cleanup

Author: LukasAud

lib/puppet/provider/base_dsc_lite/powershell.rb

@@ -2,11 +2,6 @@
 
 require 'pathname'
 require 'json'
-require 'erb' # ensure ERB is available
-require 'puppet'
-require 'puppet/node'
-require 'puppet/parser/script_compiler'
-require 'puppet/pops/evaluator/deferred_resolver'
 require_relative '../../../puppet_x/puppetlabs/dsc_lite/powershell_hash_formatter'
 
 Puppet::Type.type(:base_dsc_lite).provide(:powershell) do
@@ -36,10 +31,6 @@
   Puppet (including 3.x), or to a Puppet version newer than 3.x.
   UPGRADE
 
-  # ---------------------------
-  # Class helpers
-  # ---------------------------
-
   def self.upgrade_message
     Puppet.warning DSC_LITE_MODULE_PUPPET_UPGRADE_MSG unless @upgrade_warning_issued
     @upgrade_warning_issued = true
@@ -49,53 +40,20 @@ def self.vendored_modules_path
     File.expand_path(Pathname.new(__FILE__).dirname + '../../../' + 'puppet_x/dsc_resources')
   end
 
-  def self.template_path
-    File.expand_path(Pathname.new(__FILE__).dirname)
-  end
-
-  def self.format_dsc_lite(dsc_value)
-    PuppetX::PuppetLabs::DscLite::PowerShellHashFormatter.format(dsc_value)
-  end
-
-  def self.escape_quotes(text)
-    text.gsub("'", "''")
-  end
-
-  def self.redact_content(content)
-    # Redact Sensitive unwraps that appear as "'secret' # PuppetSensitive"
-    content.gsub(%r{= '.+' # PuppetSensitive;?(\\n)?$}, "= '[REDACTED]'")
-  end
-
-  # ---------------------------
-  # Deferred value resolution - NEW APPROACH
-  # ---------------------------
-
   # Resolve deferred values in properties right before PowerShell script generation
-  # This is the correct timing - after catalog application starts but before template rendering
   def resolve_deferred_values!
     return unless resource.parameters.key?(:properties)
 
     current_properties = resource.parameters[:properties].value
     return unless contains_deferred_values?(current_properties)
 
-    Puppet.notice('DSC PROVIDER → Resolving deferred values in properties')
-
     begin
       # Resolve deferred values directly using the properties hash
       resolved_properties = manually_resolve_deferred_values(current_properties)
-
       # Update the resource with resolved properties
       resource.parameters[:properties].value = resolved_properties
-
-      # Verify resolution worked
-      if contains_deferred_values?(resolved_properties)
-        Puppet.warning('DSC PROVIDER → Some deferred values could not be resolved')
-      else
-        Puppet.notice('DSC PROVIDER → All deferred values resolved successfully')
-      end
     rescue => e
       Puppet.warning("DSC PROVIDER → Error resolving deferred values: #{e.class}: #{e.message}")
-      Puppet.debug("DSC PROVIDER → Error backtrace: #{e.backtrace.join("\n")}")
       # Continue with unresolved values - they will be stringified but at least won't crash
     end
   end
@@ -119,25 +77,17 @@ def manually_resolve_deferred_values(value)
         # DeferredValue objects have a @proc instance variable we can call
         proc = value.instance_variable_get(:@proc)
         return proc.call if proc && proc.respond_to?(:call)
-
-        Puppet.debug('DSC PROVIDER → DeferredValue has no callable proc')
         return value.to_s
-
       elsif value && value.class.name.include?('Deferred')
         # For other Deferred types, try standard resolution
-        if value.respond_to?(:name)
-          begin
-            return Puppet::Pops::Evaluator::DeferredResolver.resolve(value.name, nil, {})
-          rescue => e
-            Puppet.debug("DSC PROVIDER → Failed to resolve Deferred object: #{e.message}")
-            return value.to_s
-          end
-        else
-          Puppet.debug('DSC PROVIDER → Deferred object has no name method')
+        return value.to_s unless value.respond_to?(:name)
+        begin
+          return Puppet::Pops::Evaluator::DeferredResolver.resolve(value.name, nil, {})
+        rescue
           return value.to_s
         end
-      end
 
+      end
       # Return the value unchanged if it's not deferred
       value
     end
@@ -157,92 +107,6 @@ def contains_deferred_values?(value)
     end
   end
 
-  # ---------------------------
-  # Legacy deferred resolution methods (keeping for reference but not using)
-  # ---------------------------
-
-  # 1) Catalog-wide resolve: replace all Deferreds/futures in the catalog
-  def force_resolve_catalog_deferred!
-    cat = resource&.catalog
-    return unless cat
-
-    facts = Puppet.lookup(:facts) { nil }
-    env   = if cat.respond_to?(:environment_instance)
-              cat.environment_instance
-            else
-              Puppet.lookup(:current_environment) { nil }
-            end
-
-    begin
-      Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, cat, env, true)
-      Puppet.notice('DSC PROVIDER SENTINEL → resolve_and_replace invoked')
-    rescue => e
-      Puppet.notice("DSC PROVIDER resolve_and_replace error: #{e.class}: #{e.message}")
-    end
-  end
-
-  # Build a compiler on the agent for local resolution
-  def build_agent_compiler(env)
-    node_name = Puppet[:node_name_value]
-    node      = Puppet::Node.new(node_name, environment: env)
-
-    # Attaching facts improves function behavior during resolve (best-effort)
-    begin
-      facts = Puppet.lookup(:facts) { nil }
-      node.add_facts(facts) if facts
-    rescue => e
-      Puppet.debug("DSC_lite: could not attach facts to node for local resolve: #{e.class}: #{e.message}")
-    end
-
-    if defined?(Puppet::Parser::ScriptCompiler)
-      Puppet::Parser::ScriptCompiler.new(node, env)
-    else
-      Puppet::Parser::Compiler.new(node)
-    end
-  end
-
-  # 2) Targeted resolve: explicitly resolve the :properties value using a resolver that
-  #    handles both Deferred and evaluator futures, then write it back to the resource.
-  def force_resolve_properties!
-    return unless resource.parameters.key?(:properties)
-
-    cat = resource&.catalog
-    env = if cat&.respond_to?(:environment_instance)
-            cat.environment_instance
-          else
-            Puppet.lookup(:current_environment) { nil }
-          end
-
-    begin
-      compiler = build_agent_compiler(env) if env
-      return unless compiler # without a compiler, local resolve can't proceed
-
-      facts = Puppet.lookup(:facts) { nil }
-
-      resolver = Puppet::Pops::Evaluator::DeferredResolver.new(compiler, true)
-      resolver.set_facts_variable(facts) if facts
-
-      # Read current value, resolve deeply, then write back into the parameter
-      current  = resource.parameters[:properties].value
-      resolved = resolver.resolve(current)
-      resource.parameters[:properties].value = resolved
-
-      # Post-check: what class is properties['Contents'] now?
-      cls = if resolved.is_a?(Hash) && resolved.key?('Contents')
-              resolved['Contents'].class
-            else
-              resolved.class
-            end
-      Puppet.notice("DSC PROVIDER SENTINEL → post-resolve properties.Contents: #{cls}")
-    rescue => e
-      Puppet.debug("DSC_lite: explicit properties resolve failed: #{e.class}: #{e.message}")
-    end
-  end
-
-  # ---------------------------
-  # Existing provider helpers
-  # ---------------------------
-
   def dsc_parameters
     resource.parameters_with_value.select do |p|
       p.name.to_s.include? 'dsc_'
@@ -255,6 +119,10 @@ def dsc_property_param
     end
   end
 
+  def self.template_path
+    File.expand_path(Pathname.new(__FILE__).dirname)
+  end
+
   def set_timeout
     resource[:dsc_timeout] ? resource[:dsc_timeout] * 1000 : 1_200_000
   end
@@ -264,32 +132,21 @@ def ps_manager
     Pwsh::Manager.instance(command(:powershell), Pwsh::Manager.powershell_args, debug: debug_output)
   end
 
-  # Keep for ERBs that call provider.format_for_ps(...)
-  def format_for_ps(value)
-    self.class.format_dsc_lite(value)
-  end
-
-  # ---------------------------
-  # Provider operations
-  # ---------------------------
-
   def exists?
-    Puppet.notice("DSC PROVIDER SENTINEL → #{__FILE__}")
-
     # Resolve deferred values right before we start processing
     resolve_deferred_values!
 
     timeout = set_timeout
     Puppet.debug "Dsc Timeout: #{timeout} milliseconds"
     version = Facter.value(:powershell_version)
     Puppet.debug "PowerShell Version: #{version}"
-
     script_content = ps_script_content('test')
     Puppet.debug "\n" + self.class.redact_content(script_content)
 
     if Pwsh::Manager.windows_powershell_supported?
       output = ps_manager.execute(script_content, timeout)
       raise Puppet::Error, output[:errormessage] if output[:errormessage]&.match?(%r{PowerShell module timeout \(\d+ ms\) exceeded while executing})
+
       output = output[:stdout]
     else
       self.class.upgrade_message
@@ -308,20 +165,18 @@ def exists?
   end
 
   def create
-    Puppet.notice("DSC PROVIDER SENTINEL → #{__FILE__}")
-
     # Resolve deferred values right before we start processing
     resolve_deferred_values!
 
     timeout = set_timeout
     Puppet.debug "Dsc Timeout: #{timeout} milliseconds"
-
     script_content = ps_script_content('set')
     Puppet.debug "\n" + self.class.redact_content(script_content)
 
     if Pwsh::Manager.windows_powershell_supported?
       output = ps_manager.execute(script_content, timeout)
       raise Puppet::Error, output[:errormessage] if output[:errormessage]&.match?(%r{PowerShell module timeout \(\d+ ms\) exceeded while executing})
+
       output = output[:stdout]
     else
       self.class.upgrade_message
@@ -332,6 +187,7 @@ def create
     data = JSON.parse(output)
 
     raise(data['errormessage']) unless data['errormessage'].empty?
+
     notify_reboot_pending if data['rebootrequired'] == true
 
     data
@@ -355,19 +211,32 @@ def notify_reboot_pending
     end
   end
 
+  def self.format_dsc_lite(dsc_value)
+    PuppetX::PuppetLabs::DscLite::PowerShellHashFormatter.format(dsc_value)
+  end
+
+  def self.escape_quotes(text)
+    text.gsub("'", "''")
+  end
+
+  def self.redact_content(content)
+    # Note that here we match after an equals to ensure we redact the value being passed, but not the key.
+    # This means a redaction of a string not including '= ' before the string value will not redact.
+    # Every secret unwrapped in this module will unwrap as "'secret' # PuppetSensitive" and, currently,
+    # always inside a hash table to be passed along. This means we can (currently) expect the value to
+    # always come after an equals sign.
+    # Note that the line may include a semi-colon and/or a newline character after the sensitive unwrap.
+    content.gsub(%r{= '.+' # PuppetSensitive;?(\\n)?$}, "= '[REDACTED]'")
+  end
+
   def ps_script_content(mode)
     self.class.ps_script_content(mode, resource, self)
   end
 
   def self.ps_script_content(mode, resource, provider)
-    dsc_invoke_method = mode
     @param_hash = resource
     template_name = resource.generic_dsc ? '/invoke_generic_dsc_resource.ps1.erb' : '/invoke_dsc_resource.ps1.erb'
     file = File.new(template_path + template_name, encoding: Encoding::UTF_8)
-
-    # Make vendored_modules_path visible in ERB if the template uses it
-    vendored_modules_path = self.vendored_modules_path
-
     template = ERB.new(file.read, trim_mode: '-')
     template.result(binding)
   end

lib/puppet/type/dsc.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'pathname'
-require 'puppet/pops/evaluator/deferred_resolver' # ← add: resolver API
 
 Puppet::Type.newtype(:dsc) do
   desc <<-DOC
@@ -109,9 +108,6 @@ def change_to_s(currentvalue, newvalue)
     munge do |value|
       # Don't try to resolve deferred values during munge - they should be resolved
       # on the agent during catalog application, not during catalog compilation.
-      # Just pass them through to the provider for proper resolution timing.
-      Puppet.notice("DSC TYPE SENTINEL → #{__FILE__} - letting deferred values pass through")
-
       PuppetX::DscLite::TypeHelpers.munge_sensitive_hash(value)
     end
   end