puppet 8.1.0-x64-mingw32 → 8.3.1-x64-mingw32

data/lib/puppet/parameter/value_collection.rb

@@ -31,7 +31,7 @@ class Puppet::Parameter::ValueCollection
   #
   def doc
     unless defined?(@doc)
-      @doc = String.new
+      @doc = ''.dup
       unless values.empty?
         @doc << "Valid values are "
         @doc << @strings.collect do |value|

data/lib/puppet/parser/files.rb

@@ -29,9 +29,10 @@ module Puppet::Parser::Files
   #   * modulename/filename selector: a file is found in the file directory
   #     of the named module.
   #
-  # In the second case a nil is returned if there isn't a file found. In the
-  # first case (absolute path), there is no existence check done and so the
-  # path will be returned even if there isn't a file available.
+  # The check for file existence is performed on the node compiling the
+  # manifest. A node running "puppet apply" compiles its own manifest, but
+  # a node running "puppet agent" depends on the configured puppetserver
+  # for compiling. In either case, a nil is returned if no file is found.
   #
   # @param template [String] the file selector
   # @param environment [Puppet::Node::Environment] the environment in which to search

data/lib/puppet/parser/functions.rb

@@ -258,7 +258,7 @@ module Puppet::Parser::Functions
   def self.functiondocs(environment = Puppet.lookup(:current_environment))
     autoloader.delegatee.loadall(environment)
 
-    ret = String.new
+    ret = ''.dup
 
     merged_functions(environment).sort { |a,b| a[0].to_s <=> b[0].to_s }.each do |name, hash|
       ret << "#{name}\n#{"-" * name.to_s.length}\n"

data/lib/puppet/pops/evaluator/deferred_resolver.rb

@@ -10,7 +10,13 @@ class DeferredValue
   end
 
   def resolve
-    @proc.call
+    val = @proc.call
+    # Deferred sensitive values will be marked as such in resolve_futures()
+    if val.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      val.unwrap
+    else
+      val
+    end
   end
 end
 
@@ -88,8 +94,12 @@ class DeferredResolver
         #
         if resolved.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
           resolved = resolved.unwrap
-          unless r.sensitive_parameters.include?(k.to_sym)
-            r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
+          mark_sensitive_parameters(r, k)
+        # If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
+        # The DeferredValue.resolve method will unwrap it during catalog application
+        elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)
+          if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)}
+            mark_sensitive_parameters(r, k)
           end
         end
         overrides[ k ] = resolved
@@ -98,6 +108,13 @@ class DeferredResolver
     end
   end
 
+  def mark_sensitive_parameters(r, k)
+    unless r.sensitive_parameters.include?(k.to_sym)
+      r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
+    end
+  end
+  private :mark_sensitive_parameters
+
   def resolve(x)
     if x.class == @deferred_class
       resolve_future(x)

data/lib/puppet/pops/loader/loader_paths.rb

@@ -88,7 +88,7 @@ module LoaderPaths
 
     def typed_name(type, name_authority, relative_path, module_name)
       # Module name is assumed to be included in the path and therefore not added here
-      n = String.new
+      n = ''.dup
       unless extension.empty?
         # Remove extension
         relative_path = relative_path[0..-(extension.length+1)]
@@ -153,7 +153,7 @@ module LoaderPaths
     end
 
     def typed_name(type, name_authority, relative_path, module_name)
-      n = String.new
+      n = ''.dup
       n << module_name unless module_name.nil?
       unless extension.empty?
         # Remove extension
@@ -249,7 +249,7 @@ module LoaderPaths
     end
 
     def typed_name(type, name_authority, relative_path, module_name)
-      n = String.new
+      n = ''.dup
       n << module_name unless module_name.nil?
 
       # Remove the file extension, defined as everything after the *last* dot.
@@ -351,7 +351,7 @@ module LoaderPaths
       if @init_filenames.include?(relative_path) && !(module_name.nil? || module_name.empty?)
         TypedName.new(type, module_name, name_authority)
       else
-        n = String.new
+        n = ''.dup
         n << module_name unless module_name.nil?
         ext = @extensions.find { |extension| relative_path.end_with?(extension) }
         relative_path = relative_path[0..-(ext.length+1)]

data/lib/puppet/pops/lookup/explainer.rb

@@ -20,7 +20,7 @@ module Lookup
     end
 
     def explain
-      io = String.new
+      io = ''.dup
       dump_on(io, '', '')
       io
     end

data/lib/puppet/pops/lookup/hiera_config.rb

@@ -228,7 +228,7 @@ class HieraConfig
       line_number += 1
       next if line_number < start_line
       quote = nil
-      stripped = String.new
+      stripped = ''.dup
       line.each_codepoint do |cp|
         if cp == 0x22 || cp == 0x27 # double or single quote
           if quote == cp

data/lib/puppet/pops/model/factory.rb

@@ -1112,7 +1112,7 @@ class Factory
   end
 
   def self.concat(*args)
-    result = String.new
+    result = ''.dup
     args.each do |e|
       if e.instance_of?(Factory) && e.model_class <= LiteralString
         result << e[KEY_VALUE]

data/lib/puppet/pops/model/tree_dumper.rb

@@ -21,7 +21,7 @@ class Puppet::Pops::Model::TreeDumper
   end
 
   def format(x)
-    result = String.new
+    result = ''.dup
     parts = format_r(x)
     parts.each_index do |i|
       if i > 0

data/lib/puppet/pops/parser/epp_support.rb

@@ -183,7 +183,7 @@ module EppSupport
       @skip_leading = skip_leading
 
       return nil if scanner.eos?
-      s = String.new
+      s = ''.dup
       until scanner.eos?
         part = @scanner.scan_until(/(<%)|\z/)
         if @skip_leading

data/lib/puppet/pops/parser/evaluating_parser.rb

@@ -125,7 +125,7 @@ class EvaluatingParser
   # @return [String] The quoted string
   #
   def self.quote(x)
-    escaped = String.new('"')
+    escaped = '"'.dup
     p = nil
     x.each_char do |c|
       case p

data/lib/puppet/pops/parser/pn_parser.rb

@@ -218,7 +218,7 @@ class PNParser
 
   def consume_string
     s = @pos
-    b = String.new
+    b = ''.dup
     loop do
       c = next_cp
       case c

data/lib/puppet/pops/pn.rb

@@ -20,7 +20,7 @@ module PN
   end
 
   def to_s
-    s = String.new
+    s = ''.dup
     format(nil, s)
     s
   end

data/lib/puppet/pops/serialization/json_path.rb

@@ -11,7 +11,7 @@ module JsonPath
   #
   # @api private
   def self.to_json_path(path)
-    p = String.new('$')
+    p = '$'.dup
     path.each do |seg|
       if seg.nil?
         p << '[null]'

data/lib/puppet/pops/time/timespan.rb

@@ -545,7 +545,7 @@ module Time
       end
 
       def format(timespan)
-        bld = String.new(timespan.negative? ? '-' : '')
+        bld = timespan.negative? ? '-'.dup : ''.dup
         @segments.each { |segment| segment.append_to(bld, timespan) }
         bld
       end
@@ -575,7 +575,7 @@ module Time
       end
 
       def build_regexp
-        bld = String.new('\A-?')
+        bld = '\A-?'.dup
         @segments.each { |segment| segment.append_regexp(bld) }
         bld << '\z'
         Regexp.new(bld)
@@ -613,7 +613,7 @@ module Time
 
       def append_literal(bld, codepoint)
         if bld.empty? || !bld.last.is_a?(Format::LiteralSegment)
-          bld << Format::LiteralSegment.new(String.new.concat(codepoint))
+          bld << Format::LiteralSegment.new(''.dup.concat(codepoint))
         else
           bld.last.concat(codepoint)
         end
@@ -634,7 +634,7 @@ module Time
         position = -1
         fstart = 0
 
-        str.codepoints do |codepoint|
+        str.each_codepoint do |codepoint|
           position += 1
           if state == STATE_LITERAL
             if codepoint == 0x25 # '%'

data/lib/puppet/pops/types/ruby_generator.rb

@@ -60,7 +60,7 @@ class RubyGenerator < TypeFormatter
       if cls.nil?
         rp = key.resolved_parent
         parent_class = rp.is_a?(PObjectType) ? rp.implementation_class : Object
-        class_def = String.new
+        class_def = ''.dup
         class_body(key, EMPTY_ARRAY, class_def)
         cls = Class.new(parent_class)
         cls.class_eval(class_def)
@@ -109,7 +109,7 @@ class RubyGenerator < TypeFormatter
     end
 
     # Create class definition of all contained types
-    bld = String.new
+    bld = ''.dup
     start_module(common_prefix, comment, bld)
     class_names = []
     names_by_prefix.each_pair do |seg_array, index_and_name_array|

data/lib/puppet/pops/types/string_converter.rb

@@ -701,7 +701,7 @@ class StringConverter
   # Performs post-processing of literals to apply width and precision flags
   def apply_string_flags(f, literal_str)
     if f.left || f.width || f.prec
-      fmt = String.new('%')
+      fmt = '%'.dup
       fmt << '-' if f.left
       fmt << f.width.to_s if f.width
       fmt << '.' << f.prec.to_s if f.prec
@@ -853,7 +853,7 @@ class StringConverter
     end
 
     # Assume that the string can be single quoted
-    bld = String.new('\'')
+    bld = "'".dup
     bld.force_encoding(str.encoding)
     escaped = false
     str.each_codepoint do |codepoint|
@@ -879,12 +879,12 @@ class StringConverter
     # If string ended with a backslash, then that backslash must be escaped
     bld << 0x5c if escaped
 
-    bld << '\''
+    bld << "'"
     bld
   end
 
   def puppet_double_quote(str)
-    bld = String.new('"')
+    bld = '"'.dup
     str.each_codepoint do |codepoint|
       case codepoint
       when 0x09
@@ -940,7 +940,7 @@ class StringConverter
 
     case format.format
     when :a, :s, :p
-      buf = String.new
+      buf = ''.dup
       if indentation.breaks?
         buf << "\n"
         buf << indentation.padding
@@ -1055,7 +1055,7 @@ class StringConverter
 
     when :h, :s, :p
       indentation = indentation.indenting(format.alt? || indentation.is_indenting?)
-      buf = String.new
+      buf = ''.dup
       if indentation.breaks?
         buf << "\n"
         buf << indentation.padding

data/lib/puppet/pops/types/type_formatter.rb

@@ -50,7 +50,7 @@ class TypeFormatter
   # @api public
   #
   def string(t)
-    @bld = String.new
+    @bld = ''.dup
     append_string(t)
     @bld
   end
@@ -64,7 +64,7 @@ class TypeFormatter
   #
   # @api public
   def indented_string(t, indent = 0, indent_width = 2)
-    @bld = String.new
+    @bld = ''.dup
     append_indented_string(t, indent, indent_width)
     @bld
   end

data/lib/puppet/pops/types/types.rb

@@ -1713,7 +1713,7 @@ class PRegexpType < PScalarType
     if options == 0
       rx_string
     else
-      bld = String.new('(?')
+      bld = '(?'.dup
       bld << 'i' if (options & Regexp::IGNORECASE) != 0
       bld << 'm' if (options & Regexp::MULTILINE) != 0
       bld << 'x' if (options & Regexp::EXTENDED) != 0

data/lib/puppet/provider/nameservice/directoryservice.rb

@@ -218,8 +218,8 @@ class Puppet::Provider::NameService::DirectoryService < Puppet::Provider::NameSe
         password_hash_plist = users_plist['ShadowHashData'][0]
         converted_hash_plist = convert_binary_to_hash(password_hash_plist)
       else
-        users_plist['ShadowHashData'] = String.new
-        converted_hash_plist = {'SALTED-SHA512' => String.new}
+        users_plist['ShadowHashData'] = ''.dup
+        converted_hash_plist = {'SALTED-SHA512' => ''.dup}
       end
 
       # converted_hash_plist['SALTED-SHA512'] expects a Base64 encoded

data/lib/puppet/provider/package/apt.rb

@@ -13,7 +13,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
     These options should be specified as an array where each element is either a
      string or a hash."
 
-  has_feature :versionable, :install_options, :virtual_packages
+  has_feature :versionable, :install_options, :virtual_packages, :version_ranges
 
   commands :aptget => "/usr/bin/apt-get"
   commands :aptcache => "/usr/bin/apt-cache"

data/lib/puppet/provider/package/dnf.rb

@@ -10,7 +10,7 @@ Puppet::Type.type(:package).provide :dnf, :parent => :yum do
   These options should be specified as an array where each element is either
    a string or a hash."
 
-  has_feature :install_options, :versionable, :virtual_packages, :install_only
+  has_feature :install_options, :versionable, :virtual_packages, :install_only, :version_ranges
 
   commands :cmd => "dnf", :rpm => "rpm"
 

data/lib/puppet/provider/package/yum.rb

@@ -16,7 +16,7 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
   This provider supports the `install_options` attribute, which allows command-line flags to be passed to yum.
   These options should be specified as an array where each element is either a string or a hash."
 
-  has_feature :install_options, :versionable, :virtual_packages, :install_only
+  has_feature :install_options, :versionable, :virtual_packages, :install_only, :version_ranges
 
   RPM_VERSION       = Puppet::Util::Package::Version::Rpm
   RPM_VERSION_RANGE = Puppet::Util::Package::Version::Range

data/lib/puppet/provider/user/directoryservice.rb

@@ -637,7 +637,7 @@ Puppet::Type.type(:user).provide :directoryservice do
   def set_salted_sha512(users_plist, shadow_hash_data, value)
     unless shadow_hash_data
       shadow_hash_data = Hash.new
-      shadow_hash_data['SALTED-SHA512'] = String.new
+      shadow_hash_data['SALTED-SHA512'] = ''.dup
     end
     shadow_hash_data['SALTED-SHA512'] = base64_decode_string(value)
     binary_plist = self.class.convert_hash_to_binary(shadow_hash_data)

data/lib/puppet/reference/configuration.rb

@@ -5,7 +5,7 @@ config = Puppet::Util::Reference.newreference(:configuration, :depth => 1, :doc
     docs[name] = object
   end
 
-  str = String.new
+  str = ''.dup
   docs.sort { |a, b|
     a[0].to_s <=> b[0].to_s
   }.each do |name, object|

data/lib/puppet/reference/indirection.rb

@@ -5,7 +5,7 @@ require_relative '../../puppet/file_serving/content'
 require_relative '../../puppet/file_serving/metadata'
 
 reference = Puppet::Util::Reference.newreference :indirection, :doc => "Indirection types and their terminus classes" do
-  text = String.new
+  text = ''.dup
   Puppet::Indirector::Indirection.instances.sort_by(&:to_s).each do |indirection|
     ind = Puppet::Indirector::Indirection.instance(indirection)
     name = indirection.to_s.capitalize

data/lib/puppet/reports.rb

@@ -71,7 +71,7 @@ class Puppet::Reports
   # Collects the docs for all reports.
   # @api private
   def self.reportdocs
-    docs = String.new
+    docs = ''.dup
 
     # Use this method so they all get loaded
     instance_loader(:report).loadall(Puppet.lookup(:current_environment))

data/lib/puppet/ssl/oids.rb

@@ -71,7 +71,9 @@ module Puppet::SSL::Oids
     ["1.3.6.1.4.1.34380.1.3", 'ppAuthCertExt', 'Puppet Certificate Authorization Extension'],
 
     ["1.3.6.1.4.1.34380.1.3.1",  'pp_authorization', 'Certificate Extension Authorization'],
+    ["1.3.6.1.4.1.34380.1.3.2", 'pp_auth_auto_renew', 'Auto-Renew Certificate Attribute'],
     ["1.3.6.1.4.1.34380.1.3.13", 'pp_auth_role', 'Puppet Node Role Name for Authorization'],
+    ["1.3.6.1.4.1.34380.1.3.39", 'pp_cli_auth', 'Puppetserver CA CLI Authorization'],
   ]
 
   @did_register_puppet_oids = false

data/lib/puppet/ssl/ssl_provider.rb

@@ -225,7 +225,7 @@ class Puppet::SSL::SSLProvider
       ssl_context.crls.each do |crl|
         oid_values = Hash[crl.extensions.map { |ext| [ext.oid, ext.value] }]
         crlNumber = oid_values['crlNumber'] || 'unknown'
-        authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp!
+        authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp
         Puppet.debug("Using CRL '#{crl.issuer.to_utf8}' authorityKeyIdentifier '#{authKeyId}' crlNumber '#{crlNumber }'")
       end
     end

data/lib/puppet/ssl/state_machine.rb

@@ -59,9 +59,6 @@ class Puppet::SSL::StateMachine
         now = Time.now
         last_update = @cert_provider.ca_last_update
         if needs_refresh?(now, last_update)
-          # set last updated time first, then make a best effort to refresh
-          @cert_provider.ca_last_update = now
-
           # If we refresh the CA, then we need to force the CRL to be refreshed too,
           # since if there is a new CA in the chain, then we need its CRL to check
           # the full chain for revocation status.
@@ -114,7 +111,12 @@ class Puppet::SSL::StateMachine
       Puppet.info(_("Refreshing CA certificate"))
 
       # return the next_ctx containing the updated ca
-      [download_ca(ssl_ctx, last_update), true]
+      next_ctx = [download_ca(ssl_ctx, last_update), true]
+
+      # After a successful refresh, update ca_last_update
+      @cert_provider.ca_last_update = Time.now
+
+      next_ctx
     rescue Puppet::HTTP::ResponseError => e
       if e.response.code == 304
         Puppet.info(_("CA certificate is unmodified, using existing CA certificate"))
@@ -171,8 +173,6 @@ class Puppet::SSL::StateMachine
           now = Time.now
           last_update = @cert_provider.crl_last_update
           if needs_refresh?(now, last_update)
-            # set last updated time first, then make a best effort to refresh
-            @cert_provider.crl_last_update = now
             next_ctx = refresh_crl(next_ctx, last_update)
           end
         else
@@ -209,7 +209,12 @@ class Puppet::SSL::StateMachine
       Puppet.info(_("Refreshing CRL"))
 
       # return the next_ctx containing the updated crl
-      download_crl(ssl_ctx, last_update)
+      next_ctx = download_crl(ssl_ctx, last_update)
+
+      # After a successful refresh, update crl_last_update
+      @cert_provider.crl_last_update = Time.now
+
+      next_ctx
     rescue Puppet::HTTP::ResponseError => e
       if e.response.code == 304
         Puppet.info(_("CRL is unmodified, using existing CRL"))
@@ -257,7 +262,11 @@ class Puppet::SSL::StateMachine
           next_ctx = @ssl_provider.create_context(
             cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: key, client_cert: cert
           )
-          return Done.new(@machine, next_ctx)
+          if needs_refresh?(cert)
+            return NeedRenewedCert.new(@machine, next_ctx, key)
+          else
+            return Done.new(@machine, next_ctx)
+          end
         end
       else
         if Puppet[:key_type] == 'ec'
@@ -273,6 +282,15 @@ class Puppet::SSL::StateMachine
 
       NeedSubmitCSR.new(@machine, @ssl_context, key)
     end
+
+    private
+
+    def needs_refresh?(cert)
+      cert_ttl = Puppet[:hostcert_renewal_interval]
+      return false unless cert_ttl
+
+      Time.now.to_i >= (cert.not_after.to_i - cert_ttl)
+    end
   end
 
   # Base class for states with a private key.
@@ -344,6 +362,39 @@ class Puppet::SSL::StateMachine
     end
   end
 
+  # Class to renew a client/host certificate automatically.
+  #
+  class NeedRenewedCert < KeySSLState
+    def next_state
+      Puppet.debug(_("Renewing client certificate"))
+
+      route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
+      cert = OpenSSL::X509::Certificate.new(
+        route.post_certificate_renewal(@ssl_context)[1]
+      )
+
+      # verify client cert before saving
+      next_ctx = @ssl_provider.create_context(
+        cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: @private_key, client_cert: cert
+      )
+      @cert_provider.save_client_cert(Puppet[:certname], cert)
+
+      Puppet.info(_("Renewed client certificate: %{cert_digest}, not before '%{not_before}', not after '%{not_after}'") % { cert_digest: @machine.digest_as_hex(cert.to_pem), not_before: cert.not_before, not_after: cert.not_after })
+      
+      Done.new(@machine, next_ctx)
+    rescue Puppet::HTTP::ResponseError => e
+      if e.response.code == 404
+        Puppet.info(_("Certificate autorenewal has not been enabled on the server."))
+      else
+        Puppet.warning(_("Failed to automatically renew certificate: %{code} %{reason}") % { code: e.response.code, reason: e.response.reason })
+      end
+      Done.new(@machine, @ssl_context)
+    rescue => e
+      Puppet.warning(_("Unable to automatically renew certificate: %{message}") % { message: e })
+      Done.new(@machine, @ssl_context)
+    end
+  end
+
   # We cannot make progress, so wait if allowed to do so, or exit.
   #
   class Wait < SSLState
@@ -495,7 +546,7 @@ class Puppet::SSL::StateMachine
     final_state.ssl_context
   end
 
-  # Run the state machine for CA certs and CRLs.
+  # Run the state machine for client certs.
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
   # @raise [Puppet::Error] If we fail to generate an SSLContext

data/lib/puppet/transaction/report.rb

@@ -369,7 +369,7 @@ class Puppet::Transaction::Report
   def summary
     report = raw_summary
 
-    ret = String.new
+    ret = ''.dup
     report.keys.sort_by(&:to_s).each do |key|
       ret += "#{Puppet::Util::Metric.labelize(key)}:\n"
 

data/lib/puppet/type/filebucket.rb

@@ -4,7 +4,7 @@ module Puppet
 
   Type.newtype(:filebucket) do
     @doc = <<-EOT
-      A repository for storing and retrieving file content by MD5 checksum. Can
+      A repository for storing and retrieving file content by cryptographic checksum. Can
       be local to each agent node, or centralized on a primary Puppet server. All
       puppet servers provide a filebucket service that agent nodes can access
       via HTTP, but you must declare a filebucket resource before any agents

data/lib/puppet/util/diff.rb

@@ -34,7 +34,7 @@ module Puppet::Util::Diff
     data_old = data_old.split(/\n/).map! { |e| e.chomp }
     data_new = data_new.split(/\n/).map! { |e| e.chomp }
 
-    output = String.new
+    output = ''.dup
 
     diffs = ::Diff::LCS.diff(data_old, data_new)
     return output if diffs.empty?

data/lib/puppet/util/execution.rb

@@ -162,7 +162,7 @@ module Puppet::Util::Execution
     # do this after processing 'command' array or string
     command_str = '[redacted]' if options[:sensitive]
 
-    user_log_s = String.new
+    user_log_s = ''.dup
     if options[:uid]
       user_log_s << " uid=#{options[:uid]}"
     end
@@ -202,7 +202,7 @@ module Puppet::Util::Execution
       stderr = options[:combine] ? stdout : Puppet::FileSystem.open(null_file, nil, 'w')
 
       exec_args = [command, options, stdin, stdout, stderr]
-      output = String.new
+      output = ''.dup
 
       # We close stdin/stdout/stderr immediately after fork/exec as they're no longer needed by
       # this process. In most cases they could be closed later, but when `stdout` is the "writer"
@@ -223,8 +223,12 @@ module Puppet::Util::Execution
             # Use non-blocking read to check for data. After each attempt,
             # check whether the child is done. This is done in case the child
             # forks and inherits stdout, as happens in `foo &`.
-            
-            until results = Process.waitpid2(child_pid, Process::WNOHANG) #rubocop:disable Lint/AssignmentInCondition
+            # If we encounter EOF, though, then switch to a blocking wait for
+            # the child; after EOF, IO.select will never block and the loop
+            # below will use maximum CPU available.
+
+            wait_flags = Process::WNOHANG
+            until results = Process.waitpid2(child_pid, wait_flags) #rubocop:disable Lint/AssignmentInCondition
 
               # If not done, wait for data to read with a timeout
               # This timeout is selected to keep activity low while waiting on
@@ -235,6 +239,7 @@ module Puppet::Util::Execution
                 output << reader.read_nonblock(4096) if ready
               rescue Errno::EAGAIN
               rescue EOFError
+                wait_flags = 0
               end
             end