Allow file content that looks like a checksum.

Jérémie Pierson · jeremie-pierson · commit 5b353b37d8c0 · 2025-09-01T13:42:07.000+02:00
Currently, if a file has a content attribute set to something that looks
like a checksum, it will display a deprecation warning and then probably
throw an error, as the checksum-link string won't match anything in
filebuckets.

This code is apparently intended to allow a checksum to be passed instead
of actual content, with the effect of replacing file content if it
doesn't match the checksum. It appears that this mecanism is replaced by
"static catalogs" and was scheduled for removal in Puppet 7.

As it is no longer documented (because deprecated), it is surprising to
stumble upon the behavior by just having file content that looks like a
checksum. I had to work around this in a real usecase involving some
proprietary software that uses the same syntax for value to be encrypted
at startup.

This commit introduces a new setting "use_checksum_in_file_content" that
default to true, preserving current behavior. If set to false, it will
never look for checksums in file contents.

This setting should probably be set to false by default in the next
major release.
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
@@ -1114,6 +1114,13 @@ def self.initialize_default_settings!(settings)
       # Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,
       # unfortunately we have a large number of tests that rely on the logging not resetting itself when the
       # settings are initialized as they test what gets logged during settings initialization.
+    },
+    :use_checksum_in_file_content => {
+      :default => true,
+      :type    => :boolean,
+      :desc    => "Whether to allow specifying checksums in file content attributes; this is
+      deprecated, the checksum retrieval functionality is being replaced by the use of
+      static catalogs."
     }
   )
 
diff --git a/lib/puppet/type/file/content.rb b/lib/puppet/type/file/content.rb
@@ -48,23 +48,43 @@ module Puppet
       if value == :absent
         value
       elsif value.is_a?(String) && checksum?(value)
-        # XXX This is potentially dangerous because it means users can't write a file whose
-        # entire contents are a plain checksum unless it is a Binary content.
-        Puppet.puppet_deprecation_warning([
-          # TRANSLATORS "content" is an attribute and should not be translated
-          _('Using a checksum in a file\'s "content" property is deprecated.'),
-          # TRANSLATORS "filebucket" is a resource type and should not be translated. The quoted occurrence of "content" is an attribute and should not be translated.
-          _('The ability to use a checksum to retrieve content from the filebucket using the "content" property will be removed in a future release.'),
-          # TRANSLATORS "content" is an attribute and should not be translated.
-          _('The literal value of the "content" property will be written to the file.'),
-          # TRANSLATORS "static catalogs" should not be translated.
-          _('The checksum retrieval functionality is being replaced by the use of static catalogs.'),
-          _('See https://puppet.com/docs/puppet/latest/static_catalogs.html for more information.')
-        ].join(" "),
-                                          :file => @resource.file,
-                                          :line => @resource.line) if !@actual_content && !resource.parameter(:source)
-        value
+        # Our argument looks like a checksum. Is it the value of the content
+        # attribute in Puppet code, that happens to look like a checksum, or is
+        # it an actual checksum computed on the actual content?
+        if @actual_content || resource.parameter(:source)
+          # Actual content is already set, value contains it's checksum
+          value
+        else
+          # The value passed in the "content" attribute of this file looks like a checksum.
+          if Puppet[:use_checksum_in_file_content]
+            # Assume user wants the deprecated behavior; display a warning though.
+            # XXX This is potentially dangerous because it means users can't write a file whose
+            # entire contents are a plain checksum unless it is a Binary content.
+            Puppet.puppet_deprecation_warning([
+              # TRANSLATORS "content" is an attribute and should not be translated
+              _('Using a checksum in a file\'s "content" property is deprecated.'),
+              # TRANSLATORS "filebucket" is a resource type and should not be translated. The quoted occurrence of "content" is an attribute and should not be translated.
+              _('The ability to use a checksum to retrieve content from the filebucket using the "content" property will be removed in a future release.'),
+              # TRANSLATORS "content" is an attribute and should not be translated.
+              _('The literal value of the "content" property will be written to the file.'),
+              # TRANSLATORS "static catalogs" should not be translated.
+              _('The checksum retrieval functionality is being replaced by the use of static catalogs.'),
+              _('See https://puppet.com/docs/puppet/latest/static_catalogs.html for more information.')
+            ].join(" "),
+                                              :file => @resource.file,
+                                              :line => @resource.line) if !@actual_content && !resource.parameter(:source)
+            # We return the value assuming it really is the checksum of the
+            # actual content we want. It should be fetched from filebucket
+            # later on.
+            value
+          else
+            # The content only happens to look like a checksum by chance.
+            @actual_content = value.is_a?(Puppet::Pops::Types::PBinaryType::Binary) ? value.binary_buffer : value
+            resource.parameter(:checksum).sum(@actual_content)
+          end
+        end
       else
+        # Our argument is definitely not a checksum: set actual_value and return calculated checksum.
         @actual_content = value.is_a?(Puppet::Pops::Types::PBinaryType::Binary) ? value.binary_buffer : value
         resource.parameter(:checksum).sum(@actual_content)
       end
@@ -163,6 +183,8 @@ def each_chunk_from
     end
 
     def content_is_really_a_checksum?
+      return false unless Puppet[:use_checksum_in_file_content]
+
       checksum?(should)
     end
 

Original file line number	Diff line number	Diff line change
`@@ -1114,6 +1114,13 @@ def self.initialize_default_settings!(settings)`
`1114`	`1114`	`# Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,`
`1115`	`1115`	`# unfortunately we have a large number of tests that rely on the logging not resetting itself when the`
`1116`	`1116`	`# settings are initialized as they test what gets logged during settings initialization.`
	`1117`	`+ },`
	`1118`	`+ :use_checksum_in_file_content => {`
	`1119`	`+ :default => true,`
	`1120`	`+ :type => :boolean,`
	`1121`	`+ :desc => "Whether to allow specifying checksums in file content attributes; this is`
	`1122`	`+ deprecated, the checksum retrieval functionality is being replaced by the use of`
	`1123`	`+ static catalogs."`
`1117`	`1124`	`}`
`1118`	`1125`	`)`
`1119`	`1126`