Merge branch 'main' into main

Author: danadoherty639

Gemfile

@@ -37,7 +37,7 @@ group :development do
 end
 group :development, :release_prep do
   gem "puppet-strings", '~> 4.0',         require: false
-  gem "puppetlabs_spec_helper", '~> 7.0', require: false
+  gem "puppetlabs_spec_helper", '~> 8.0', require: false
 end
 group :system_tests do
   gem "puppet_litmus", '~> 1.0',   require: false, platforms: [:ruby, :x64_mingw]

lib/puppet/provider/dsc_base_provider/dsc_base_provider.rb

@@ -794,7 +794,7 @@ def prepare_credentials(resource)
       variable_name = random_variable_name
       credential_hash = {
         'user' => property_hash[:value]['user'],
-        'password' => escape_quotes(property_hash[:value]['password'].unwrap)
+        'password' => escape_quotes(unwrap_string(property_hash[:value]['password']))
       }
       credentials_block << format_pscredential(variable_name, credential_hash)
       instantiated_variables.merge!(variable_name => credential_hash)
@@ -899,7 +899,7 @@ def format_ciminstance(variable_name, class_name, property_hash)
   #
   # @param resource [Hash] a hash with the information needed to run `Invoke-DscResource`
   # @return [String] A string representing the PowerShell definition of the InvokeParams hash
-  def invoke_params(resource)
+  def invoke_params(resource) # rubocop:disable Metrics/MethodLength
     params = {
       Name: resource[:dscmeta_resource_friendly_name],
       Method: resource[:dsc_invoke_method],
@@ -917,6 +917,10 @@ def invoke_params(resource)
       params[:ModuleName] = resource[:dscmeta_module_name]
     end
     resource[:parameters].each do |property_name, property_hash|
+      # ignore dsc_timeout, since it is only used to specify the powershell command timeout
+      # and timeout itself is not a parameter to the DSC resource
+      next if property_name == :dsc_timeout
+
       # strip dsc_ from the beginning of the property name declaration
       name = property_name.to_s.gsub(/^dsc_/, '').to_sym
       params[:Property][name] = case property_hash[:mof_type]
@@ -925,7 +929,7 @@ def invoke_params(resource)
                                   # the Credential hash interpolable as it will be replaced by a variable reference.
                                   {
                                     'user' => property_hash[:value]['user'],
-                                    'password' => escape_quotes(property_hash[:value]['password'].unwrap)
+                                    'password' => escape_quotes(unwrap_string(property_hash[:value]['password']))
                                   }
                                 when 'DateTime'
                                   # These have to be handled specifically because they rely on the *Puppet* DateTime,
@@ -1018,6 +1022,31 @@ def unwrap(value)
     end
   end
 
+  # Unwrap sensitive strings and handle string
+  #
+  # @param value [Object] The object to unwrap sensitive data inside of
+  # @return [Object] The object with any sensitive strings unwrapped
+  def unwrap_string(value)
+    case value
+    when Puppet::Pops::Types::PSensitiveType::Sensitive
+      value.unwrap
+    when Hash
+      unwrapped = {}
+      value.each do |k, v|
+        unwrapped[k] = unwrap_string(v)
+      end
+      unwrapped
+    when Array
+      unwrapped = []
+      value.each do |v|
+        unwrapped << unwrap_string(v)
+      end
+      unwrapped
+    else
+      value
+    end
+  end
+
   # Escape any nested single quotes in a Sensitive string
   #
   # @param text [String] the text to escape

spec/unit/puppet/provider/dsc_base_provider/dsc_base_provider_spec.rb

@@ -439,7 +439,7 @@
           mof_is_embedded: false
         },
         dsc_psdscrunascredential: {
-          type: 'Optional[Struct[{ user => String[1], password => Sensitive[String[1]] }]]',
+          type: 'Optional[Struct[{ user => String[1], password => Variant[String[1], Sensitive[String[1]]] }]]',
           behaviour: :parameter,
           mandatory_for_get: false,
           mandatory_for_set: false,
@@ -906,7 +906,7 @@
             mof_is_embedded: false
           },
           dsc_psdscrunascredential: {
-            type: 'Optional[Struct[{ user => String[1], password => Sensitive[String[1]] }]]',
+            type: 'Optional[Struct[{ user => String[1], password => Variant[String[1], Sensitive[String[1]]] }]]',
             desc: 'The Credential to run DSC under',
             behaviour: :parameter,
             mandatory_for_get: false,
@@ -1572,6 +1572,8 @@
       let(:test_resource) { base_resource.merge(additional_parameters) }
 
       before do
+        allow(Puppet::Pops::Types::PSensitiveType::Sensitive).to receive(:===).with(foo_password).and_return(true)
+        allow(Puppet::Pops::Types::PSensitiveType::Sensitive).to receive(:===).with(bar_password).and_return(true)
         allow(foo_password).to receive(:unwrap).and_return('foo')
         allow(bar_password).to receive(:unwrap).and_return('bar')
       end
@@ -1811,6 +1813,11 @@
           "$InvokeParams = @{Name = 'Foo'; Method = 'Get'; Property = @{credential = $SomeCredential}; ModuleName = 'PuppetDsc'}"
         end
 
+        before do
+          allow(Puppet::Pops::Types::PSensitiveType::Sensitive).to receive(:===).with(password).and_return(true)
+          allow(password).to receive(:unwrap).and_return('bar')
+        end
+
         it 'unwraps the credential hash and interpolates the appropriate variable' do
           expect(password).to receive(:unwrap).and_return('FooPassword')
           expect(provider).to receive(:interpolate_variables).with(formatted_param_hash).and_return(variable_interpolated_param_hash)