section agent --log_level notice print runinterval).chomp
+      if runinterval == ''
         runinterval = 1800
         log_err("Failed to determine runinterval, defaulting to #{runinterval} seconds")
+      else
+        # Use Kernel#Integer because to_i will return 0 with non-numeric strings.
+        runinterval = Integer(runinterval)
       end
     rescue Exception => e
       log_exception(e)

data/lib/puppet/application/doc.rb

@@ -173,11 +173,7 @@ class Puppet::Application::Doc < Puppet::Application
 
     text += Puppet::Util::Reference.footer unless with_contents # We've only got one reference
 
-    if options[:mode] == :pdf
-      Puppet::Util::Reference.pdf(text)
-    else
-      puts text
-    end
+    puts text
 
     exit exit_code
   end

data/lib/puppet/application/lookup.rb

@@ -3,6 +3,7 @@
 require_relative '../../puppet/application'
 require_relative '../../puppet/pops'
 require_relative '../../puppet/node'
+require_relative '../../puppet/node/server_facts'
 require_relative '../../puppet/parser/compiler'
 
 class Puppet::Application::Lookup < Puppet::Application
@@ -403,6 +404,7 @@ class Puppet::Application::Lookup < Puppet::Application
       end
     end
     node.environment = Puppet[:environment] if Puppet.settings.set_by_cli?(:environment)
+    node.add_server_facts(Puppet::Node::ServerFacts.load)
     Puppet[:code] = 'undef' unless options[:compile]
     compiler = Puppet::Parser::Compiler.new(node)
     if options[:node]

data/lib/puppet/daemon.rb

@@ -165,7 +165,6 @@ class Puppet::Daemon
     reparse_run = Puppet::Scheduler.create_job(Puppet[:filetimeout]) do
       Puppet.settings.reparse_config_files
       agent_run.run_interval = Puppet[:runinterval]
-      agent_run.splay_limit = Puppet[:splaylimit] if Puppet[:splay]
       if Puppet[:filetimeout] == 0
         reparse_run.disable
       else

data/lib/puppet/defaults.rb

@@ -47,29 +47,15 @@ module Puppet
   end
 
   def self.default_basemodulepath
-    if Puppet::Util::Platform.windows?
-      path = ['$codedir/modules']
-      installdir = ENV.fetch("FACTER_env_windows_installdir", nil)
-      if installdir
-        path << "#{installdir}/puppet/modules"
-      end
-      path.join(File::PATH_SEPARATOR)
-    else
-      '$codedir/modules:/opt/puppetlabs/puppet/modules'
+    path = ['$codedir/modules']
+    if (run_mode_dir = Puppet.run_mode.common_module_dir)
+      path << run_mode_dir
     end
+    path.join(File::PATH_SEPARATOR)
   end
 
   def self.default_vendormoduledir
-    if Puppet::Util::Platform.windows?
-      installdir = ENV.fetch("FACTER_env_windows_installdir", nil)
-      if installdir
-        "#{installdir}\\puppet\\vendor_modules"
-      else
-        nil
-      end
-    else
-      '/opt/puppetlabs/puppet/vendor_modules'
-    end
+    Puppet.run_mode.vendor_module_dir
   end
 
   ############################################################################################

data/lib/puppet/file_serving/http_metadata.rb

@@ -51,6 +51,8 @@ class Puppet::FileServing::HttpMetadata < Puppet::FileServing::Metadata
     # Prefer the checksum_type from the indirector request options
     # but fall back to the alternative otherwise
     [@checksum_type, :sha256, :sha1, :md5, :mtime].each do |type|
+      next if type == :md5 && Puppet::Util::Platform.fips_enabled?
+
       @checksum_type = type
       @checksum = @checksums[type]
       break if @checksum

data/lib/puppet/functions/regsubst.rb

@@ -20,13 +20,10 @@ Puppet::Functions.create_function(:regsubst) do
   #        - *M*         Multiline regexps
   #        - *G*         Global replacement; all occurrences of the regexp in each target string will be replaced.  Without this, only the first occurrence will be replaced.
   # @param encoding [Enum['N','E','S','U']]
-  #      Optional. How to handle multibyte characters when compiling the regexp (must not be used when pattern is a
-  #      precompiled regexp). A single-character string with the following values:
-  #        - *N*         None
-  #        - *E*         EUC
-  #        - *S*         SJIS
-  #        - *U*         UTF-8
+  #      Deprecated and ignored parameter, only here for compatibility.
   # @return [Array[String], String] The result of the substitution. Result type is the same as for the target parameter.
+  # @deprecated
+  #   This method has the optional encoding parameter, which is ignored.
   # @example Get the third octet from the node's IP address:
   #   ```puppet
   #   $i3 = regsubst($ipaddress,'^(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)$','\\3')
@@ -56,13 +53,6 @@ Puppet::Functions.create_function(:regsubst) do
   #        - *I*         Ignore case in regexps
   #        - *M*         Multiline regexps
   #        - *G*         Global replacement; all occurrences of the regexp in each target string will be replaced.  Without this, only the first occurrence will be replaced.
-  # @param encoding [Enum['N','E','S','U']]
-  #      Optional. How to handle multibyte characters when compiling the regexp (must not be used when pattern is a
-  #      precompiled regexp). A single-character string with the following values:
-  #        - *N*         None
-  #        - *E*         EUC
-  #        - *S*         SJIS
-  #        - *U*         UTF-8
   # @return [Array[String], String] The result of the substitution. Result type is the same as for the target parameter.
   # @example Put angle brackets around each octet in the node's IP address:
   #   ```puppet
@@ -76,6 +66,13 @@ Puppet::Functions.create_function(:regsubst) do
   end
 
   def regsubst_string(target, pattern, replacement, flags = nil, encoding = nil)
+    if encoding
+      Puppet.warn_once(
+        'deprecations', 'regsubst_function_encoding',
+        _("The regsubst() function's encoding argument has been ignored since Ruby 1.9 and will be removed in a future release")
+      )
+    end
+
     re_flags = 0
     operation = :sub
     unless flags.nil?
@@ -88,7 +85,7 @@ Puppet::Functions.create_function(:regsubst) do
         end
       end
     end
-    inner_regsubst(target, Regexp.compile(pattern, re_flags, encoding), replacement, operation)
+    inner_regsubst(target, Regexp.compile(pattern, re_flags), replacement, operation)
   end
 
   def regsubst_regexp(target, pattern, replacement, flags = nil)

data/lib/puppet/indirector/catalog/compiler.rb

@@ -2,6 +2,7 @@
 
 require_relative '../../../puppet/environments'
 require_relative '../../../puppet/node'
+require_relative '../../../puppet/node/server_facts'
 require_relative '../../../puppet/resource/catalog'
 require_relative '../../../puppet/indirector/code'
 require_relative '../../../puppet/util/profiler'
@@ -426,40 +427,6 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
   #
   # See also set_server_facts in Puppet::Server::Compiler in puppetserver.
   def set_server_facts
-    @server_facts = {}
-
-    # Add our server Puppet Enterprise version, if available.
-    pe_version_file = '/opt/puppetlabs/server/pe_version'
-    if File.readable?(pe_version_file) and !File.zero?(pe_version_file)
-      @server_facts['pe_serverversion'] = File.read(pe_version_file).chomp
-    end
-
-    # Add our server version to the fact list
-    @server_facts["serverversion"] = Puppet.version.to_s
-
-    # And then add the server name and IP
-    { "servername" => "networking.fqdn",
-      "serverip" => "networking.ip",
-      "serverip6" => "networking.ip6" }.each do |var, fact|
-      value = Puppet.runtime[:facter].value(fact)
-      unless value.nil?
-        @server_facts[var] = value
-      end
-    end
-
-    if @server_facts["servername"].nil?
-      host = Puppet.runtime[:facter].value('networking.hostname')
-      if host.nil?
-        Puppet.warning _("Could not retrieve fact servername")
-      elsif domain = Puppet.runtime[:facter].value('networking.domain') # rubocop:disable Lint/AssignmentInCondition
-        @server_facts["servername"] = [host, domain].join(".")
-      else
-        @server_facts["servername"] = host
-      end
-    end
-
-    if @server_facts["serverip"].nil? && @server_facts["serverip6"].nil?
-      Puppet.warning _("Could not retrieve either serverip or serverip6 fact")
-    end
+    @server_facts = Puppet::Node::ServerFacts.load
   end
 end

data/lib/puppet/module_tool/tar/gnu.rb

@@ -4,18 +4,20 @@ require 'shellwords'
 
 class Puppet::ModuleTool::Tar::Gnu
   def unpack(sourcefile, destdir, owner)
-    sourcefile = File.expand_path(sourcefile)
+    safe_sourcefile = Shellwords.shellescape(File.expand_path(sourcefile))
     destdir = File.expand_path(destdir)
+    safe_destdir = Shellwords.shellescape(destdir)
 
-    Dir.chdir(destdir) do
-      Puppet::Util::Execution.execute("gzip -dc #{Shellwords.shellescape(sourcefile)} | tar xof -")
-      Puppet::Util::Execution.execute("find . -type d -exec chmod 755 {} +")
-      Puppet::Util::Execution.execute("find . -type f -exec chmod u+rw,g+r,a-st {} +")
-      Puppet::Util::Execution.execute("chown -R #{owner} .")
-    end
+    Puppet::Util::Execution.execute("gzip -dc #{safe_sourcefile} | tar --extract --no-same-owner --directory #{safe_destdir} --file -")
+    Puppet::Util::Execution.execute(['find', destdir, '-type', 'd', '-exec', 'chmod', '755', '{}', '+'])
+    Puppet::Util::Execution.execute(['find', destdir, '-type', 'f', '-exec', 'chmod', 'u+rw,g+r,a-st', '{}', '+'])
+    Puppet::Util::Execution.execute(['chown', '-R', owner, destdir])
   end
 
   def pack(sourcedir, destfile)
-    Puppet::Util::Execution.execute("tar cf - #{sourcedir} | gzip -c > #{File.basename(destfile)}")
+    safe_sourcedir = Shellwords.shellescape(sourcedir)
+    safe_destfile = Shellwords.shellescape(File.basename(destfile))
+
+    Puppet::Util::Execution.execute("tar cf - #{safe_sourcedir} | gzip -c > #{safe_destfile}")
   end
 end

data/lib/puppet/node/server_facts.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+class Puppet::Node::ServerFacts
+  def self.load
+    server_facts = {}
+
+    # Add our server Puppet Enterprise version, if available.
+    pe_version_file = '/opt/puppetlabs/server/pe_version'
+    if File.readable?(pe_version_file) and !File.zero?(pe_version_file)
+      server_facts['pe_serverversion'] = File.read(pe_version_file).chomp
+    end
+
+    # Add our server version to the fact list
+    server_facts["serverversion"] = Puppet.version.to_s
+
+    # And then add the server name and IP
+    { "servername" => "networking.fqdn",
+      "serverip" => "networking.ip",
+      "serverip6" => "networking.ip6" }.each do |var, fact|
+      value = Puppet.runtime[:facter].value(fact)
+      unless value.nil?
+        server_facts[var] = value
+      end
+    end
+
+    if server_facts["servername"].nil?
+      host = Puppet.runtime[:facter].value('networking.hostname')
+      if host.nil?
+        Puppet.warning _("Could not retrieve fact servername")
+      elsif domain = Puppet.runtime[:facter].value('networking.domain') # rubocop:disable Lint/AssignmentInCondition
+        server_facts["servername"] = [host, domain].join(".")
+      else
+        server_facts["servername"] = host
+      end
+    end
+
+    if server_facts["serverip"].nil? && server_facts["serverip6"].nil?
+      Puppet.warning _("Could not retrieve either serverip or serverip6 fact")
+    end
+
+    server_facts
+  end
+end

data/lib/puppet/parser/functions/generate.rb

@@ -31,7 +31,8 @@ Puppet::Parser::Functions.newfunction(:generate, :arity => -2, :type => :rvalue,
   end
 
   begin
-    Dir.chdir(File.dirname(args[0])) { Puppet::Util::Execution.execute(args).to_str }
+    dir = File.dirname(args[0])
+    Puppet::Util::Execution.execute(args, failonfail: true, combine: true, cwd: dir).to_str
   rescue Puppet::ExecutionFailure => detail
     raise Puppet::ParseError, _("Failed to execute generator %{generator}: %{detail}") % { generator: args[0], detail: detail }, detail.backtrace
   end

data/lib/puppet/pops/evaluator/deferred_resolver.rb

@@ -89,17 +89,25 @@ class DeferredResolver
       overrides = {}
       r.parameters.each_pair do |k, v|
         resolved = resolve(v)
-        # If the value is instance of Sensitive - assign the unwrapped value
-        # and mark it as sensitive if not already marked
-        #
         case resolved
         when Puppet::Pops::Types::PSensitiveType::Sensitive
+          # If the resolved value is instance of Sensitive - assign the unwrapped value
+          # and mark it as sensitive if not already marked
+          #
           resolved = resolved.unwrap
           mark_sensitive_parameters(r, k)
-        # If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
-        # The DeferredValue.resolve method will unwrap it during catalog application
+
         when Puppet::Pops::Evaluator::DeferredValue
-          if v.arguments.any? { |arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType) }
+          # If the resolved value is a DeferredValue and it has an argument of type
+          # PSensitiveType, mark it as sensitive. Since DeferredValues can nest,
+          # we must walk all arguments, e.g. the DeferredValue may call the `epp`
+          # function, where one of its arguments is a DeferredValue to call the
+          # `vault:lookup` function.
+          #
+          # The DeferredValue.resolve method will unwrap the sensitive during
+          # catalog application
+          #
+          if contains_sensitive_args?(v)
             mark_sensitive_parameters(r, k)
           end
         end
@@ -109,6 +117,33 @@ class DeferredResolver
     end
   end
 
+  # Return true if x contains an argument that is an instance of PSensitiveType:
+  #
+  #   Deferred('new', [Sensitive, 'password'])
+  #
+  # Or an instance of PSensitiveType::Sensitive:
+  #
+  #   Deferred('join', [['a', Sensitive('b')], ':'])
+  #
+  # Since deferred values can nest, descend into Arrays and Hash keys and values,
+  # short-circuiting when the first occurrence is found.
+  #
+  def contains_sensitive_args?(x)
+    case x
+    when @deferred_class
+      contains_sensitive_args?(x.arguments)
+    when Array
+      x.any? { |v| contains_sensitive_args?(v) }
+    when Hash
+      x.any? { |k, v| contains_sensitive_args?(k) || contains_sensitive_args?(v) }
+    when Puppet::Pops::Types::PSensitiveType, Puppet::Pops::Types::PSensitiveType::Sensitive
+      true
+    else
+      false
+    end
+  end
+  private :contains_sensitive_args?
+
   def mark_sensitive_parameters(r, k)
     unless r.sensitive_parameters.include?(k.to_sym)
       r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze

data/lib/puppet/pops/evaluator/runtime3_resource_support.rb

@@ -76,7 +76,8 @@ module Runtime3ResourceSupport
   end
 
   def self.resource_to_ptype(resource)
-    nil if resource.nil?
+    return nil if resource.nil?
+
     # inference returns the meta type since the 3x Resource is an alternate way to describe a type
     Puppet::Pops::Types::TypeCalculator.singleton().infer(resource).type
   end

data/lib/puppet/pops/evaluator/runtime3_support.rb

@@ -443,12 +443,6 @@ module Runtime3Support
     resource.valid_parameter?(name)
   end
 
-  def resource_to_ptype(resource)
-    nil if resource.nil?
-    # inference returns the meta type since the 3x Resource is an alternate way to describe a type
-    type_calculator.infer(resource).type
-  end
-
   # This is the same type of "truth" as used in the current Puppet DSL.
   #
   def is_true?(value, o)

data/lib/puppet/provider/file/posix.rb

@@ -12,8 +12,22 @@ Puppet::Type.type(:file).provide :posix do
   require 'etc'
   require_relative '../../../puppet/util/selinux'
 
-  def self.post_resource_eval
-    Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support?
+  class << self
+    def selinux_handle
+      return nil unless Puppet::Util::SELinux.selinux_support?
+
+      # selabel_open takes 3 args: backend, options, and nopt. The backend param
+      # is a constant, SELABEL_CTX_FILE, which happens to be 0. Since options is
+      # nil, nopt can be 0 since nopt represents the # of options specified.
+      @selinux_handle ||= Selinux.selabel_open(Selinux::SELABEL_CTX_FILE, nil, 0)
+    end
+
+    def post_resource_eval
+      if @selinux_handle
+        Selinux.selabel_close(@selinux_handle)
+        @selinux_handle = nil
+      end
+    end
   end
 
   def uid2name(id)

data/lib/puppet/provider/package/gem.rb

@@ -83,6 +83,7 @@ Puppet::Type.type(:package).provide :gem, :parent => Puppet::Provider::Package::
       custom_environment[:PATH] = windows_path_without_puppet_bin
     end
 
+    # This uses an unusual form of passing the command and args as [<cmd>, [<arg1>, <arg2>, ...]]
     execute(cmd, { :failonfail => true, :combine => true, :custom_environment => custom_environment })
   end
 

data/lib/puppet/provider/package/pkgutil.rb

@@ -115,11 +115,12 @@ Puppet::Type.type(:package).provide :pkgutil, :parent => :sun, :source => :sun d
 
   # Identify common types of pkgutil noise as it downloads catalogs etc
   def self.noise?(line)
-    true if line =~ /^#/
-    true if line =~ /^Checking integrity / # use_gpg
-    true if line =~ /^gpg: /               # gpg verification
-    true if line =~ /^=+> /                # catalog fetch
-    true if line =~ /\d+:\d+:\d+ URL:/     # wget without -q
+    return true if line =~ /^#/
+    return true if line =~ /^Checking integrity / # use_gpg
+    return true if line =~ /^gpg: /               # gpg verification
+    return true if line =~ /^=+> /                # catalog fetch
+    return true if line =~ /\d+:\d+:\d+ URL:/     # wget without -q
+
     false
   end