powershell adjustment

LukasAud · LukasAud · commit 08b69bfefb81 · 2025-10-31T12:52:48.000Z
diff --git a/lib/puppet/provider/base_dsc_lite/powershell.rb b/lib/puppet/provider/base_dsc_lite/powershell.rb
@@ -2,6 +2,10 @@
 
 require 'pathname'
 require 'json'
+require 'erb' # ensure ERB is available
+require 'puppet'
+require 'puppet/node'
+require 'puppet/parser/script_compiler'
 require 'puppet/pops/evaluator/deferred_resolver'
 require_relative '../../../puppet_x/puppetlabs/dsc_lite/powershell_hash_formatter'
 
@@ -41,9 +45,13 @@ def self.vendored_modules_path
     File.expand_path(Pathname.new(__FILE__).dirname + '../../../' + 'puppet_x/dsc_resources')
   end
 
+  # ---------- Resolution helpers (Option 2) ----------
+
+  # 1) Catalog-wide resolve: replace all Deferreds/futures in the catalog
   def force_resolve_catalog_deferred!
     cat = resource&.catalog
     return unless cat
+
     facts = Puppet.lookup(:facts) { nil }
     env   = if cat.respond_to?(:environment_instance)
               cat.environment_instance
@@ -58,6 +66,59 @@ def force_resolve_catalog_deferred!
     end
   end
 
+  # Build a compiler on the agent for local resolution (ScriptCompiler on Puppet 8)
+  def build_agent_compiler(env)
+    node_name = Puppet[:node_name_value]
+    node      = Puppet::Node.new(node_name, environment: env)
+
+    # If you can attach facts, do so—it can influence function behavior during resolve
+    begin
+      facts = Puppet.lookup(:facts) { nil }
+      node.add_facts(facts) if facts
+    rescue => e
+      Puppet.debug("DSC_lite: could not attach facts to node for local resolve: #{e.class}: #{e.message}")
+    end
+
+    if defined?(Puppet::Parser::ScriptCompiler)
+      Puppet::Parser::ScriptCompiler.new(node, env)
+    else
+      Puppet::Parser::Compiler.new(node)
+    end
+  end
+
+  # 2) Targeted resolve: explicitly resolve the :properties value using a resolver that
+  #    can handle both Deferred and evaluator futures, then write it back to the resource.
+  def force_resolve_properties!
+    return unless resource.parameters.key?(:properties)
+
+    cat = resource&.catalog
+    env = if cat&.respond_to?(:environment_instance)
+            cat.environment_instance
+          else
+            Puppet.lookup(:current_environment) { nil }
+          end
+
+    begin
+      compiler = build_agent_compiler(env) if env
+      return unless compiler # without a compiler, local resolve can't proceed
+
+      facts = Puppet.lookup(:facts) { nil }
+
+      resolver = Puppet::Pops::Evaluator::DeferredResolver.new(compiler, true)
+      resolver.set_facts_variable(facts) if facts
+
+      props = resource.parameters[:properties].value
+      resolved = resolver.resolve(props) # handles nested Deferred and futures
+      resource.parameters[:properties].value = resolved
+
+      Puppet.debug('DSC_lite: explicitly resolved resource[:properties] on agent')
+    rescue => e
+      Puppet.debug("DSC_lite: explicit properties resolve failed: #{e.class}: #{e.message}")
+    end
+  end
+
+  # ---------- Existing provider helpers ----------
+
   def dsc_parameters
     resource.parameters_with_value.select do |p|
       p.name.to_s.include? 'dsc_'
@@ -83,20 +144,31 @@ def ps_manager
     Pwsh::Manager.instance(command(:powershell), Pwsh::Manager.powershell_args, debug: debug_output)
   end
 
+  # If your ERBs call provider.format_for_ps(...), keep this minimal helper
+  def format_for_ps(value)
+    self.class.format_dsc_lite(value)
+  end
+
+  # ---------- Provider operations ----------
+
   def exists?
     Puppet.notice("DSC PROVIDER SENTINEL → #{__FILE__}")
+
+    # Two-stage resolve before we render ERB
     force_resolve_catalog_deferred!
+    force_resolve_properties!
+
     timeout = set_timeout
     Puppet.debug "Dsc Timeout: #{timeout} milliseconds"
     version = Facter.value(:powershell_version)
     Puppet.debug "PowerShell Version: #{version}"
+
     script_content = ps_script_content('test')
     Puppet.debug "\n" + self.class.redact_content(script_content)
 
     if Pwsh::Manager.windows_powershell_supported?
       output = ps_manager.execute(script_content, timeout)
       raise Puppet::Error, output[:errormessage] if output[:errormessage]&.match?(%r{PowerShell module timeout \(\d+ ms\) exceeded while executing})
-
       output = output[:stdout]
     else
       self.class.upgrade_message
@@ -116,16 +188,20 @@ def exists?
 
   def create
     Puppet.notice("DSC PROVIDER SENTINEL → #{__FILE__}")
+
+    # Two-stage resolve before we render ERB
     force_resolve_catalog_deferred!
+    force_resolve_properties!
+
     timeout = set_timeout
     Puppet.debug "Dsc Timeout: #{timeout} milliseconds"
+
     script_content = ps_script_content('set')
     Puppet.debug "\n" + self.class.redact_content(script_content)
 
     if Pwsh::Manager.windows_powershell_supported?
       output = ps_manager.execute(script_content, timeout)
       raise Puppet::Error, output[:errormessage] if output[:errormessage]&.match?(%r{PowerShell module timeout \(\d+ ms\) exceeded while executing})
-
       output = output[:stdout]
     else
       self.class.upgrade_message
@@ -136,7 +212,6 @@ def create
     data = JSON.parse(output)
 
     raise(data['errormessage']) unless data['errormessage'].empty?
-
     notify_reboot_pending if data['rebootrequired'] == true
 
     data
@@ -169,12 +244,7 @@ def self.escape_quotes(text)
   end
 
   def self.redact_content(content)
-    # Note that here we match after an equals to ensure we redact the value being passed, but not the key.
-    # This means a redaction of a string not including '= ' before the string value will not redact.
-    # Every secret unwrapped in this module will unwrap as "'secret' # PuppetSensitive" and, currently,
-    # always inside a hash table to be passed along. This means we can (currently) expect the value to
-    # always come after an equals sign.
-    # Note that the line may include a semi-colon and/or a newline character after the sensitive unwrap.
+    # NOTE: match after '=' so we redact the value being passed, but not the key
     content.gsub(%r{= '.+' # PuppetSensitive;?(\\n)?$}, "= '[REDACTED]'")
   end
 
@@ -187,6 +257,10 @@ def self.ps_script_content(mode, resource, provider)
     @param_hash = resource
     template_name = resource.generic_dsc ? '/invoke_generic_dsc_resource.ps1.erb' : '/invoke_dsc_resource.ps1.erb'
     file = File.new(template_path + template_name, encoding: Encoding::UTF_8)
+
+    # Make vendored_modules_path visible in ERB if the template uses it
+    vendored_modules_path = self.vendored_modules_path
+
     template = ERB.new(file.read, trim_mode: '-')
     template.result(binding)
   end
