Merge pull request #9064 from m0dular/PUP-11846
(PUP-11846) Handle unprocessed, deferred sensitive
joshcooper committed Jul 6, 2023
2 parents c8bba06 + 274aa08 commit 52849da
Showing 2 changed files with 34 additions and 3 deletions.
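--- a/lib/puppet/pops/evaluator/deferred_resolver.rb
+++ b/lib/puppet/pops/evaluator/deferred_resolver.rb
@@ -9,7 +9,13 @@ def initialize(proc)
 end
 
 def resolve
-@proc.call
+val = @proc.call
+# Deferred sensitive values will be marked as such in resolve_futures()
+if val.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+val.unwrap
+else
+val
+end
 end
 end
 
@@ -87,8 +93,12 @@ def resolve_futures(catalog)
 #
 if resolved.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
 resolved = resolved.unwrap
-unless r.sensitive_parameters.include?(k.to_sym)
-r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
+mark_sensitive_parameters(r, k)
+# If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
+# The DeferredValue.resolve method will unwrap it during catalog application
+elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)
+if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)}
+mark_sensitive_parameters(r, k)
 end
 end
 overrides[ k ] = resolved
@@ -97,6 +107,13 @@ def resolve_futures(catalog)
 end
 end
 
+def mark_sensitive_parameters(r, k)
+unless r.sensitive_parameters.include?(k.to_sym)
+r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
+end
+end
+private :mark_sensitive_parameters
+
 def resolve(x)
 if x.class == @deferred_class
 resolve_future(x)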
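Review bot: `DeferredValue#resolve` now unwraps every `Sensitive` result, but `resolve_futures` marks the parameter only when one of `v.arguments` is the `PSensitiveType` type itself, so a lazily resolved Deferred that yields a Sensitive some other way (a function that wraps its own return value, or an argument that is already a `Sensitive` instance) would be unwrapped at apply time without `sensitive_parameters` being updated, and its cleartext could then show up in logs and reports. The comment added in `resolve` promises more than the visible code delivers; I would reword it to `# Only Deferreds with a Sensitive type argument are marked in resolve_futures(); any other Sensitive result is unwrapped here unmarked`. A partial widening of the check is `v.arguments.any? { |arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType) || arg.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive) }`; covering the return-value case needs the resource and parameter name to be reachable from `DeferredValue`, which these hunks do not show. `resolve_futures` starts and ends outside the hunk, so I am assuming `v` is always the Deferred that produced `resolved`.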
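--- a/spec/integration/application/apply_spec.rb
+++ b/spec/integration/application/apply_spec.rb
@@ -755,5 +755,19 @@ def bogus()
 .and output(/Notify\[runs before file\]/).to_stdout
 .and output(/Validation of File.* failed: You cannot specify more than one of content, source, target/).to_stderr
 end
+
+it "applies deferred sensitive file content" do
+manifest = <<~END
+file { '#{deferred_file}':
+ensure => file,
+content => Deferred('new', [Sensitive, "hello\n"])
+}
+END
+apply.command_line.args = ['-e', manifest]
+expect {
+apply.run
+}.to exit_with(0)
+.and output(/ensure: changed \[redacted\] to \[redacted\]/).to_stdout
+end
 end
 end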
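Review bot: The new example asserts only the exit code and the `[redacted]` log line, so it would still pass if the file were written with the wrong content or if the secret were also printed elsewhere in the output. After the `expect { apply.run }` block I would add `expect(File.read(deferred_file)).to eq("hello\n")`, and capture stdout and stderr to check that neither contains `hello`. The spec also covers only the `Deferred('new', [Sensitive, ...])` shape. A second example in which the deferred call returns a Sensitive without a `Sensitive` type argument would document how that path is redacted, or that it is not.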
