puppet 7.15.0-x86-mingw32 → 7.18.0-x86-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5ee2719e5d4ae082cb3e5f9f0487813acfcf44dc96ddbeb5fed2b009b21f9fad
-  data.tar.gz: e0ab738928ad2ff627eb22060064b02016fce0aa742eb0bd995d3cfbffd7ed2a
+  metadata.gz: be8dc793f600ac74cfb6d7bc915497078701615b665611bfa173a827115bec28
+  data.tar.gz: 439e9ec7147b6762286c967e20891056a6cac3f8924aaba80232964de8f32f01
 SHA512:
-  metadata.gz: 1a81c9e28a40988a891ca37893b0d721fa12f42c39890746837737b217bb2ecdf626ea3e822feff557557d7f54afa7b41b54d3122039ae0ddc0e9125083dc4b6
-  data.tar.gz: 8b300a0eb554107049cf1d5fb2bc73c76e6bb4ebc24500c138da1b8dd4b0b945906231e8e3a3f97ee4f9dd8ce4913b5b944eae14dcd87296aafd05e126a950f1
+  metadata.gz: 9f647ee5b374a5e0cf018a4a57e7da08ccdc85014ad0e767b02840bcac73aac410ae0098b455df04cdf9eaf37850cdf22368ec258ee81d4cdecc98ad01b18185
+  data.tar.gz: 149c2d818067d98dc89341854c608f9e45c02c62eaea024a92cf804895c455229a3f3cf7975344e1ab5334b17d7917faa903769ac1b39abc9d44f2938579d34e

data/Gemfile.lock

@@ -1,19 +1,21 @@
 GIT
   remote: https://github.com/puppetlabs/packaging
-  revision: 478623dd22de2de32bbb7b7c340a8d80c269c9f4
+  revision: 6edc2f8e4ebe3cbea96c3af9c294bcd6e2953648
   branch: 1.0.x
   specs:
-    packaging (0.106.0.20.g478623d)
+    packaging (0.107.0.9.g6edc2f8)
       apt_stage_artifacts
       artifactory (~> 3)
       csv (= 3.1.5)
+      google-cloud-storage
+      googleauth
       rake (>= 12.3)
       release-metrics
 
 PATH
   remote: .
   specs:
-    puppet (7.15.0)
+    puppet (7.18.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -31,21 +33,28 @@ GEM
     CFPropertyList (2.3.6)
     addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
-    apt_stage_artifacts (0.10.1)
+    apt_stage_artifacts (0.11.0)
       docopt
     artifactory (3.0.15)
     ast (2.4.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.9)
+    concurrent-ruby (1.1.10)
     crack (0.4.5)
       rexml
     csv (3.1.5)
+    declarative (0.0.20)
     deep_merge (1.2.2)
     diff-lcs (1.5.0)
+    digest-crc (0.6.4)
+      rake (>= 12.0.0, < 14.0.0)
     docopt (0.6.1)
-    facter (4.2.7)
+    facter (4.2.10)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
+    faraday (2.3.0)
+      faraday-net_http (~> 2.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (2.0.3)
     fast_gettext (1.1.2)
     ffi (1.15.5)
     gettext (3.2.9)
@@ -55,32 +64,71 @@ GEM
       fast_gettext (~> 1.1.0)
       gettext (>= 3.0.2, < 3.3.0)
       locale
+    google-apis-core (0.7.0)
+      addressable (~> 2.5, >= 2.5.1)
+      googleauth (>= 0.16.2, < 2.a)
+      httpclient (>= 2.8.1, < 3.a)
+      mini_mime (~> 1.0)
+      representable (~> 3.0)
+      retriable (>= 2.0, < 4.a)
+      rexml
+      webrick
+    google-apis-iamcredentials_v1 (0.13.0)
+      google-apis-core (>= 0.7, < 2.a)
+    google-apis-storage_v1 (0.18.0)
+      google-apis-core (>= 0.7, < 2.a)
+    google-cloud-core (1.6.0)
+      google-cloud-env (~> 1.0)
+      google-cloud-errors (~> 1.0)
+    google-cloud-env (1.6.0)
+      faraday (>= 0.17.3, < 3.0)
+    google-cloud-errors (1.2.0)
+    google-cloud-storage (1.37.0)
+      addressable (~> 2.8)
+      digest-crc (~> 0.4)
+      google-apis-iamcredentials_v1 (~> 0.1)
+      google-apis-storage_v1 (~> 0.1)
+      google-cloud-core (~> 1.6)
+      googleauth (>= 0.16.2, < 2.a)
+      mini_mime (~> 1.0)
+    googleauth (1.2.0)
+      faraday (>= 0.17.3, < 3.a)
+      jwt (>= 1.4, < 3.0)
+      memoist (~> 0.16)
+      multi_json (~> 1.11)
+      os (>= 0.9, < 2.0)
+      signet (>= 0.16, < 2.a)
     hashdiff (1.0.1)
-    hiera (3.8.0)
-    hiera-eyaml (3.2.2)
+    hiera (3.9.0)
+    hiera-eyaml (3.3.0)
       highline
       optimist
     highline (2.0.3)
     hocon (1.3.1)
     hpricot (0.8.6)
+    httpclient (2.8.3)
     json-schema (2.8.1)
       addressable (>= 2.4)
+    jwt (2.4.1)
     locale (2.1.3)
+    memoist (0.16.2)
     memory_profiler (1.0.0)
     method_source (1.0.0)
+    mini_mime (1.1.2)
     minitar (0.9)
-    msgpack (1.4.5)
+    msgpack (1.5.3)
     multi_json (1.15.0)
     mustache (1.1.1)
     optimist (3.0.1)
-    parallel (1.21.0)
+    os (1.1.4)
+    parallel (1.22.1)
     parser (2.7.2.0)
       ast (~> 2.4.1)
     powerpack (0.1.3)
     pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (4.0.6)
+    public_suffix (4.0.7)
     puppet-resource_api (1.8.14)
       hocon (>= 1.0)
     puppetserver-ca (2.3.6)
@@ -94,6 +142,11 @@ GEM
     release-metrics (1.1.0)
       csv
       docopt
+    representable (3.2.0)
+      declarative (< 0.1.0)
+      trailblazer-option (>= 0.1.1, < 0.2.0)
+      uber (< 0.2.0)
+    retriable (3.1.2)
     rexml (3.2.5)
     ronn (0.7.3)
       hpricot (>= 0.8.2)
@@ -111,7 +164,7 @@ GEM
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.11.0)
+    rspec-mocks (3.11.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.11.0)
     rspec-support (3.11.0)
@@ -126,10 +179,18 @@ GEM
       rubocop (~> 0.49.0)
     ruby-prof (1.4.3)
     ruby-progressbar (1.11.0)
+    ruby2_keywords (0.0.5)
     scanf (1.0.0)
     semantic_puppet (1.0.4)
+    signet (0.17.0)
+      addressable (~> 2.8)
+      faraday (>= 0.17.5, < 3.a)
+      jwt (>= 1.5, < 3.0)
+      multi_json (~> 1.10)
     text (1.3.1)
     thor (1.2.1)
+    trailblazer-option (0.1.2)
+    uber (0.1.0)
     unicode-display_width (1.8.0)
     vcr (5.1.0)
     webmock (3.14.0)
@@ -137,7 +198,7 @@ GEM
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
     webrick (1.7.0)
-    yard (0.9.27)
+    yard (0.9.28)
       webrick (~> 1.7.0)
 
 PLATFORMS
@@ -174,4 +235,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.3.8
+   2.3.10

data/ext/systemd/puppet.service

@@ -11,7 +11,7 @@
 [Unit]
 Description=Puppet agent
 Wants=basic.target
-After=basic.target network.target
+After=basic.target network.target network-online.target
 
 [Service]
 EnvironmentFile=-/etc/sysconfig/puppetagent

data/lib/puppet/agent.rb

@@ -38,26 +38,51 @@ class Puppet::Agent
   # Perform a run with our client.
   def run(client_options = {})
     if disabled?
-      Puppet.notice _("Skipping run of %{client_class}; administratively disabled (Reason: '%{disable_message}');\nUse 'puppet agent --enable' to re-enable.") % { client_class: client_class, disable_message: disable_message }
+      log_disabled_message
       return
     end
 
     result = nil
     wait_for_lock_deadline = nil
     block_run = Puppet::Application.controlled_run do
-      splay client_options.fetch :splay, Puppet[:splay]
+      # splay may sleep for awhile when running onetime! If not onetime, then
+      # the job scheduler splays (only once) so that agents assign themselves a
+      # slot within the splay interval.
+      do_splay = client_options.fetch(:splay, Puppet[:splay])
+      if do_splay
+        splay(do_splay)
+
+        if disabled?
+          log_disabled_message
+          break
+        end
+      end
+
+      # waiting for certs may sleep for awhile depending on onetime, waitforcert and maxwaitforcert!
+      # this needs to happen before forking so that if we fail to obtain certs and try to exit, then
+      # we exit the main process and not the forked child.
+      ssl_context = wait_for_certificates(client_options)
+
       result = run_in_fork(should_fork) do
         with_client(client_options[:transaction_uuid], client_options[:job_id]) do |client|
           client_args = client_options.merge(:pluginsync => Puppet::Configurer.should_pluginsync?)
           begin
+            # lock may sleep for awhile depending on waitforlock and maxwaitforlock!
             lock do
-              # NOTE: Timeout is pretty heinous as the location in which it
-              # throws an error is entirely unpredictable, which means that
-              # it can interrupt code blocks that perform cleanup or enforce
-              # sanity. The only thing a Puppet agent should do after this
-              # error is thrown is die with as much dignity as possible.
-              Timeout.timeout(Puppet[:runtimeout], RunTimeoutError) do
-                client.run(client_args)
+              if disabled?
+                log_disabled_message
+                nil
+              else
+                # NOTE: Timeout is pretty heinous as the location in which it
+                # throws an error is entirely unpredictable, which means that
+                # it can interrupt code blocks that perform cleanup or enforce
+                # sanity. The only thing a Puppet agent should do after this
+                # error is thrown is die with as much dignity as possible.
+                Timeout.timeout(Puppet[:runtimeout], RunTimeoutError) do
+                  Puppet.override(ssl_context: ssl_context) do
+                    client.run(client_args)
+                  end
+                end
               end
             end
           rescue Puppet::LockError
@@ -78,12 +103,13 @@ class Puppet::Agent
             end
           rescue RunTimeoutError => detail
             Puppet.log_exception(detail, _("Execution of %{client_class} did not complete within %{runtimeout} seconds and was terminated.") %
-              {client_class: client_class,
-              runtimeout: Puppet[:runtimeout]})
+              {client_class: client_class, runtimeout: Puppet[:runtimeout]})
             nil
           rescue StandardError => detail
             Puppet.log_exception(detail, _("Could not run %{client_class}: %{detail}") % { client_class: client_class, detail: detail })
             nil
+          ensure
+            Puppet.runtime[:http].close
           end
         end
       end
@@ -137,4 +163,14 @@ class Puppet::Agent
   ensure
     @client = nil
   end
+
+  def wait_for_certificates(options)
+    waitforcert = options[:waitforcert] || (Puppet[:onetime] ? 0 : Puppet[:waitforcert])
+    sm = Puppet::SSL::StateMachine.new(waitforcert: waitforcert, onetime: Puppet[:onetime])
+    sm.ensure_client_certificate
+  end
+
+  def log_disabled_message
+    Puppet.notice _("Skipping run of %{client_class}; administratively disabled (Reason: '%{disable_message}');\nUse 'puppet agent --enable' to re-enable.") % { client_class: client_class, disable_message: disable_message }
+  end
 end

data/lib/puppet/application/agent.rb

@@ -158,7 +158,7 @@ applying the whole thing.
 '--fingerprint' is a one-time flag. In this mode 'puppet agent' runs
 once and displays on the console (and in the log) the current certificate
 (or certificate request) fingerprint. Providing the '--digest' option
-allows to use a different digest algorithm to generate the fingerprint.
+allows you to use a different digest algorithm to generate the fingerprint.
 The main use is to verify that before signing a certificate request on
 the master, the certificate request the master received is the same as
 the one the client sent (to prevent against man-in-the-middle attacks
@@ -383,15 +383,11 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
 
       log_config if Puppet[:daemonize]
 
-      # run ssl state machine, waiting if needed
-      ssl_context = wait_for_certificates
-
       # Each application is responsible for pushing loaders onto the context.
       # Use the current environment that has already been established, though
       # it may change later during the configurer run.
       env = Puppet.lookup(:current_environment)
-      Puppet.override(ssl_context: ssl_context,
-                      current_environment: env,
+      Puppet.override(current_environment: env,
                       loaders: Puppet::Pops::Loaders.new(env, true)) do
         if Puppet[:onetime]
           onetime(daemon)
@@ -434,7 +430,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
 
   def onetime(daemon)
     begin
-      exitstatus = daemon.agent.run({:job_id => options[:job_id], :start_time => options[:start_time]})
+      exitstatus = daemon.agent.run({:job_id => options[:job_id], :start_time => options[:start_time], :waitforcert => options[:waitforcert]})
     rescue => detail
       Puppet.log_exception(detail)
     end
@@ -524,10 +520,4 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
 
     daemon
   end
-
-  def wait_for_certificates
-    waitforcert = options[:waitforcert] || (Puppet[:onetime] ? 0 : Puppet[:waitforcert])
-    sm = Puppet::SSL::StateMachine.new(waitforcert: waitforcert)
-    sm.ensure_client_certificate
-  end
 end

data/lib/puppet/application/apply.rb

@@ -241,7 +241,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
         end
 
         # Resolve all deferred values and replace them / mutate the catalog
-        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, apply_environment)
+        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, apply_environment, Puppet[:preprocess_deferred])
 
         # Translate it to a RAL catalog
         catalog = catalog.to_ral
@@ -350,7 +350,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
         raise Puppet::Error, _("Could not deserialize catalog from %{format}: %{detail}") % { format: format, detail: detail }, detail.backtrace
       end
       # Resolve all deferred values and replace them / mutate the catalog
-      Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, configured_environment)
+      Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(node.facts, catalog, configured_environment, Puppet[:preprocess_deferred])
 
       catalog.to_ral
     end

data/lib/puppet/configurer.rb

@@ -112,7 +112,7 @@ class Puppet::Configurer
     catalog_conversion_time = thinmark do
       # Will mutate the result and replace all Deferred values with resolved values
       if facts
-        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, result, Puppet.lookup(:current_environment))
+        Puppet::Pops::Evaluator::DeferredResolver.resolve_and_replace(facts, result, Puppet.lookup(:current_environment), Puppet[:preprocess_deferred])
       end
 
       catalog = result.to_ral

data/lib/puppet/defaults.rb

@@ -1534,7 +1534,7 @@ EOT
       :type => :file,
       :mode => "0640",
       :desc => "Transactional storage file for persisting data between
-        transactions for the purposes of infering information (such as
+        transactions for the purposes of inferring information (such as
         corrective_change) on new data received."
     },
     :clientyamldir => {
@@ -2021,6 +2021,16 @@ EOT
         being evaluated.  This allows you to interactively see exactly
         what is being done.",
     },
+    :preprocess_deferred => {
+      :default => true,
+      :type => :boolean,
+      :desc => "Whether puppet should call deferred functions before applying
+        the catalog. If set to `true`, then all prerequisites needed for the
+        deferred function must be satified prior to puppet running. If set to
+        `false`, then deferred functions will follow puppet relationships and
+        ordering. This allows puppet to install prerequisites needed for a
+        deferred function and call the deferred function in the same run."
+    },
     :summarize => {
         :default  => false,
         :type     => :boolean,

data/lib/puppet/http/client.rb

@@ -98,7 +98,7 @@ class Puppet::HTTP::Client
   #   used if :include_system_store is set to true
   # @param [Integer] redirect_limit default number of HTTP redirections to allow
   #   in a given request. Can also be specified per-request.
-  # @param [Integer] retry_limit number of HTTP reties allowed in a given
+  # @param [Integer] retry_limit number of HTTP retries allowed in a given
   #   request
   #
   def initialize(pool: Puppet::HTTP::Pool.new(Puppet[:http_keepalive_timeout]), ssl_context: nil, system_ssl_context: nil, redirect_limit: 10, retry_limit: 100)
@@ -300,6 +300,24 @@ class Puppet::HTTP::Client
   # @api public
   def close
     @pool.close
+    @default_ssl_context = nil
+    @default_system_ssl_context = nil
+  end
+
+  def default_ssl_context
+    cert = Puppet::X509::CertProvider.new
+    password = cert.load_private_key_password
+
+    ssl = Puppet::SSL::SSLProvider.new
+    ctx = ssl.load_context(certname: Puppet[:certname], password: password)
+    ssl.print(ctx)
+    ctx
+  rescue => e
+    # TRANSLATORS: `message` is an already translated string of why SSL failed to initialize
+    Puppet.log_exception(e, _("Failed to initialize SSL: %{message}") % { message: e.message })
+    # TRANSLATORS: `puppet agent -t` is a command and should not be translated
+    Puppet.err(_("Run `puppet agent -t`"))
+    raise e
   end
 
   protected
@@ -458,7 +476,9 @@ class Puppet::HTTP::Client
     cacerts = cert_provider.load_cacerts || []
 
     ssl = Puppet::SSL::SSLProvider.new
-    @default_system_ssl_context = ssl.create_system_context(cacerts: cacerts)
+    @default_system_ssl_context = ssl.create_system_context(cacerts: cacerts, include_client_cert: true)
+    ssl.print(@default_system_ssl_context)
+    @default_system_ssl_context
   end
 
   def apply_auth(request, basic_auth)

data/lib/puppet/info_service/task_information_service.rb

@@ -6,7 +6,7 @@ class Puppet::InfoService::TaskInformationService
     env = Puppet.lookup(:environments).get!(environment_name)
     env.modules.map do |mod|
       mod.tasks.map do |task|
-        {:module => {:name => task.module.name}, :name => task.name}
+        {:module => {:name => task.module.name}, :name => task.name, :metadata => task.metadata}
       end
     end.flatten
   end

data/lib/puppet/module/task.rb

@@ -52,6 +52,10 @@ class Puppet::Module
       return false
     end
 
+    def self.is_tasks_file?(path)
+      File.file?(path) && is_tasks_filename?(path)
+    end
+
     # Determine whether a file has a legal name for either a task's executable or metadata file.
     def self.is_tasks_filename?(path)
       name_less_extension = File.basename(path, '.*')
@@ -200,7 +204,7 @@ class Puppet::Module
 
     def self.tasks_in_module(pup_module)
       task_files = Dir.glob(File.join(pup_module.tasks_directory, '*'))
-        .keep_if { |f| is_tasks_filename?(f) }
+        .keep_if { |f| is_tasks_file?(f) }
 
       module_executables = task_files.reject(&method(:is_tasks_metadata_filename?)).map.to_a
 

data/lib/puppet/parameter.rb

@@ -177,15 +177,15 @@ class Puppet::Parameter
     end
 
     # @overload unmunge {|| ... }
-    # Defines an optional method used to convert the parameter value to DSL/string form from an internal form.
+    # Defines an optional method used to convert the parameter value from internal form to DSL/string form.
     # If an `unmunge` method is not defined, the internal form is used.
     # @see munge
-    # @note This adds a method with the name `unmunge` in the created parameter class.
+    # @note This adds a method with the name `unsafe_unmunge` in the created parameter class.
     # @dsl type
     # @api public
     #
     def unmunge(&block)
-      define_method(:unmunge, &block)
+      define_method(:unsafe_unmunge, &block)
     end
 
     # Sets a marker indicating that this parameter is the _namevar_ (unique identifier) of the type
@@ -415,10 +415,21 @@ class Puppet::Parameter
   # @return [Object] the unmunged value
   #
   def unmunge(value)
+    return value if value.is_a?(Puppet::Pops::Evaluator::DeferredValue)
+
+    unsafe_unmunge(value)
+  end
+
+  # This is the default implementation of `unmunge` that simply produces the value (if it is valid).
+  # The DSL method {unmunge} should be used to define an overriding method if unmunging is required.
+  #
+  # @api private
+  #
+  def unsafe_unmunge(value)
     value
   end
 
-  # Munges the value to internal form.
+  # Munges the value from DSL form to internal form.
   # This implementation of `munge` provides exception handling around the specified munging of this parameter.
   # @note This method should not be overridden. Use the DSL method {munge} to define a munging method
   #   if required.
@@ -426,6 +437,8 @@ class Puppet::Parameter
   # @return [Object] the munged (internal) value
   #
   def munge(value)
+    return value if value.is_a?(Puppet::Pops::Evaluator::DeferredValue)
+
     begin
       ret = unsafe_munge(value)
     rescue Puppet::Error => detail
@@ -459,6 +472,8 @@ class Puppet::Parameter
   # @api public
   #
   def validate(value)
+    return if value.is_a?(Puppet::Pops::Evaluator::DeferredValue)
+
     begin
       unsafe_validate(value)
     rescue ArgumentError => detail

data/lib/puppet/pops/evaluator/deferred_resolver.rb

@@ -3,6 +3,16 @@ require_relative '../../../puppet/parser/script_compiler'
 module Puppet::Pops
 module Evaluator
 
+class DeferredValue
+  def initialize(proc)
+    @proc = proc
+  end
+
+  def resolve
+    @proc.call
+  end
+end
+
 # Utility class to help resolve instances of Puppet::Pops::Types::PDeferredType::Deferred
 #
 class DeferredResolver
@@ -20,9 +30,9 @@ class DeferredResolver
   #  are to be mixed into the scope
   # @return [nil] does not return anything - the catalog is modified as a side effect
   #
-  def self.resolve_and_replace(facts, catalog, environment = catalog.environment_instance)
-    compiler = Puppet::Parser::ScriptCompiler.new(environment, catalog.name, true)
-    resolver = new(compiler)
+  def self.resolve_and_replace(facts, catalog, environment = catalog.environment_instance, preprocess_deferred = true)
+    compiler = Puppet::Parser::ScriptCompiler.new(environment, catalog.name, preprocess_deferred)
+    resolver = new(compiler, preprocess_deferred)
     resolver.set_facts_variable(facts)
     # TODO:
     #    # When scripting the trusted data are always local, but set them anyway
@@ -53,11 +63,12 @@ class DeferredResolver
     resolver.resolve(value)
   end
 
-  def initialize(compiler)
+  def initialize(compiler, preprocess_deferred = true)
     @compiler = compiler
     # Always resolve in top scope
     @scope = @compiler.topscope
     @deferred_class = Puppet::Pops::Types::TypeFactory.deferred.implementation_class
+    @preprocess_deferred = preprocess_deferred
   end
 
   # @param facts [Puppet::Node::Facts] the facts to set in $facts in the compiler's topscope
@@ -106,6 +117,24 @@ class DeferredResolver
     end
   end
 
+  def resolve_lazy_args(x)
+    if x.is_a?(DeferredValue)
+      x.resolve
+    elsif x.is_a?(Array)
+      x.map {|v| resolve_lazy_args(v) }
+    elsif x.is_a?(Hash)
+      result = {}
+      x.each_pair {|k,v| result[k] = resolve_lazy_args(v) }
+      result
+    elsif x.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      # rewrap in a new Sensitive after resolving any nested deferred values
+      Puppet::Pops::Types::PSensitiveType::Sensitive.new(resolve_lazy_args(x.unwrap))
+    else
+      x
+    end
+  end
+  private :resolve_lazy_args
+
   def resolve_future(f)
     # If any of the arguments to a future is a future it needs to be resolved first
     func_name = f.name
@@ -117,8 +146,19 @@ class DeferredResolver
       mapped_arguments.insert(0, @scope[var_name])
     end
 
-    # call the function (name in deferred, or 'dig' for a variable)
-    @scope.call_function(func_name, mapped_arguments)
+    if @preprocess_deferred
+      # call the function (name in deferred, or 'dig' for a variable)
+      @scope.call_function(func_name, mapped_arguments)
+    else
+      # call the function later
+      DeferredValue.new(
+        Proc.new {
+          # deferred functions can have nested deferred arguments
+          resolved_arguments = mapped_arguments.map { |arg| resolve_lazy_args(arg) }
+          @scope.call_function(func_name, resolved_arguments)
+        }
+      )
+    end
   end
 
   def map_arguments(args)

data/lib/puppet/pops/functions/dispatcher.rb

@@ -19,6 +19,10 @@ class Puppet::Pops::Functions::Dispatcher
     @dispatchers.empty?
   end
 
+  def find_matching_dispatcher(args, &block)
+    @dispatchers.find { |d| d.type.callable_with?(args, block) }
+  end
+
   # Dispatches the call to the first found signature (entry with matching type).
   #
   # @param instance [Puppet::Functions::Function] - the function to call
@@ -28,19 +32,19 @@ class Puppet::Pops::Functions::Dispatcher
   #
   # @api private
   def dispatch(instance, calling_scope, args, &block)
-    found = @dispatchers.find { |d| d.type.callable_with?(args, block) }
-    unless found
+
+    dispatcher = find_matching_dispatcher(args, &block)
+    unless dispatcher
       args_type = Puppet::Pops::Types::TypeCalculator.singleton.infer_set(block_given? ? args + [block] : args)
       raise ArgumentError, Puppet::Pops::Types::TypeMismatchDescriber.describe_signatures(instance.class.name, signatures, args_type)
     end
-
-    if found.argument_mismatch_handler?
-      msg = found.invoke(instance, calling_scope, args)
+    if dispatcher.argument_mismatch_handler?
+      msg = dispatcher.invoke(instance, calling_scope, args)
       raise ArgumentError, "'#{instance.class.name}' #{msg}"
     end
 
     catch(:next) do
-      found.invoke(instance, calling_scope, args, &block)
+      dispatcher.invoke(instance, calling_scope, args, &block)
     end
   end