MODULES-8856

dsc: credentials should be redacted

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: dsc, dsc_lite
    • Labels:
      None
    • Template:
      MODULES Bug Template
    • Team:
      Windows
    • Story Points:
      1
    • Sprint:
      Windows 2019-04-17
    • Method Found:
      Needs Assessment
    • Zendesk Ticket IDs:
      35043
    • Zendesk Ticket Count:
      1
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: dsc and dsc-lite
      Puppet Version: 5.5.x and up
      OS Name/Version: Windows

      The DSC and DSC-lite modules both evaluate an ERB script containing PowerShell and in the process interpolate credentials needed to manage resources such as the dsc_user. However, when running with puppet agent -td, the PowerShell script with interpolated credentials is output to the console and captured in the report. For example, given the manifest:

      dsc_user { 'jane-doe':
        dsc_username             => 'jane-doe',
        dsc_description          => 'Jane Doe user',
        dsc_ensure               => present,
        dsc_password             => {
          'user' => 'jane-doe',
          'password' => Sensitive('jane-password')
        },
        dsc_passwordneverexpires => false,
        dsc_disabled             => true,
      }
      

      results in:

      C:\> puppet apply --debug manifest.pp
      ...
         password = [PSCustomObject]@{'user' = 'jane-doe'; 'password' = 'jane-password'} | new-pscredential
      

      We should not expose credentials, which I think realistically means we shouldn't emit the PowerShell script to stdout/console.
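
One way to keep the interpolated credential out of debug output, shown as an added example (not the dsc or dsc_lite module's own code): log a redacted copy of the generated script while the original is what gets executed. The names `redact_script`, `secrets`, `PASSWORD_FIELD` and the sample script are assumptions made for illustration.

```ruby
# Added example, not the dsc module's code: scrub secrets from a generated
# PowerShell script before it is written to debug logs or reports.
REDACTED = '[REDACTED]'.freeze

# PowerShell single-quoted string literal; '' is an escaped quote inside it.
PS_STRING = /'(?:[^']|'')*'/

# 'password' = '<value>' as it appears in the hashtable on the debug line above.
PASSWORD_FIELD = /('password'\s*=\s*)#{PS_STRING}/i

# script  - PowerShell text about to be logged (the executed copy is untouched)
# secrets - plaintext values unwrapped from Sensitive parameters (assumed to be
#           known to the caller at interpolation time)
def redact_script(script, secrets = [])
  redacted = script.dup
  secrets.map(&:to_s).reject(&:empty?).each do |secret|
    # Replace the single-quote-escaped form first, then the raw value.
    [secret.gsub("'", "''"), secret].uniq.each do |form|
      redacted.gsub!(form, REDACTED)
    end
  end
  # Fallback for credential hashtables whose value the caller did not list.
  redacted.gsub(PASSWORD_FIELD) { "#{Regexp.last_match(1)}'#{REDACTED}'" }
end

# Constructed sample modelled on the debug output in the report.
SAMPLE = <<~PS.freeze
  password = [PSCustomObject]@{'user' = 'jane-doe'; 'password' = 'jane-password'} | new-pscredential
  description = 'Jane Doe user'
PS

puts redact_script(SAMPLE, ['jane-password']) if $PROGRAM_NAME == __FILE__
```

Value-based replacement is the dependable path because it does not rely on the script's layout; the pattern fallback only covers the `'password' = '...'` hashtable form shown in this report.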


              People

              Assignee:
              michael.lombardi Michael Lombardi
              Reporter:
              josh Josh Cooper