Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(PUP-11846) Handle unprocessed, deferred sensitive #9064

Merged
merged 3 commits into from
Jul 6, 2023
Merged

(PUP-11846) Handle unprocessed, deferred sensitive #9064

merged 3 commits into from
Jul 6, 2023

Conversation

m0dular
Copy link
Contributor

@m0dular m0dular commented Jun 5, 2023

Prior to this commit, evaluating a deferred resource that includes a Sensitive value would fail during munging. This commit marks these resources as sensitive and unwraps them during catalog application.

@m0dular m0dular requested a review from a team as a code owner June 5, 2023 23:54
@joshcooper joshcooper mentioned this pull request Jun 29, 2023
Closed
@natemccurdy
Copy link
Contributor

Looks like this does solve the problem from PUP-11846.

~/src/puppetlabs/puppet [PUP-11846 ?2]$ cat reproduce-PUP-11846.pp                                                                                                                     $secret = Deferred('new', [Sensitive, "hello world\n"])
file { '/tmp/test.txt':
  ensure  => 'file',
  content => $secret,
}

 ~/src/puppetlabs/puppet  PUP-11846 ?2  be puppet apply reproduce-PUP-11846.pp
Notice: Compiled catalog for adot.local in environment production in 0.02 seconds
Notice: Applied catalog in 0.01 seconds

 ~/src/puppetlabs/puppet  PUP-11846 ?2  git co main
Switched to branch 'main'
Your branch is up to date with 'origin/main'.
 ~/src/puppetlabs/puppet  main ?2  bundle install >/dev/null && bundle update >/dev/null
 ~/src/puppetlabs/puppet  main ?2  be puppet apply reproduce-PUP-11846.pp
Notice: Compiled catalog for adot.local in environment production in 0.01 seconds
Error: Failed to apply catalog: Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

@natemccurdy
Copy link
Contributor

@m0dular Thanks for the patch. Do you think you'd be able to add spec tests for this?

@joshcooper
Copy link
Contributor

Ah I'm working on specs, so don't worry about that part.

joshcooper
joshcooper reviewed Jun 30, 2023
View reviewed changes
lib/puppet/pops/evaluator/deferred_resolver.rb Outdated
# If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
# The DeferredValue.resolve method will unwrap it during catalog application
elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)
if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)} and not r.sensitive_parameters.include?(k.to_sym)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One tricky issue is deferred values can nest like:

puppet/spec/unit/pops/evaluator/deferred_resolver_spec.rb

Lines 35 to 38 in c4c07ee

$args = Deferred("inline_epp", ["<%= 'a,b,c' %>"])
notify { "deferred":
message => Deferred("split", [$args, ","])
}

puppet/spec/unit/functions/call_spec.rb

Lines 115 to 118 in c4c07ee

function my_split(Hash $hashy, Array[Sensitive] $sensy) { split($hashy['key'][0], $sensy[0].unwrap |$x| {$x}) }
$d = Deferred('my_split', [ {'key' => [Deferred('test::abc')]}, [Sensitive(Deferred('test::dash'))]])
$a = $d.call()
notify { $a[0]: }

I think this will approach will still work (?) as the resolve_futures method is called recursively with each DeferredValue and if any of them have PSensitiveType arguments, then the overall parameter will be marked as sensitive (but only marked once). But I'd like to write a test to confirm that happens.

m0dular and others added 3 commits July 5, 2023 18:59
@m0dular @joshcooper
(PUP-11846) Handle unprocessed, deferred sensitive
b92e4d3 
Prior to this commit, evaluating a deferred resource that includes a
Sensitive value would fail during munging.  This commit marks these
resources as sensitive and unwraps them during catalog application.
@joshcooper
(PUP-11846) Add test for Deferred(Sensitive) file content
198eec9
@joshcooper
(PUP-11846) Refactor marking sensitive parameters
274aa08
@joshcooper joshcooper changed the base branch from main to 7.x July 6, 2023 02:00
@joshcooper
Copy link
Contributor

I rebased the PR onto 7.x and added tests. This will also get merged to puppet#main automatically.

@joshcooper
Copy link
Contributor

Have to close and reopen to rekick GH actions with the correct matrix

@joshcooper joshcooper closed this Jul 6, 2023
@joshcooper joshcooper reopened this Jul 6, 2023
@joshcooper joshcooper merged commit 52849da into puppetlabs:7.x Jul 6, 2023
21 checks passed
@coreymbe coreymbe mentioned this pull request Aug 17, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshcooper joshcooper joshcooper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@m0dular @natemccurdy @joshcooper