@@ -9,7 +9,13 @@ def initialize(proc)
99 end
1010
1111 def resolve
12- @proc . call
12+ val = @proc . call
13+ # Deferred sensitive values will be marked as such in resolve_futures()
14+ if val . is_a? ( Puppet ::Pops ::Types ::PSensitiveType ::Sensitive )
15+ val . unwrap
16+ else
17+ val
18+ end
1319 end
1420end
1521
@@ -87,8 +93,12 @@ def resolve_futures(catalog)
8793 #
8894 if resolved . is_a? ( Puppet ::Pops ::Types ::PSensitiveType ::Sensitive )
8995 resolved = resolved . unwrap
90- unless r . sensitive_parameters . include? ( k . to_sym )
91- r . sensitive_parameters = ( r . sensitive_parameters + [ k . to_sym ] ) . freeze
96+ mark_sensitive_parameters ( r , k )
97+ # If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
98+ # The DeferredValue.resolve method will unwrap it during catalog application
99+ elsif resolved . is_a? ( Puppet ::Pops ::Evaluator ::DeferredValue )
100+ if v . arguments . any? { |arg | arg . is_a? ( Puppet ::Pops ::Types ::PSensitiveType ) }
101+ mark_sensitive_parameters ( r , k )
92102 end
93103 end
94104 overrides [ k ] = resolved
@@ -97,6 +107,13 @@ def resolve_futures(catalog)
97107 end
98108 end
99109
110+ def mark_sensitive_parameters ( r , k )
111+ unless r . sensitive_parameters . include? ( k . to_sym )
112+ r . sensitive_parameters = ( r . sensitive_parameters + [ k . to_sym ] ) . freeze
113+ end
114+ end
115+ private :mark_sensitive_parameters
116+
100117 def resolve ( x )
101118 if x . class == @deferred_class
102119 resolve_future ( x )
0 commit comments