From b92e4d35cc1bc38777b5df0c81d543cd46b73565 Mon Sep 17 00:00:00 2001
From: Adrian Parreiras Horta <sensei.loafage@gmail.com>
Date: Mon, 5 Jun 2023 16:51:27 -0700
Subject: [PATCH 1/3] (PUP-11846) Handle unprocessed, deferred sensitive

Prior to this commit, evaluating a deferred resource that includes a
Sensitive value would fail during munging.  This commit marks these
resources as sensitive and unwraps them during catalog application.
---
 lib/puppet/pops/evaluator/deferred_resolver.rb | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/puppet/pops/evaluator/deferred_resolver.rb b/lib/puppet/pops/evaluator/deferred_resolver.rb
index 8bcc89237df..070fba54598 100644
--- a/lib/puppet/pops/evaluator/deferred_resolver.rb
+++ b/lib/puppet/pops/evaluator/deferred_resolver.rb
@@ -9,7 +9,13 @@ def initialize(proc)
   end
 
   def resolve
-    @proc.call
+    val = @proc.call
+    # Deferred sensitive values will be marked as such in resolve_futures()
+    if val.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      val.unwrap
+    else
+      val
+    end
   end
 end
 
@@ -90,6 +96,12 @@ def resolve_futures(catalog)
           unless r.sensitive_parameters.include?(k.to_sym)
             r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
           end
+        # If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
+        # The DeferredValue.resolve method will unwrap it during catalog application
+        elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)
+          if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)} and not r.sensitive_parameters.include?(k.to_sym)
+            r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
+          end
         end
         overrides[ k ] = resolved
       end

From 198eec9a0c59ca7fe27805bb90afd39e4d9f3bbc Mon Sep 17 00:00:00 2001
From: Josh Cooper <joshcooper@users.noreply.github.com>
Date: Wed, 28 Jun 2023 23:34:14 -0700
Subject: [PATCH 2/3] (PUP-11846) Add test for Deferred(Sensitive) file content

---
 spec/integration/application/apply_spec.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/spec/integration/application/apply_spec.rb b/spec/integration/application/apply_spec.rb
index 87415157a24..cedeb0ed717 100644
--- a/spec/integration/application/apply_spec.rb
+++ b/spec/integration/application/apply_spec.rb
@@ -755,5 +755,19 @@ def bogus()
         .and output(/Notify\[runs before file\]/).to_stdout
         .and output(/Validation of File.* failed: You cannot specify more than one of content, source, target/).to_stderr
     end
+
+    it "applies deferred sensitive file content" do
+      manifest = <<~END
+      file { '#{deferred_file}':
+        ensure => file,
+        content => Deferred('new', [Sensitive, "hello\n"])
+      }
+      END
+      apply.command_line.args = ['-e', manifest]
+      expect {
+        apply.run
+      }.to exit_with(0)
+        .and output(/ensure: changed \[redacted\] to \[redacted\]/).to_stdout
+    end
   end
 end

From 274aa08c032554af00564284d84514c0e3b23928 Mon Sep 17 00:00:00 2001
From: Josh Cooper <joshcooper@users.noreply.github.com>
Date: Wed, 28 Jun 2023 23:34:50 -0700
Subject: [PATCH 3/3] (PUP-11846) Refactor marking sensitive parameters

---
 lib/puppet/pops/evaluator/deferred_resolver.rb | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/lib/puppet/pops/evaluator/deferred_resolver.rb b/lib/puppet/pops/evaluator/deferred_resolver.rb
index 070fba54598..c36b3697cc0 100644
--- a/lib/puppet/pops/evaluator/deferred_resolver.rb
+++ b/lib/puppet/pops/evaluator/deferred_resolver.rb
@@ -93,14 +93,12 @@ def resolve_futures(catalog)
         #
         if resolved.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
           resolved = resolved.unwrap
-          unless r.sensitive_parameters.include?(k.to_sym)
-            r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
-          end
+          mark_sensitive_parameters(r, k)
         # If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
         # The DeferredValue.resolve method will unwrap it during catalog application
         elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)
-          if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)} and not r.sensitive_parameters.include?(k.to_sym)
-            r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
+          if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)}
+            mark_sensitive_parameters(r, k)
           end
         end
         overrides[ k ] = resolved
@@ -109,6 +107,13 @@ def resolve_futures(catalog)
     end
   end
 
+  def mark_sensitive_parameters(r, k)
+    unless r.sensitive_parameters.include?(k.to_sym)
+      r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
+    end
+  end
+  private :mark_sensitive_parameters
+
   def resolve(x)
     if x.class == @deferred_class
       resolve_future(x)