patch

LukasAud · LukasAud · commit a62937aab4b9 · 2025-10-28T10:03:50.000Z
diff --git a/lib/puppet/provider/base_dsc_lite/invoke_dsc_resource.ps1.erb b/lib/puppet/provider/base_dsc_lite/invoke_dsc_resource.ps1.erb
@@ -36,11 +36,13 @@ $invokeParams = @{
     if name == 'ensure' && dsc_invoke_method == 'test'
       value = "\'#{resource.parameters[:ensure].default.to_s}\'"
     elsif p.mof_type == 'MSFT_Credential'
-      value = "[PSCustomObject]#{format_dsc_value(p.value)} | new-pscredential"
+      # Route via provider helper so last-chance Deferred resolution can run on agent
+      value = "[PSCustomObject]#{provider.format_for_ps(p.value)} | new-pscredential"
     elsif p.mof_is_embedded? && p.mof_type != 'MSFT_KeyValuePair'
       vals = p.value.is_a?(Hash) ? [p.value] : p.value
       vals = vals.collect do |v|
-        "(New-CimInstance -ClassName '#{p.mof_type.gsub('[]','')}' -ClientOnly -Property #{format_dsc_value(v)})"
+        # Route embedded instance Property hashtable via provider formatter (Deferred-safe)
+        "(New-CimInstance -ClassName '#{p.mof_type.gsub('[]','')}' -ClientOnly -Property #{provider.format_for_ps(v)})"
       end
       # Ensure that we pass a single CimInstance or array correctly based on MOF schema definition
       if p.value.is_a?(Hash)
@@ -49,7 +51,8 @@ $invokeParams = @{
         value = "[CimInstance[]]@(#{vals.join(',')})"
       end
     else
-      value = format_dsc_value(p.value)
+      # Default path: format via provider helper (Deferred-safe)
+      value = provider.format_for_ps(p.value)
     end
     -%>
     <%= name %> = <%= value %>
diff --git a/lib/puppet/provider/base_dsc_lite/invoke_generic_dsc_resource.ps1.erb b/lib/puppet/provider/base_dsc_lite/invoke_generic_dsc_resource.ps1.erb
@@ -22,18 +22,12 @@ $response = @{
 }
 
 $invokeParams = @{
-Name       = '<%= resource.parameters[:resource_name].value %>'
-ModuleName = <% if resource.parameters[:module].value.is_a?(Hash) -%>
-@{
-modulename    = '<%= resource.parameters[:module].value['name'] %>'
-moduleversion = '<%= resource.parameters[:module].value['version'] %>'
-}
-<% else -%>
-'<%= resource.parameters[:module].value %>'
-<% end -%>
-Method     = '<%= dsc_invoke_method %>'
-Property   = <% provider.dsc_property_param.each do |p| -%>
-<%= format_dsc_lite(p.value) %>
+  # Route values through provider helper so last-chance Deferred resolution can run on agent
+  Name       = <%= provider.format_for_ps(resource.parameters[:resource_name].value) %>
+  ModuleName = <%= provider.format_for_ps(resource.parameters[:module].value) %>
+  Method     = <%= provider.format_for_ps(dsc_invoke_method) %>
+  Property   = <% provider.dsc_property_param.each do |p| -%>
+<%= provider.format_for_ps(p.value) %>
 <% end -%>
 }
 
diff --git a/lib/puppet/provider/base_dsc_lite/powershell.rb b/lib/puppet/provider/base_dsc_lite/powershell.rb
@@ -2,6 +2,7 @@
 
 require 'pathname'
 require 'json'
+require 'erb' # ensure ERB is available
 require_relative '../../../puppet_x/puppetlabs/dsc_lite/powershell_hash_formatter'
 
 Puppet::Type.type(:base_dsc_lite).provide(:powershell) do
@@ -31,6 +32,10 @@
   Puppet (including 3.x), or to a Puppet version newer than 3.x.
   UPGRADE
 
+  # ---------------------------
+  # Class-level helpers
+  # ---------------------------
+
   def self.upgrade_message
     Puppet.warning DSC_LITE_MODULE_PUPPET_UPGRADE_MSG unless @upgrade_warning_issued
     @upgrade_warning_issued = true
@@ -40,22 +45,48 @@ def self.vendored_modules_path
     File.expand_path(Pathname.new(__FILE__).dirname + '../../../' + 'puppet_x/dsc_resources')
   end
 
+  def self.template_path
+    File.expand_path(Pathname.new(__FILE__).dirname)
+  end
+
+  def self.format_dsc_lite(dsc_value)
+    # Keep this PURE to avoid breaking unit tests:
+    # it should not try to resolve Deferred values.
+    PuppetX::PuppetLabs::DscLite::PowerShellHashFormatter.format(dsc_value)
+  end
+
+  def self.escape_quotes(text)
+    text.gsub("'", "''")
+  end
+
+  def self.redact_content(content)
+    # Note that here we match after an equals to ensure we redact the value being passed, but not the key.
+    # This means a redaction of a string not including '= ' before the string value will not redact.
+    # Every secret unwrapped in this module will unwrap as "'secret' # PuppetSensitive" and, currently,
+    # always inside a hash table to be passed along. This means we can (currently) expect the value to
+    # always come after an equals sign.
+    # Note that the line may include a semi-colon and/or a newline character after the sensitive unwrap.
+    content.gsub(%r{= '.+' # PuppetSensitive;?(\\n)?$}, "= '[REDACTED]'")
+  end
+
+  # ---------------------------
+  # Instance-level helpers
+  # ---------------------------
+
+  # Return only dsc_* parameters that have a value
   def dsc_parameters
     resource.parameters_with_value.select do |p|
       p.name.to_s.include? 'dsc_'
     end
   end
 
+  # Return the :properties parameter (if provided)
   def dsc_property_param
     resource.parameters_with_value.select { |pr| pr.name == :properties }.each do |p|
       p.name.to_s.include? 'dsc_'
     end
   end
 
-  def self.template_path
-    File.expand_path(Pathname.new(__FILE__).dirname)
-  end
-
   def set_timeout
     resource[:dsc_timeout] ? resource[:dsc_timeout] * 1000 : 1_200_000
   end
@@ -65,11 +96,83 @@ def ps_manager
     Pwsh::Manager.instance(command(:powershell), Pwsh::Manager.powershell_args, debug: debug_output)
   end
 
+  # --- NEW: deep scan for Deferred ---
+  # Recursively detect any object whose class name suggests it's a Puppet Deferred
+  def deep_contains_deferred?(obj)
+    case obj
+    when Hash
+      obj.any? { |k, v| deep_contains_deferred?(k) || deep_contains_deferred?(v) }
+    when Array
+      obj.any? { |v| deep_contains_deferred?(v) }
+    else
+      obj && obj.class && obj.class.name.to_s.include?('Deferred')
+    end
+  end
+
+  # --- NEW: best-effort resolution hook ---
+  # Attempt to resolve any remaining Deferreds before rendering ERB.
+  # This is intentionally defensive: it tries available agent-side options
+  # and degrades to no-op if none are present.
+  def ensure_deferreds_resolved!
+    # 1) Catalog-wide resolve (if the catalog supports it)
+    begin
+      cat = resource&.catalog
+      if cat && cat.respond_to?(:resolve_and_replace)
+        cat.resolve_and_replace
+        Puppet.debug('DSC_lite: called catalog.resolve_and_replace for last-chance Deferred resolution')
+      end
+    rescue StandardError => e
+      Puppet.debug("DSC_lite: resolve_and_replace raised #{e.class}: #{e.message}")
+    end
+
+    # 2) Compiler lookup (often nil in agent/provider context)
+    begin
+      compiler = Puppet.respond_to?(:lookup) ? Puppet.lookup(:compiler) { nil } : nil
+      Puppet.debug('DSC_lite: compiler available for resolution') if compiler
+    rescue StandardError => e
+      Puppet.debug("DSC_lite: compiler lookup failed: #{e.class}: #{e.message}")
+    end
+
+    # 3) Nothing else to do safely here—actual evaluation requires scope,
+    # which agent providers typically don't have. We rely on (1), and if
+    # it still leaks we'll detect/log just before formatting.
+    nil
+  end
+
+  # --- NEW: provider helper used by ERB ---
+  # Route every formatted value through here so we can:
+  #  - perform a last-chance Deferred resolution
+  #  - then delegate to the pure formatter
+  def format_for_ps(value)
+    if deep_contains_deferred?(value)
+      Puppet.debug('DSC_lite: Deferred detected in ERB-bound value; attempting last-chance resolution')
+      ensure_deferreds_resolved!
+      if deep_contains_deferred?(value)
+        Puppet.debug('DSC_lite: value still contains Deferred after last-chance resolution')
+        # Optional: uncomment to fail fast with a clearer message instead of formatter type error
+        # raise Puppet::Error, 'DSC_lite: Deferred value reached ERB formatting; '\
+        #                      'agent invoked provider before deferrals completed (Puppet 8 timing).'
+      end
+    end
+    self.class.format_dsc_lite(value)
+  end
+  # ---------------------------
+  # Provider operations
+  # ---------------------------
+
   def exists?
     timeout = set_timeout
     Puppet.debug "Dsc Timeout: #{timeout} milliseconds"
     version = Facter.value(:powershell_version)
     Puppet.debug "PowerShell Version: #{version}"
+
+    # Last-chance resolve + pinpoint diagnostic BEFORE rendering
+    ensure_deferreds_resolved!
+    leaks = resource.parameters_with_value
+                    .select { |p| deep_contains_deferred?(p.value) }
+                    .map { |p| "#{p.name}=#{p.value.class}" }
+    Puppet.debug("DSC_lite: still deferred after resolution? #{leaks.join(', ')}")
+
     script_content = ps_script_content('test')
     Puppet.debug "\n" + self.class.redact_content(script_content)
 
@@ -97,6 +200,14 @@ def exists?
   def create
     timeout = set_timeout
     Puppet.debug "Dsc Timeout: #{timeout} milliseconds"
+
+    # Last-chance resolve + pinpoint diagnostic BEFORE rendering
+    ensure_deferreds_resolved!
+    leaks = resource.parameters_with_value
+                    .select { |p| deep_contains_deferred?(p.value) }
+                    .map { |p| "#{p.name}=#{p.value.class}" }
+    Puppet.debug("DSC_lite: still deferred after resolution? #{leaks.join(', ')}")
+
     script_content = ps_script_content('set')
     Puppet.debug "\n" + self.class.redact_content(script_content)
 
@@ -116,7 +227,6 @@ def create
     raise(data['errormessage']) unless data['errormessage'].empty?
 
     notify_reboot_pending if data['rebootrequired'] == true
-
     data
   end
 
@@ -138,34 +248,20 @@ def notify_reboot_pending
     end
   end
 
-  def self.format_dsc_lite(dsc_value)
-    PuppetX::PuppetLabs::DscLite::PowerShellHashFormatter.format(dsc_value)
-  end
-
-  def self.escape_quotes(text)
-    text.gsub("'", "''")
-  end
-
-  def self.redact_content(content)
-    # Note that here we match after an equals to ensure we redact the value being passed, but not the key.
-    # This means a redaction of a string not including '= ' before the string value will not redact.
-    # Every secret unwrapped in this module will unwrap as "'secret' # PuppetSensitive" and, currently,
-    # always inside a hash table to be passed along. This means we can (currently) expect the value to
-    # always come after an equals sign.
-    # Note that the line may include a semi-colon and/or a newline character after the sensitive unwrap.
-    content.gsub(%r{= '.+' # PuppetSensitive;?(\\n)?$}, "= '[REDACTED]'")
-  end
-
   def ps_script_content(mode)
     self.class.ps_script_content(mode, resource, self)
   end
-
+  
   def self.ps_script_content(mode, resource, provider)
     dsc_invoke_method = mode
     @param_hash = resource
     template_name = resource.generic_dsc ? '/invoke_generic_dsc_resource.ps1.erb' : '/invoke_dsc_resource.ps1.erb'
     file = File.new(template_path + template_name, encoding: Encoding::UTF_8)
+
+    # Provide explicit local for ERB if templates refer to it
+    vendored_modules_path = self.vendored_modules_path
+
     template = ERB.new(file.read, trim_mode: '-')
-    template.result(binding)
+    template.result(binding) # binding includes: resource, provider, dsc_invoke_method, vendored_modules_path
   end
 end
