adjust type to account for deferred

Author: LukasAud

lib/puppet/provider/base_dsc_lite/powershell.rb

@@ -2,6 +2,11 @@
 
 require 'pathname'
 require 'json'
+require 'erb' # ensure ERB is available
+require 'puppet'
+require 'puppet/node'
+require 'puppet/parser/script_compiler'
+require 'puppet/pops/evaluator/deferred_resolver'
 require_relative '../../../puppet_x/puppetlabs/dsc_lite/powershell_hash_formatter'
 
 Puppet::Type.type(:base_dsc_lite).provide(:powershell) do
@@ -31,6 +36,10 @@
   Puppet (including 3.x), or to a Puppet version newer than 3.x.
   UPGRADE
 
+  # ---------------------------
+  # Class helpers
+  # ---------------------------
+
   def self.upgrade_message
     Puppet.warning DSC_LITE_MODULE_PUPPET_UPGRADE_MSG unless @upgrade_warning_issued
     @upgrade_warning_issued = true
@@ -40,6 +49,200 @@ def self.vendored_modules_path
     File.expand_path(Pathname.new(__FILE__).dirname + '../../../' + 'puppet_x/dsc_resources')
   end
 
+  def self.template_path
+    File.expand_path(Pathname.new(__FILE__).dirname)
+  end
+
+  def self.format_dsc_lite(dsc_value)
+    PuppetX::PuppetLabs::DscLite::PowerShellHashFormatter.format(dsc_value)
+  end
+
+  def self.escape_quotes(text)
+    text.gsub("'", "''")
+  end
+
+  def self.redact_content(content)
+    # Redact Sensitive unwraps that appear as "'secret' # PuppetSensitive"
+    content.gsub(%r{= '.+' # PuppetSensitive;?(\\n)?$}, "= '[REDACTED]'")
+  end
+
+  # ---------------------------
+  # Deferred value resolution - NEW APPROACH
+  # ---------------------------
+
+  # Resolve deferred values in properties right before PowerShell script generation
+  # This is the correct timing - after catalog application starts but before template rendering
+  def resolve_deferred_values!
+    return unless resource.parameters.key?(:properties)
+
+    current_properties = resource.parameters[:properties].value
+    return unless contains_deferred_values?(current_properties)
+
+    Puppet.notice('DSC PROVIDER → Resolving deferred values in properties')
+
+    begin
+      # Resolve deferred values directly using the properties hash
+      resolved_properties = manually_resolve_deferred_values(current_properties)
+
+      # Update the resource with resolved properties
+      resource.parameters[:properties].value = resolved_properties
+
+      # Verify resolution worked
+      if contains_deferred_values?(resolved_properties)
+        Puppet.warning('DSC PROVIDER → Some deferred values could not be resolved')
+      else
+        Puppet.notice('DSC PROVIDER → All deferred values resolved successfully')
+      end
+    rescue => e
+      Puppet.warning("DSC PROVIDER → Error resolving deferred values: #{e.class}: #{e.message}")
+      Puppet.debug("DSC PROVIDER → Error backtrace: #{e.backtrace.join("\n")}")
+      # Continue with unresolved values - they will be stringified but at least won't crash
+    end
+  end
+
+  # Recursively resolve deferred values in a data structure
+  def manually_resolve_deferred_values(value)
+    case value
+    when Hash
+      resolved_hash = {}
+      value.each do |k, v|
+        resolved_key = manually_resolve_deferred_values(k)
+        resolved_value = manually_resolve_deferred_values(v)
+        resolved_hash[resolved_key] = resolved_value
+      end
+      resolved_hash
+    when Array
+      value.map { |v| manually_resolve_deferred_values(v) }
+    else
+      # Handle different types of deferred objects
+      if value.is_a?(Puppet::Pops::Evaluator::DeferredValue)
+        # DeferredValue objects have a @proc instance variable we can call
+        proc = value.instance_variable_get(:@proc)
+        return proc.call if proc && proc.respond_to?(:call)
+
+        Puppet.debug('DSC PROVIDER → DeferredValue has no callable proc')
+        return value.to_s
+
+      elsif value && value.class.name.include?('Deferred')
+        # For other Deferred types, try standard resolution
+        if value.respond_to?(:name)
+          begin
+            return Puppet::Pops::Evaluator::DeferredResolver.resolve(value.name, nil, {})
+          rescue => e
+            Puppet.debug("DSC PROVIDER → Failed to resolve Deferred object: #{e.message}")
+            return value.to_s
+          end
+        else
+          Puppet.debug('DSC PROVIDER → Deferred object has no name method')
+          return value.to_s
+        end
+      end
+
+      # Return the value unchanged if it's not deferred
+      value
+    end
+  end
+
+  # Check if a value contains any deferred values (recursively)
+  def contains_deferred_values?(value)
+    case value
+    when Hash
+      value.any? { |k, v| contains_deferred_values?(k) || contains_deferred_values?(v) }
+    when Array
+      value.any? { |v| contains_deferred_values?(v) }
+    else
+      # Check if this is a Deferred object or DeferredValue
+      value && (value.class.name.include?('Deferred') ||
+                value.is_a?(Puppet::Pops::Evaluator::DeferredValue))
+    end
+  end
+
+  # ---------------------------
+  # Legacy deferred resolution methods (keeping for reference but not using)
+  # ---------------------------
+
+  # 1) Catalog-wide resolve: replace all Deferreds/futures in the catalog
+  def force_resolve_catalog_deferred!
+    cat = resource&.catalog
+    return unless cat
+
+    facts = Puppet.lookup(:facts) { nil }
+    env   = if cat.respond_to?(:environment_instance)
+              cat.environment_instance
+            else
+              Puppet.lookup(:current_environment) { nil }
+            end
+
+    begin
+      Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, cat, env, true)
+      Puppet.notice('DSC PROVIDER SENTINEL → resolve_and_replace invoked')
+    rescue => e
+      Puppet.notice("DSC PROVIDER resolve_and_replace error: #{e.class}: #{e.message}")
+    end
+  end
+
+  # Build a compiler on the agent for local resolution
+  def build_agent_compiler(env)
+    node_name = Puppet[:node_name_value]
+    node      = Puppet::Node.new(node_name, environment: env)
+
+    # Attaching facts improves function behavior during resolve (best-effort)
+    begin
+      facts = Puppet.lookup(:facts) { nil }
+      node.add_facts(facts) if facts
+    rescue => e
+      Puppet.debug("DSC_lite: could not attach facts to node for local resolve: #{e.class}: #{e.message}")
+    end
+
+    if defined?(Puppet::Parser::ScriptCompiler)
+      Puppet::Parser::ScriptCompiler.new(node, env)
+    else
+      Puppet::Parser::Compiler.new(node)
+    end
+  end
+
+  # 2) Targeted resolve: explicitly resolve the :properties value using a resolver that
+  #    handles both Deferred and evaluator futures, then write it back to the resource.
+  def force_resolve_properties!
+    return unless resource.parameters.key?(:properties)
+
+    cat = resource&.catalog
+    env = if cat&.respond_to?(:environment_instance)
+            cat.environment_instance
+          else
+            Puppet.lookup(:current_environment) { nil }
+          end
+
+    begin
+      compiler = build_agent_compiler(env) if env
+      return unless compiler # without a compiler, local resolve can't proceed
+
+      facts = Puppet.lookup(:facts) { nil }
+
+      resolver = Puppet::Pops::Evaluator::DeferredResolver.new(compiler, true)
+      resolver.set_facts_variable(facts) if facts
+
+      # Read current value, resolve deeply, then write back into the parameter
+      current  = resource.parameters[:properties].value
+      resolved = resolver.resolve(current)
+      resource.parameters[:properties].value = resolved
+
+      # Post-check: what class is properties['Contents'] now?
+      cls = if resolved.is_a?(Hash) && resolved.key?('Contents')
+              resolved['Contents'].class
+            else
+              resolved.class
+            end
+      Puppet.notice("DSC PROVIDER SENTINEL → post-resolve properties.Contents: #{cls}")
+    rescue => e
+      Puppet.debug("DSC_lite: explicit properties resolve failed: #{e.class}: #{e.message}")
+    end
+  end
+
+  # ---------------------------
+  # Existing provider helpers
+  # ---------------------------
+
   def dsc_parameters
     resource.parameters_with_value.select do |p|
       p.name.to_s.include? 'dsc_'
@@ -52,10 +255,6 @@ def dsc_property_param
     end
   end
 
-  def self.template_path
-    File.expand_path(Pathname.new(__FILE__).dirname)
-  end
-
   def set_timeout
     resource[:dsc_timeout] ? resource[:dsc_timeout] * 1000 : 1_200_000
   end
@@ -65,18 +264,32 @@ def ps_manager
     Pwsh::Manager.instance(command(:powershell), Pwsh::Manager.powershell_args, debug: debug_output)
   end
 
+  # Keep for ERBs that call provider.format_for_ps(...)
+  def format_for_ps(value)
+    self.class.format_dsc_lite(value)
+  end
+
+  # ---------------------------
+  # Provider operations
+  # ---------------------------
+
   def exists?
+    Puppet.notice("DSC PROVIDER SENTINEL → #{__FILE__}")
+
+    # Resolve deferred values right before we start processing
+    resolve_deferred_values!
+
     timeout = set_timeout
     Puppet.debug "Dsc Timeout: #{timeout} milliseconds"
     version = Facter.value(:powershell_version)
     Puppet.debug "PowerShell Version: #{version}"
+
     script_content = ps_script_content('test')
     Puppet.debug "\n" + self.class.redact_content(script_content)
 
     if Pwsh::Manager.windows_powershell_supported?
       output = ps_manager.execute(script_content, timeout)
       raise Puppet::Error, output[:errormessage] if output[:errormessage]&.match?(%r{PowerShell module timeout \(\d+ ms\) exceeded while executing})
-
       output = output[:stdout]
     else
       self.class.upgrade_message
@@ -95,15 +308,20 @@ def exists?
   end
 
   def create
+    Puppet.notice("DSC PROVIDER SENTINEL → #{__FILE__}")
+
+    # Resolve deferred values right before we start processing
+    resolve_deferred_values!
+
     timeout = set_timeout
     Puppet.debug "Dsc Timeout: #{timeout} milliseconds"
+
     script_content = ps_script_content('set')
     Puppet.debug "\n" + self.class.redact_content(script_content)
 
     if Pwsh::Manager.windows_powershell_supported?
       output = ps_manager.execute(script_content, timeout)
       raise Puppet::Error, output[:errormessage] if output[:errormessage]&.match?(%r{PowerShell module timeout \(\d+ ms\) exceeded while executing})
-
       output = output[:stdout]
     else
       self.class.upgrade_message
@@ -114,7 +332,6 @@ def create
     data = JSON.parse(output)
 
     raise(data['errormessage']) unless data['errormessage'].empty?
-
     notify_reboot_pending if data['rebootrequired'] == true
 
     data
@@ -138,24 +355,6 @@ def notify_reboot_pending
     end
   end
 
-  def self.format_dsc_lite(dsc_value)
-    PuppetX::PuppetLabs::DscLite::PowerShellHashFormatter.format(dsc_value)
-  end
-
-  def self.escape_quotes(text)
-    text.gsub("'", "''")
-  end
-
-  def self.redact_content(content)
-    # Note that here we match after an equals to ensure we redact the value being passed, but not the key.
-    # This means a redaction of a string not including '= ' before the string value will not redact.
-    # Every secret unwrapped in this module will unwrap as "'secret' # PuppetSensitive" and, currently,
-    # always inside a hash table to be passed along. This means we can (currently) expect the value to
-    # always come after an equals sign.
-    # Note that the line may include a semi-colon and/or a newline character after the sensitive unwrap.
-    content.gsub(%r{= '.+' # PuppetSensitive;?(\\n)?$}, "= '[REDACTED]'")
-  end
-
   def ps_script_content(mode)
     self.class.ps_script_content(mode, resource, self)
   end
@@ -165,6 +364,10 @@ def self.ps_script_content(mode, resource, provider)
     @param_hash = resource
     template_name = resource.generic_dsc ? '/invoke_generic_dsc_resource.ps1.erb' : '/invoke_dsc_resource.ps1.erb'
     file = File.new(template_path + template_name, encoding: Encoding::UTF_8)
+
+    # Make vendored_modules_path visible in ERB if the template uses it
+    vendored_modules_path = self.vendored_modules_path
+
     template = ERB.new(file.read, trim_mode: '-')
     template.result(binding)
   end

lib/puppet/type/dsc.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'pathname'
+require 'puppet/pops/evaluator/deferred_resolver' # ← add: resolver API
 
 Puppet::Type.newtype(:dsc) do
   desc <<-DOC
@@ -17,6 +18,7 @@ module        => 'PSDesiredStateConfiguration',
         }
       }
   DOC
+
   require Pathname.new(__FILE__).dirname + '../../' + 'puppet/type/base_dsc_lite'
   require Pathname.new(__FILE__).dirname + '../../puppet_x/puppetlabs/dsc_lite/dsc_type_helpers'
 
@@ -105,6 +107,11 @@ def change_to_s(currentvalue, newvalue)
     end
 
     munge do |value|
+      # Don't try to resolve deferred values during munge - they should be resolved
+      # on the agent during catalog application, not during catalog compilation.
+      # Just pass them through to the provider for proper resolution timing.
+      Puppet.notice("DSC TYPE SENTINEL → #{__FILE__} - letting deferred values pass through")
+
       PuppetX::DscLite::TypeHelpers.munge_sensitive_hash(value)
     end
   end