patch

LukasAud · LukasAud · commit 2b8dbb878896 · 2025-10-28T15:52:15.000Z
diff --git a/lib/puppet/provider/base_dsc_lite/powershell.rb b/lib/puppet/provider/base_dsc_lite/powershell.rb
@@ -2,6 +2,8 @@
 
 require 'pathname'
 require 'json'
+require 'erb' # ensure ERB is available
+require 'puppet/pops/evaluator/deferred_resolver'
 require_relative '../../../puppet_x/puppetlabs/dsc_lite/powershell_hash_formatter'
 
 Puppet::Type.type(:base_dsc_lite).provide(:powershell) do
@@ -31,6 +33,8 @@
   Puppet (including 3.x), or to a Puppet version newer than 3.x.
   UPGRADE
 
+  # ---------- class helpers ----------
+
   def self.upgrade_message
     Puppet.warning DSC_LITE_MODULE_PUPPET_UPGRADE_MSG unless @upgrade_warning_issued
     @upgrade_warning_issued = true
@@ -40,6 +44,25 @@ def self.vendored_modules_path
     File.expand_path(Pathname.new(__FILE__).dirname + '../../../' + 'puppet_x/dsc_resources')
   end
 
+  def self.template_path
+    File.expand_path(Pathname.new(__FILE__).dirname)
+  end
+
+  def self.format_dsc_lite(dsc_value)
+    PuppetX::PuppetLabs::DscLite::PowerShellHashFormatter.format(dsc_value)
+  end
+
+  def self.escape_quotes(text)
+    text.gsub("'", "''")
+  end
+
+  def self.redact_content(content)
+    # Redact Sensitive unwraps that appear as "'secret' # PuppetSensitive"
+    content.gsub(%r{= '.+' # PuppetSensitive;?(\\n)?$}, "= '[REDACTED]'")
+  end
+
+  # ---------- instance helpers ----------
+
   def dsc_parameters
     resource.parameters_with_value.select do |p|
       p.name.to_s.include? 'dsc_'
@@ -52,10 +75,6 @@ def dsc_property_param
     end
   end
 
-  def self.template_path
-    File.expand_path(Pathname.new(__FILE__).dirname)
-  end
-
   def set_timeout
     resource[:dsc_timeout] ? resource[:dsc_timeout] * 1000 : 1_200_000
   end
@@ -65,11 +84,42 @@ def ps_manager
     Pwsh::Manager.instance(command(:powershell), Pwsh::Manager.powershell_args, debug: debug_output)
   end
 
+  # Minimal provider-side formatter for ERB (keeps patched templates working)
+  def format_for_ps(value)
+    self.class.format_dsc_lite(value)
+  end
+
+  # ---- Option 1: force-resolve all Deferreds in the catalog before rendering ----
+  def force_resolve_catalog_deferred!
+    cat = resource&.catalog
+    return unless cat
+
+    facts = Puppet.lookup(:facts) { nil }
+    env   = if cat.respond_to?(:environment_instance)
+              cat.environment_instance
+            else
+              Puppet.lookup(:current_environment) { nil }
+            end
+
+    begin
+      Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, cat, env, true)
+      Puppet.debug('DSC_lite: DeferredResolver.resolve_and_replace() invoked on catalog')
+    rescue StandardError => e
+      Puppet.debug("DSC_lite: resolve_and_replace failed: #{e.class}: #{e.message}")
+    end
+  end
+
+  # ---------- provider operations ----------
+
   def exists?
     timeout = set_timeout
     Puppet.debug "Dsc Timeout: #{timeout} milliseconds"
     version = Facter.value(:powershell_version)
     Puppet.debug "PowerShell Version: #{version}"
+
+    # Ensure all Deferreds (including nested) are resolved prior to ERB rendering
+    force_resolve_catalog_deferred!
+
     script_content = ps_script_content('test')
     Puppet.debug "\n" + self.class.redact_content(script_content)
 
@@ -97,6 +147,10 @@ def exists?
   def create
     timeout = set_timeout
     Puppet.debug "Dsc Timeout: #{timeout} milliseconds"
+
+    # Ensure all Deferreds (including nested) are resolved prior to ERB rendering
+    force_resolve_catalog_deferred!
+
     script_content = ps_script_content('set')
     Puppet.debug "\n" + self.class.redact_content(script_content)
 
@@ -138,24 +192,6 @@ def notify_reboot_pending
     end
   end
 
-  def self.format_dsc_lite(dsc_value)
-    PuppetX::PuppetLabs::DscLite::PowerShellHashFormatter.format(dsc_value)
-  end
-
-  def self.escape_quotes(text)
-    text.gsub("'", "''")
-  end
-
-  def self.redact_content(content)
-    # Note that here we match after an equals to ensure we redact the value being passed, but not the key.
-    # This means a redaction of a string not including '= ' before the string value will not redact.
-    # Every secret unwrapped in this module will unwrap as "'secret' # PuppetSensitive" and, currently,
-    # always inside a hash table to be passed along. This means we can (currently) expect the value to
-    # always come after an equals sign.
-    # Note that the line may include a semi-colon and/or a newline character after the sensitive unwrap.
-    content.gsub(%r{= '.+' # PuppetSensitive;?(\\n)?$}, "= '[REDACTED]'")
-  end
-
   def ps_script_content(mode)
     self.class.ps_script_content(mode, resource, self)
   end
@@ -165,6 +201,10 @@ def self.ps_script_content(mode, resource, provider)
     @param_hash = resource
     template_name = resource.generic_dsc ? '/invoke_generic_dsc_resource.ps1.erb' : '/invoke_dsc_resource.ps1.erb'
     file = File.new(template_path + template_name, encoding: Encoding::UTF_8)
+
+    # Make vendored_modules_path available in ERB (used by invoke_dsc_resource.ps1.erb)
+    vendored_modules_path = self.vendored_modules_path
+
     template = ERB.new(file.read, trim_mode: '-')
     template.result(binding)
   end
