puppet 8.7.0-universal-darwin → 8.9.0-universal-darwin

data/lib/puppet/node/server_facts.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+class Puppet::Node::ServerFacts
+  def self.load
+    server_facts = {}
+
+    # Add our server Puppet Enterprise version, if available.
+    pe_version_file = '/opt/puppetlabs/server/pe_version'
+    if File.readable?(pe_version_file) and !File.zero?(pe_version_file)
+      server_facts['pe_serverversion'] = File.read(pe_version_file).chomp
+    end
+
+    # Add our server version to the fact list
+    server_facts["serverversion"] = Puppet.version.to_s
+
+    # And then add the server name and IP
+    { "servername" => "networking.fqdn",
+      "serverip" => "networking.ip",
+      "serverip6" => "networking.ip6" }.each do |var, fact|
+      value = Puppet.runtime[:facter].value(fact)
+      unless value.nil?
+        server_facts[var] = value
+      end
+    end
+
+    if server_facts["servername"].nil?
+      host = Puppet.runtime[:facter].value('networking.hostname')
+      if host.nil?
+        Puppet.warning _("Could not retrieve fact servername")
+      elsif domain = Puppet.runtime[:facter].value('networking.domain') # rubocop:disable Lint/AssignmentInCondition
+        server_facts["servername"] = [host, domain].join(".")
+      else
+        server_facts["servername"] = host
+      end
+    end
+
+    if server_facts["serverip"].nil? && server_facts["serverip6"].nil?
+      Puppet.warning _("Could not retrieve either serverip or serverip6 fact")
+    end
+
+    server_facts
+  end
+end

data/lib/puppet/parser/functions/generate.rb

@@ -31,7 +31,8 @@ Puppet::Parser::Functions.newfunction(:generate, :arity => -2, :type => :rvalue,
   end
 
   begin
-    Dir.chdir(File.dirname(args[0])) { Puppet::Util::Execution.execute(args).to_str }
+    dir = File.dirname(args[0])
+    Puppet::Util::Execution.execute(args, failonfail: true, combine: true, cwd: dir).to_str
   rescue Puppet::ExecutionFailure => detail
     raise Puppet::ParseError, _("Failed to execute generator %{generator}: %{detail}") % { generator: args[0], detail: detail }, detail.backtrace
   end

data/lib/puppet/pops/evaluator/deferred_resolver.rb

@@ -89,17 +89,25 @@ class DeferredResolver
       overrides = {}
       r.parameters.each_pair do |k, v|
         resolved = resolve(v)
-        # If the value is instance of Sensitive - assign the unwrapped value
-        # and mark it as sensitive if not already marked
-        #
         case resolved
         when Puppet::Pops::Types::PSensitiveType::Sensitive
+          # If the resolved value is instance of Sensitive - assign the unwrapped value
+          # and mark it as sensitive if not already marked
+          #
           resolved = resolved.unwrap
           mark_sensitive_parameters(r, k)
-        # If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
-        # The DeferredValue.resolve method will unwrap it during catalog application
+
         when Puppet::Pops::Evaluator::DeferredValue
-          if v.arguments.any? { |arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType) }
+          # If the resolved value is a DeferredValue and it has an argument of type
+          # PSensitiveType, mark it as sensitive. Since DeferredValues can nest,
+          # we must walk all arguments, e.g. the DeferredValue may call the `epp`
+          # function, where one of its arguments is a DeferredValue to call the
+          # `vault:lookup` function.
+          #
+          # The DeferredValue.resolve method will unwrap the sensitive during
+          # catalog application
+          #
+          if contains_sensitive_args?(v)
             mark_sensitive_parameters(r, k)
           end
         end
@@ -109,6 +117,33 @@ class DeferredResolver
     end
   end
 
+  # Return true if x contains an argument that is an instance of PSensitiveType:
+  #
+  #   Deferred('new', [Sensitive, 'password'])
+  #
+  # Or an instance of PSensitiveType::Sensitive:
+  #
+  #   Deferred('join', [['a', Sensitive('b')], ':'])
+  #
+  # Since deferred values can nest, descend into Arrays and Hash keys and values,
+  # short-circuiting when the first occurrence is found.
+  #
+  def contains_sensitive_args?(x)
+    case x
+    when @deferred_class
+      contains_sensitive_args?(x.arguments)
+    when Array
+      x.any? { |v| contains_sensitive_args?(v) }
+    when Hash
+      x.any? { |k, v| contains_sensitive_args?(k) || contains_sensitive_args?(v) }
+    when Puppet::Pops::Types::PSensitiveType, Puppet::Pops::Types::PSensitiveType::Sensitive
+      true
+    else
+      false
+    end
+  end
+  private :contains_sensitive_args?
+
   def mark_sensitive_parameters(r, k)
     unless r.sensitive_parameters.include?(k.to_sym)
       r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze

data/lib/puppet/pops/evaluator/runtime3_resource_support.rb

@@ -76,7 +76,8 @@ module Runtime3ResourceSupport
   end
 
   def self.resource_to_ptype(resource)
-    nil if resource.nil?
+    return nil if resource.nil?
+
     # inference returns the meta type since the 3x Resource is an alternate way to describe a type
     Puppet::Pops::Types::TypeCalculator.singleton().infer(resource).type
   end

data/lib/puppet/pops/evaluator/runtime3_support.rb

@@ -443,12 +443,6 @@ module Runtime3Support
     resource.valid_parameter?(name)
   end
 
-  def resource_to_ptype(resource)
-    nil if resource.nil?
-    # inference returns the meta type since the 3x Resource is an alternate way to describe a type
-    type_calculator.infer(resource).type
-  end
-
   # This is the same type of "truth" as used in the current Puppet DSL.
   #
   def is_true?(value, o)

data/lib/puppet/provider/file/posix.rb

@@ -12,8 +12,22 @@ Puppet::Type.type(:file).provide :posix do
   require 'etc'
   require_relative '../../../puppet/util/selinux'
 
-  def self.post_resource_eval
-    Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support?
+  class << self
+    def selinux_handle
+      return nil unless Puppet::Util::SELinux.selinux_support?
+
+      # selabel_open takes 3 args: backend, options, and nopt. The backend param
+      # is a constant, SELABEL_CTX_FILE, which happens to be 0. Since options is
+      # nil, nopt can be 0 since nopt represents the # of options specified.
+      @selinux_handle ||= Selinux.selabel_open(Selinux::SELABEL_CTX_FILE, nil, 0)
+    end
+
+    def post_resource_eval
+      if @selinux_handle
+        Selinux.selabel_close(@selinux_handle)
+        @selinux_handle = nil
+      end
+    end
   end
 
   def uid2name(id)

data/lib/puppet/provider/package/gem.rb

@@ -83,6 +83,7 @@ Puppet::Type.type(:package).provide :gem, :parent => Puppet::Provider::Package::
       custom_environment[:PATH] = windows_path_without_puppet_bin
     end
 
+    # This uses an unusual form of passing the command and args as [<cmd>, [<arg1>, <arg2>, ...]]
     execute(cmd, { :failonfail => true, :combine => true, :custom_environment => custom_environment })
   end
 

data/lib/puppet/provider/package/pacman.rb

@@ -29,7 +29,7 @@ Puppet::Type.type(:package).provide :pacman, :parent => Puppet::Provider::Packag
 
   # Checks if a given name is a group
   def self.group?(name)
-    !pacman("-Sg", name).empty?
+    !pacman('--sync', '--groups', name).empty?
   rescue Puppet::ExecutionFailure
     # pacman returns an expected non-zero exit code when the name is not a group
     false
@@ -74,7 +74,7 @@ Puppet::Type.type(:package).provide :pacman, :parent => Puppet::Provider::Packag
   # returns a hash package => version of installed packages
   def self.get_installed_packages
     packages = {}
-    execpipe([command(:pacman), "-Q"]) do |pipe|
+    execpipe([command(:pacman), "--query"]) do |pipe|
       # pacman -Q output is 'packagename version-rel'
       regex = /^(\S+)\s(\S+)/
       pipe.each_line do |line|
@@ -96,7 +96,7 @@ Puppet::Type.type(:package).provide :pacman, :parent => Puppet::Provider::Packag
     groups = {}
     begin
       # Build a hash of group name => list of packages
-      command = [command(:pacman), "-Sgg"]
+      command = [command(:pacman), '--sync', '-gg']
       command << filter if filter
       execpipe(command) do |pipe|
         pipe.each_line do |line|
@@ -134,14 +134,14 @@ Puppet::Type.type(:package).provide :pacman, :parent => Puppet::Provider::Packag
     resource_name = @resource[:name]
 
     # If target is a group, construct the group version
-    return pacman("-Sp", "--print-format", "%n %v", resource_name).lines.map(&:chomp).sort.join(', ') if self.class.group?(resource_name)
+    return pacman("--sync", "--print", "--print-format", "%n %v", resource_name).lines.map(&:chomp).sort.join(', ') if self.class.group?(resource_name)
 
     # Start by querying with pacman first
     # If that fails, retry using yaourt against the AUR
     pacman_check = true
     begin
       if pacman_check
-        output = pacman "-Sp", "--print-format", "%v", resource_name
+        output = pacman "--sync", "--print", "--print-format", "%v", resource_name
         output.chomp
       else
         output = yaourt "-Qma", resource_name
@@ -210,8 +210,8 @@ Puppet::Type.type(:package).provide :pacman, :parent => Puppet::Provider::Packag
 
     cmd = %w[--noconfirm --noprogressbar]
     cmd += uninstall_options if @resource[:uninstall_options]
-    cmd << "-R"
-    cmd << '-s' if is_group
+    cmd << "--remove"
+    cmd << '--recursive' if is_group
     cmd << '--nosave' if purge_configs
     cmd << resource_name
 
@@ -248,8 +248,7 @@ Puppet::Type.type(:package).provide :pacman, :parent => Puppet::Provider::Packag
              else
                fail _("Source %{source} is not supported by pacman") % { source: source }
              end
-    pacman "--noconfirm", "--noprogressbar", "-S"
-    pacman "--noconfirm", "--noprogressbar", "-U", source
+    pacman "--noconfirm", "--noprogressbar", "--update", source
   end
 
   def install_from_repo
@@ -260,7 +259,7 @@ Puppet::Type.type(:package).provide :pacman, :parent => Puppet::Provider::Packag
 
     cmd = %w[--noconfirm --needed --noprogressbar]
     cmd += install_options if @resource[:install_options]
-    cmd << "-S" << resource_name
+    cmd << "--sync" << resource_name
 
     if self.class.yaourt?
       yaourt(*cmd)

data/lib/puppet/provider/package/pkgutil.rb

@@ -115,11 +115,12 @@ Puppet::Type.type(:package).provide :pkgutil, :parent => :sun, :source => :sun d
 
   # Identify common types of pkgutil noise as it downloads catalogs etc
   def self.noise?(line)
-    true if line =~ /^#/
-    true if line =~ /^Checking integrity / # use_gpg
-    true if line =~ /^gpg: /               # gpg verification
-    true if line =~ /^=+> /                # catalog fetch
-    true if line =~ /\d+:\d+:\d+ URL:/     # wget without -q
+    return true if line =~ /^#/
+    return true if line =~ /^Checking integrity / # use_gpg
+    return true if line =~ /^gpg: /               # gpg verification
+    return true if line =~ /^=+> /                # catalog fetch
+    return true if line =~ /\d+:\d+:\d+ URL:/     # wget without -q
+
     false
   end
 

data/lib/puppet/provider/package/puppet_gem.rb

@@ -8,20 +8,7 @@ Puppet::Type.type(:package).provide :puppet_gem, :parent => :gem do
 
   confine :true => Puppet.runtime[:facter].value(:aio_agent_version)
 
-  def self.windows_gemcmd
-    puppet_dir = ENV.fetch('PUPPET_DIR', nil)
-    if puppet_dir
-      File.join(puppet_dir.to_s, 'bin', 'gem.bat')
-    else
-      File.join(Gem.default_bindir, 'gem.bat')
-    end
-  end
-
-  if Puppet::Util::Platform.windows?
-    commands :gemcmd => windows_gemcmd
-  else
-    commands :gemcmd => "/opt/puppetlabs/puppet/bin/gem"
-  end
+  commands :gemcmd => Puppet.run_mode.gem_cmd
 
   def uninstall
     super
@@ -30,7 +17,9 @@ Puppet::Type.type(:package).provide :puppet_gem, :parent => :gem do
   end
 
   def self.execute_gem_command(command, command_options, custom_environment = {})
-    custom_environment['PKG_CONFIG_PATH'] = '/opt/puppetlabs/puppet/lib/pkgconfig' unless Puppet::Util::Platform.windows?
+    if (pkg_config_path = Puppet.run_mode.pkg_config_path)
+      custom_environment['PKG_CONFIG_PATH'] = pkg_config_path
+    end
     super(command, command_options, custom_environment)
   end
 end

data/lib/puppet/reference/configuration.rb

@@ -41,8 +41,14 @@ config = Puppet::Util::Reference.newreference(:configuration, :depth => 1, :doc
       val = '$confdir/hiera.yaml. However, for backwards compatibility, if a file exists at $codedir/hiera.yaml, Puppet uses that instead.'
     when 'certname'
       val = "the Host's fully qualified domain name, as determined by Facter"
+    when 'hostname'
+      val = "(the system's fully qualified hostname)"
+    when 'domain'
+      val = "(the system's own domain)"
     when 'srv_domain'
       val = 'example.com'
+    when 'http_user_agent'
+      val = 'Puppet/<version> Ruby/<version> (<architecture>)'
     end
 
     # Leave out the section information; it was apparently confusing people.
@@ -95,6 +101,5 @@ config.header = <<~EOT
 
   [confguide]: https://puppet.com/docs/puppet/latest/config_about_settings.html
 
-  * * *
 
 EOT

data/lib/puppet/resource/type.rb

@@ -33,6 +33,16 @@ class Puppet::Resource::Type
   DOUBLE_COLON = '::'
   EMPTY_ARRAY = [].freeze
 
+  LOOKAROUND_OPERATORS = {
+    "(" => 'LP',
+    "?" => "QU",
+    "<" => "LT",
+    ">" => "GT",
+    "!" => "EX",
+    "=" => "EQ",
+    ")" => 'RP'
+  }.freeze
+
   attr_accessor :file, :line, :doc, :code, :parent, :resource_type_collection, :override
   attr_reader :namespace, :arguments, :behaves_like, :module_name
 
@@ -196,7 +206,11 @@ class Puppet::Resource::Type
 
   def name
     if type == :node && name_is_regex?
-      "__node_regexp__#{@name.source.downcase.gsub(/[^-\w:.]/, '').sub(/^\.+/, '')}"
+      # Normalize lookarround regex patthern
+      internal_name = @name.source.downcase.gsub(/\(\?[^)]*\)/) do |str|
+        str.gsub(/./) { |ch| LOOKAROUND_OPERATORS[ch] || ch }
+      end
+      "__node_regexp__#{internal_name.gsub(/[^-\w:.]/, '').sub(/^\.+/, '')}"
     else
       @name
     end

data/lib/puppet/scheduler/splay_job.rb

@@ -25,15 +25,6 @@ module Puppet::Scheduler
       end
     end
 
-    # Recalculates splay.
-    #
-    # @param splay_limit [Integer] the maximum time (in seconds) to delay before an agent's first run.
-    # @return @splay [Integer] a random integer less than or equal to the splay limit that represents the seconds to
-    # delay before next agent run.
-    def splay_limit=(splay_limit)
-      @splay = calculate_splay(splay_limit)
-    end
-
     private
 
     def calculate_splay(limit)

data/lib/puppet/settings.rb

@@ -81,11 +81,11 @@ class Puppet::Settings
   end
 
   def self.hostname_fact
-    Puppet.runtime[:facter].value 'networking.hostname'
+    Puppet.runtime[:facter].value('networking.hostname')
   end
 
   def self.domain_fact
-    Puppet.runtime[:facter].value 'networking.domain'
+    Puppet.runtime[:facter].value('networking.domain')
   end
 
   def self.default_config_file_name

data/lib/puppet/transaction/resource_harness.rb

@@ -235,9 +235,13 @@ class Puppet::Transaction::ResourceHarness
   end
 
   def noop(event, param, current_value, audit_message)
-    event.message = param.format(_("current_value %s, should be %s (noop)"),
-                                 param.is_to_s(current_value),
-                                 param.should_to_s(param.should)) + audit_message.to_s
+    if param.sensitive
+      event.message = param.format(_("current_value %s, should be %s (noop)"),
+                                   param.is_to_s(current_value),
+                                   param.should_to_s(param.should)) + audit_message.to_s
+    else
+      event.message = "#{param.change_to_s(current_value, param.should)} (noop)#{audit_message}"
+    end
     event.status = "noop"
   end
 

data/lib/puppet/type/exec.rb

@@ -437,13 +437,12 @@ module Puppet
         actually contain `myfile`, the exec will keep running every time
         Puppet runs.
 
-        This parameter can also take an array of files and the command will
-        not run if **any** of these files exist. For example:
+        This parameter can also take an array of files, and the command will
+        not run if **any** of these files exist. Consider this example:
 
             creates => ['/tmp/file1', '/tmp/file2'],
 
-        will only run the command if both files don't exist.
-
+        The command is only run if both files don't exist.
       EOT
 
       accept_arrays

data/lib/puppet/type/file/checksum.rb

@@ -7,11 +7,13 @@ require_relative '../../../puppet/util/checksums'
 Puppet::Type.type(:file).newparam(:checksum) do
   include Puppet::Util::Checksums
 
+  # The default is defined in Puppet.default_digest_algorithm
   desc "The checksum type to use when determining whether to replace a file's contents.
 
-    The default checksum type is #{Puppet.default_digest_algorithm}."
+    The default checksum type is sha256."
 
-  newvalues(*Puppet::Util::Checksums.known_checksum_types)
+  # The values are defined in Puppet::Util::Checksums.known_checksum_types
+  newvalues(:sha256, :sha256lite, :md5, :md5lite, :sha1, :sha1lite, :sha512, :sha384, :sha224, :mtime, :ctime, :none)
 
   defaultto do
     Puppet[:digest_algorithm].to_sym

data/lib/puppet/type/file/ctime.rb

@@ -2,9 +2,9 @@
 
 module Puppet
   Puppet::Type.type(:file).newproperty(:ctime) do
-    desc %q(A read-only state to check the file ctime. On most modern \*nix-like
+    desc "A read-only state to check the file ctime. On most modern \*nix-like
       systems, this is the time of the most recent change to the owner, group,
-      permissions, or content of the file.)
+      permissions, or content of the file."
 
     def retrieve
       current_value = :absent

data/lib/puppet/type/file/mtime.rb

@@ -2,8 +2,8 @@
 
 module Puppet
   Puppet::Type.type(:file).newproperty(:mtime) do
-    desc %q(A read-only state to check the file mtime. On \*nix-like systems, this
-      is the time of the most recent change to the content of the file.)
+    desc "A read-only state to check the file mtime. On \*nix-like systems, this
+      is the time of the most recent change to the content of the file."
 
     def retrieve
       current_value = :absent

data/lib/puppet/type/file/selcontext.rb

@@ -40,11 +40,12 @@ module Puppet
     end
 
     def retrieve_default_context(property)
+      return nil if Puppet::Util::Platform.windows?
       if @resource[:selinux_ignore_defaults] == :true
         return nil
       end
 
-      context = get_selinux_default_context(@resource[:path], @resource[:ensure])
+      context = get_selinux_default_context_with_handle(@resource[:path], provider.class.selinux_handle, @resource[:ensure])
       unless context
         return nil
       end
@@ -85,7 +86,7 @@ module Puppet
   end
 
   Puppet::Type.type(:file).newparam(:selinux_ignore_defaults) do
-    desc "If this is set then Puppet will not ask SELinux (via matchpathcon) to
+    desc "If this is set, Puppet will not call the SELinux function selabel_lookup to
       supply defaults for the SELinux attributes (seluser, selrole,
       seltype, and selrange). In general, you should leave this set at its
       default and only set it to true when you need Puppet to not try to fix
@@ -98,7 +99,7 @@ module Puppet
   Puppet::Type.type(:file).newproperty(:seluser, :parent => Puppet::SELFileContext) do
     desc "What the SELinux user component of the context of the file should be.
       Any valid SELinux user component is accepted.  For example `user_u`.
-      If not specified it defaults to the value returned by matchpathcon for
+      If not specified, it defaults to the value returned by selabel_lookup for
       the file, if any exists.  Only valid on systems with SELinux support
       enabled."
 
@@ -109,7 +110,7 @@ module Puppet
   Puppet::Type.type(:file).newproperty(:selrole, :parent => Puppet::SELFileContext) do
     desc "What the SELinux role component of the context of the file should be.
       Any valid SELinux role component is accepted.  For example `role_r`.
-      If not specified it defaults to the value returned by matchpathcon for
+      If not specified, it defaults to the value returned by selabel_lookup for
       the file, if any exists.  Only valid on systems with SELinux support
       enabled."
 
@@ -120,7 +121,7 @@ module Puppet
   Puppet::Type.type(:file).newproperty(:seltype, :parent => Puppet::SELFileContext) do
     desc "What the SELinux type component of the context of the file should be.
       Any valid SELinux type component is accepted.  For example `tmp_t`.
-      If not specified it defaults to the value returned by matchpathcon for
+      If not specified, it defaults to the value returned by selabel_lookup for
       the file, if any exists.  Only valid on systems with SELinux support
       enabled."
 
@@ -131,8 +132,8 @@ module Puppet
   Puppet::Type.type(:file).newproperty(:selrange, :parent => Puppet::SELFileContext) do
     desc "What the SELinux range component of the context of the file should be.
       Any valid SELinux range component is accepted.  For example `s0` or
-      `SystemHigh`.  If not specified it defaults to the value returned by
-      matchpathcon for the file, if any exists.  Only valid on systems with
+      `SystemHigh`.  If not specified, it defaults to the value returned by
+      selabel_lookup for the file, if any exists.  Only valid on systems with
       SELinux support enabled and that have support for MCS (Multi-Category
       Security)."
 

data/lib/puppet/type/file/target.rb

@@ -44,22 +44,20 @@ module Puppet
 
       raise Puppet::Error, "Could not remove existing file" if Puppet::FileSystem.exist?(@resource[:path])
 
-      Dir.chdir(File.dirname(@resource[:path])) do
-        Puppet::Util::SUIDManager.asuser(@resource.asuser) do
-          mode = @resource.should(:mode)
-          if mode
-            Puppet::Util.withumask(0o00) do
-              Puppet::FileSystem.symlink(target, @resource[:path])
-            end
-          else
+      Puppet::Util::SUIDManager.asuser(@resource.asuser) do
+        mode = @resource.should(:mode)
+        if mode
+          Puppet::Util.withumask(0o00) do
             Puppet::FileSystem.symlink(target, @resource[:path])
           end
+        else
+          Puppet::FileSystem.symlink(target, @resource[:path])
         end
+      end
 
-        @resource.send(:property_fix)
+      @resource.send(:property_fix)
 
-        :link_created
-      end
+      :link_created
     end
 
     def insync?(currentvalue)

data/lib/puppet/type/package.rb

@@ -301,12 +301,13 @@ module Puppet
             command  => '/opt/ruby/bin/gem',
           }
 
-        Each provider defines a package management command; and uses the first
+        Each provider defines a package management command and uses the first
         instance of the command found in the PATH.
 
         Providers supporting the targetable feature allow you to specify the
-        absolute path of the package management command; useful when multiple
-        instances of the command are installed, or the command is not in the PATH.
+        absolute path of the package management command. Specifying the absolute
+        path is useful when multiple instances of the command are installed, or
+        the command is not in the PATH.
       EOT
 
       isnamevar

data/lib/puppet/type/user.rb

@@ -231,7 +231,7 @@ module Puppet
         * OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords
           on these systems, the `salt` and `iterations` attributes need to be specified as
           well as the password.
-        * macOS 10.15 and higher require the salt to be 32-bytes. Since Puppet's user
+        * macOS 10.15 and later require the salt to be 32 bytes. Because Puppet's user
           resource requires the value to be hex encoded, the length of the salt's
           string must be 64.
         * Windows passwords can be managed only in cleartext, because there is no Windows

data/lib/puppet/util/checksums.rb

@@ -9,6 +9,7 @@ require 'time'
 module Puppet::Util::Checksums
   module_function
 
+  # If you modify this, update puppet/type/file/checksum.rb too
   KNOWN_CHECKSUMS = [
     :sha256, :sha256lite,
     :md5, :md5lite,

data/lib/puppet/util/execution.rb

@@ -323,7 +323,7 @@ module Puppet::Util::Execution
       unless options[:squelch]
         # if we opened a pipe, we need to clean it up.
         reader.close if reader
-        stdout.close! if Puppet::Util::Platform.windows?
+        stdout.close! if stdout && Puppet::Util::Platform.windows?
       end
     end
 

data/lib/puppet/util/profiler/aggregate.rb

@@ -72,11 +72,11 @@ class Puppet::Util::Profiler::Aggregate < Puppet::Util::Profiler::WallClock
 
   class Timer
     def initialize
-      @start = Time.now
+      @start = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_second)
     end
 
     def stop
-      Time.now - @start
+      Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_second) - @start
     end
   end
 end

data/lib/puppet/util/profiler/wall_clock.rb

@@ -21,11 +21,11 @@ class Puppet::Util::Profiler::WallClock < Puppet::Util::Profiler::Logging
     FOUR_DECIMAL_DIGITS = '%0.4f'
 
     def initialize
-      @start = Time.now
+      @start = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_second)
     end
 
     def stop
-      @time = Time.now - @start
+      @time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_second) - @start
       @time
     end