Previously, the random number generator was seeded with the array or
string to be rotated in addition to any values specifically provided for
seeding. This behavior is potentially insecure in that it allows an
attacker who can modify the source data to choose the post-shuffle
order.
Without this, the global seed is reseeded on every use
of fqdn_rotate, which is a waste. Older rubies might even use a
time-base seed which adversly impacts the quality of the RNG.
As per puppetlabs/puppet@292233c, this leaves the global seed in a
deterministic state, which is bad. Puppet::Util.deterministic_rand()
exists to avoid running into this issue, but is only present starting in
Puppet 3.2.0.
We need to use
unless value.is_a?(String) || value.is_a?(Array)
rather than
klass = value.class
unless [String, Array].include?(klass)
because the klass version enforces type checking which is too strict, and does
not allow us to accept objects wich have extended String (or Array).
For example, generate() function now returns Puppet::Util::Execution::ProcessOutput
which is just a very simple extension of String. While this in it's self was
not intentional (PUP-2306) it is not unreasonable to cope with objects which
extend Strings