From e056cb4af9b7992b7d40507a92b8739943e0e6e6 Mon Sep 17 00:00:00 2001
From: OpenStack Release Bot <infra-root@openstack.org>
Date: Thu, 18 Apr 2024 10:49:14 +0000
Subject: [PATCH 1/4] Update .gitreview for stable/2024.1

Change-Id: I1cfb02cf1ad3f4a10d00e7cc7b9b45348de7c039
---
 .gitreview | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitreview b/.gitreview
index 19b5cb4f..c691a28e 100644
--- a/.gitreview
+++ b/.gitreview
@@ -2,3 +2,4 @@
 host=review.opendev.org
 port=29418
 project=openstack/puppet-openstacklib.git
+defaultbranch=stable/2024.1

From 3ac4f4849df215a727c11032f079a9ca931987da Mon Sep 17 00:00:00 2001
From: OpenStack Release Bot <infra-root@openstack.org>
Date: Thu, 18 Apr 2024 10:49:16 +0000
Subject: [PATCH 2/4] Update TOX_CONSTRAINTS_FILE for stable/2024.1

Update the URL to the upper-constraints file to point to the redirect
rule on releases.openstack.org so that anyone working on this branch
will switch to the correct upper-constraints list automatically when
the requirements repository branches.

Until the requirements repository has as stable/2024.1 branch, tests will
continue to use the upper-constraints list on master.

Change-Id: I315006a6658d932911811900914711777b3ad296
---
 tox.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tox.ini b/tox.ini
index 5bf76d23..c5a4eca1 100644
--- a/tox.ini
+++ b/tox.ini
@@ -8,6 +8,6 @@ ignore_basepython_conflict = True
 basepython = python3
 
 [testenv:releasenotes]
-deps = -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
+deps = -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2024.1}
        -r{toxinidir}/doc/requirements.txt
 commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html

From 2abaab7e54a7932bc4e3e621c90df6d15773c332 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <kajinamit@oss.nttdata.com>
Date: Tue, 18 Feb 2025 09:42:29 +0900
Subject: [PATCH 3/4] Replace remaining use of legacy facts

... because these are no longer available in Puppet 8.

Change-Id: Ic1f11b7e12d35f7381d621c6f28636a34ca14e0e
(cherry picked from commit ee48d7a366f2bfb820c7f5d30919b20d8f19d329)
(cherry picked from commit a1f3e5a7702ff12f3dc8af9a4399020542d4d6aa)
---
 spec/acceptance/mysql_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/acceptance/mysql_spec.rb b/spec/acceptance/mysql_spec.rb
index 8286782f..4b3b4ca4 100644
--- a/spec/acceptance/mysql_spec.rb
+++ b/spec/acceptance/mysql_spec.rb
@@ -10,7 +10,7 @@
 
       class { 'mysql::server': }
 
-      $charset = $::operatingsystem ? {
+      $charset = $facts['os']['name'] ? {
         'Ubuntu' => 'utf8mb3',
         default  => 'utf8',
       }

From 9f3e877bbeb084395264d9855230f06c02a7b2d9 Mon Sep 17 00:00:00 2001
From: Tobias Urdin <tobias.urdin@binero.com>
Date: Thu, 6 Nov 2025 16:53:24 +0100
Subject: [PATCH 4/4] Replace Puppet::Util::withenv with custom version

... that filters out OS_* environment variables
from the existing copied ENV and then set the
passed environment variables to ENV and yield
to the openstack CLI call.

This has been a problem for a very long this
where if you source OS_* environment in your
shell and try to run Puppet the openstack CLI
calls executed by the Puppet modules will
pick up these environment variables causing
side effects such as `openstack token issue`
commands failing to test password for keystone_user
resources causing a `openstack uset set` command
even though the password has not changed.

Depends-On: https://review.opendev.org/c/openstack/puppet-openstack-integration/+/967058
Change-Id: Ic4f9d7f7e8faf5ba5caaade49f10789aa8dba864
Signed-off-by: Tobias Urdin <tobias.urdin@binero.com>
(cherry picked from commit 864f02dda63a0bb566643302b561b2dc04eb8530)
(cherry picked from commit 4f2bdb5d8025fa8fa78a65b419bd95421fabeeb2)
(cherry picked from commit e9d195ed66f43d984b8306437bcc1be398554636)
(cherry picked from commit e97454336b299a52a4f57a7a2f7968fb6300a3df)
---
 lib/puppet/provider/openstack.rb              | 19 +++++++-
 .../notes/os-withenv-3ca466fde75f6441.yaml    |  6 +++
 spec/unit/provider/openstack_spec.rb          | 43 ++++++++++++++++++-
 3 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/os-withenv-3ca466fde75f6441.yaml

diff --git a/lib/puppet/provider/openstack.rb b/lib/puppet/provider/openstack.rb
index 5c261e3d..9a403fe3 100644
--- a/lib/puppet/provider/openstack.rb
+++ b/lib/puppet/provider/openstack.rb
@@ -78,6 +78,23 @@ def self.request_without_retry(&block)
     rc
   end
 
+  # Copy of Puppet::Util::withenv but that filters out
+  # env variables starting with OS_ from the existing
+  # environment.
+  #
+  # @param hash [Hash] Hash of environment variables
+  def self.os_withenv(hash)
+    saved = ENV.to_hash
+    begin
+      cleaned_env = ENV.to_hash.reject { |k, _| k.start_with?('OS_') }
+      ENV.replace(cleaned_env)
+      ENV.merge!(hash.transform_keys(&:to_s))
+      yield
+    ensure
+      ENV.replace(saved)
+    end
+  end
+
   # Returns an array of hashes, where the keys are the downcased CSV headers
   # with underscores instead of spaces
   #
@@ -87,7 +104,7 @@ def self.request(service, action, properties, credentials=nil, options={})
     env = credentials ? credentials.to_env : {}
     no_retry = options[:no_retry_exception_msgs]
 
-    Puppet::Util.withenv(env) do
+    os_withenv(env) do
       rv = nil
       end_time = current_time + request_timeout
       start_time = current_time
diff --git a/releasenotes/notes/os-withenv-3ca466fde75f6441.yaml b/releasenotes/notes/os-withenv-3ca466fde75f6441.yaml
new file mode 100644
index 00000000..e381ca63
--- /dev/null
+++ b/releasenotes/notes/os-withenv-3ca466fde75f6441.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    The ``Puppet::Provider::Openstack.request`` now filters out all external
+    ``OS_*`` environment variables to prevent collisions with environment
+    variables in the shell where Puppet is running.
diff --git a/spec/unit/provider/openstack_spec.rb b/spec/unit/provider/openstack_spec.rb
index 81b636aa..37aa005c 100644
--- a/spec/unit/provider/openstack_spec.rb
+++ b/spec/unit/provider/openstack_spec.rb
@@ -80,7 +80,7 @@
     end
 
     it 'uses provided credentials' do
-      expect(Puppet::Util).to receive(:withenv).with(credentials.to_env)
+      expect(provider.class).to receive(:os_withenv).with(credentials.to_env)
       Puppet::Provider::Openstack.request('project', 'list', ['--long'], credentials)
     end
 
@@ -210,4 +210,45 @@
       end
     end
   end
+
+  describe '#os_withenv' do
+    around do |example|
+      @original_env = ENV.to_hash
+      example.run
+      ENV.replace(@original_env)
+    end
+
+    it 'removes environment variables starting with OS_' do
+      ENV['OS_FOO'] = 'should be removed'
+      ENV['OTHER']  = 'should stay'
+
+      Puppet::Provider::Openstack.os_withenv({}) do
+        expect(ENV.key?('OS_FOO')).to be false
+        expect(ENV['OTHER']).to eq('should stay')
+      end
+    end
+
+    it 'merges the given environment variables' do
+      Puppet::Provider::Openstack.os_withenv({'MY_VAR' => '123'}) do
+        expect(ENV['MY_VAR']).to eq('123')
+      end
+    end
+
+    it 'restores the original environment after the block' do
+      original = ENV.to_hash
+      Puppet::Provider::Openstack.os_withenv({'TEMP_VAR' => 'test'}) do
+        ENV['INSIDE_BLOCK'] = 'yep'
+      end
+
+      expect(ENV.key?('TEMP_VAR')).to be false
+      expect(ENV.key?('INSIDE_BLOCK')).to be false
+      expect(ENV.to_hash).to eq(original)
+    end
+
+    it 'handles string and symbol keys in the input hash' do
+      Puppet::Provider::Openstack.os_withenv({:FOO => 'bar'}) do
+        expect(ENV['FOO']).to eq('bar')
+      end
+    end
+  end
 end