-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(PUP-11846) Handle unprocessed, deferred sensitive #9064
Conversation
Looks like this does solve the problem from PUP-11846.
|
@m0dular Thanks for the patch. Do you think you'd be able to add spec tests for this? |
Ah I'm working on specs, so don't worry about that part. |
# If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive | ||
# The DeferredValue.resolve method will unwrap it during catalog application | ||
elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue) | ||
if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)} and not r.sensitive_parameters.include?(k.to_sym) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One tricky issue is deferred values can nest like:
puppet/spec/unit/pops/evaluator/deferred_resolver_spec.rb
Lines 35 to 38 in c4c07ee
$args = Deferred("inline_epp", ["<%= 'a,b,c' %>"]) | |
notify { "deferred": | |
message => Deferred("split", [$args, ","]) | |
} |
puppet/spec/unit/functions/call_spec.rb
Lines 115 to 118 in c4c07ee
function my_split(Hash $hashy, Array[Sensitive] $sensy) { split($hashy['key'][0], $sensy[0].unwrap |$x| {$x}) } | |
$d = Deferred('my_split', [ {'key' => [Deferred('test::abc')]}, [Sensitive(Deferred('test::dash'))]]) | |
$a = $d.call() | |
notify { $a[0]: } |
I think this will approach will still work (?) as the resolve_futures
method is called recursively with each DeferredValue
and if any of them have PSensitiveType
arguments, then the overall parameter will be marked as sensitive (but only marked once). But I'd like to write a test to confirm that happens.
Prior to this commit, evaluating a deferred resource that includes a Sensitive value would fail during munging. This commit marks these resources as sensitive and unwraps them during catalog application.
I rebased the PR onto 7.x and added tests. This will also get merged to puppet#main automatically. |
Have to close and reopen to rekick GH actions with the correct matrix |
Prior to this commit, evaluating a deferred resource that includes a Sensitive value would fail during munging. This commit marks these resources as sensitive and unwraps them during catalog application.