PDK-1091 (Puppet Development Kit)

Remove Sensitive data from all log messages

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Team: Network Automation
    • Method Found: Needs Assessment
    • QA Risk Assessment: Needs Assessment

      Description

      When evaluating types in the Resource API, we need to detect when the top-level Puppet 4 data type is Sensitive (see https://puppet.com/docs/puppet/4.9/lang_data_sensitive.html) and deal with wrapped data being passed back and forth.

      Likely we want to pass through the wrapped Ruby representation of sensitive data to the provider, so that the provider is protected from accidental information leakage until the provider actually requires it. The problem here is that Puppet seems to already unwrap the value before pushing it to the type:

      $ bundle exec puppet apply --verbose --trace --strict=error --modulepath spec/fixtures --debug -e "test_sensitive { bar: secret => Sensitive('foo') }"
      [...]
      Error: Parameter secret failed on Test_sensitive[bar]: test_sensitive.secret expects a Sensitive value, got String
      /home/david/git/puppet-resource_api/lib/puppet/resource_api.rb:610:in `validate'
      /home/david/git/puppet-resource_api/lib/puppet/resource_api.rb:528:in `mungify'
      /home/david/git/puppet-resource_api/lib/puppet/resource_api.rb:218:in `block (4 levels) in register_type'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/property.rb:598:in `value='
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/type.rb:675:in `[]='
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/type.rb:2486:in `block in set_parameters'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/type.rb:2480:in `each'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/type.rb:2480:in `set_parameters'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/type.rb:2395:in `initialize'
      /home/david/git/puppet-resource_api/lib/puppet/resource_api.rb:101:in `block (2 levels) in register_type'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/resource.rb:460:in `new'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/resource.rb:460:in `to_ral'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/resource/catalog.rb:625:in `block in to_catalog'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/resource/catalog.rb:617:in `each'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/resource/catalog.rb:617:in `to_catalog'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/resource/catalog.rb:498:in `to_ral'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/application/apply.rb:269:in `block in main'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/context.rb:65:in `override'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet.rb:263:in `override'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/application/apply.rb:233:in `main'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/application/apply.rb:174:in `run_command'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/application.rb:358:in `block in run'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/util.rb:666:in `exit_on_fail'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/application.rb:358:in `run'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/util/command_line.rb:132:in `run'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/lib/puppet/util/command_line.rb:72:in `execute'
      /home/david/gems/ruby/2.5.0/bundler/gems/puppet-373c19129bb7/bin/puppet:5:in `<top (required)>'
      /home/david/gems/ruby/2.5.0/bin/puppet:23:in `load'
      /home/david/gems/ruby/2.5.0/bin/puppet:23:in `<main>'
      

      See https://github.com/DavidS/puppet-resource_api/tree/sensitive-exploration for example tests showing the problem.

      Possible approach to solving this:

      • detect a Sensitive type in the definition, and automatically ensure it is wrapped (Puppet::Pops::Types::PSensitiveType::Sensitive.new(value)) before passing it on to set.
        We'll also have to make sure returning Sensitive from get also works as intended.
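
The approach above, sketched as an added example that is not code from puppet-resource_api: values for attributes declared with a top-level Sensitive type are re-wrapped before they reach `set` or a log message. The `Sensitive` class is a stand-in for `Puppet::Pops::Types::PSensitiveType::Sensitive` so the block runs without the puppet gem; `DEFINITION`, `sensitive_type?`, `wrap_sensitive` and `log_line` are hypothetical names.

```ruby
# Stand-in for Puppet::Pops::Types::PSensitiveType::Sensitive so the example
# runs without the puppet gem; like the real class it redacts to_s and inspect.
class Sensitive
  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  def to_s
    'Sensitive [value redacted]'
  end

  def inspect
    "#<#{self}>"
  end
end

# Constructed type definition in the Resource API attribute-hash style.
DEFINITION = {
  name: 'test_sensitive',
  attributes: {
    name: { type: 'String' },
    secret: { type: 'Sensitive[String]' },
  },
}.freeze

# Hypothetical helper: true when the declared top-level type is Sensitive.
def sensitive_type?(type_string)
  type_string.match?(/\ASensitive\b/)
end

# Hypothetical helper: wrap values that arrived already unwrapped, and pass
# through values that are still wrapped (e.g. returned from get), so the hash
# handed on to set never carries the plaintext.
def wrap_sensitive(definition, values)
  values.each_with_object({}) do |(attr, value), out|
    declared = definition[:attributes].fetch(attr)[:type]
    wrap = sensitive_type?(declared) && !value.nil? && !value.is_a?(Sensitive)
    out[attr] = wrap ? Sensitive.new(value) : value
  end
end

# Hypothetical debug-log formatter: only the wrapped hash is ever inspected.
def log_line(definition, values)
  "Setting #{definition[:name]} with #{wrap_sensitive(definition, values).inspect}"
end
```

The provider calls `unwrap` only at the point where it needs the plaintext.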

      People

      • Assignee: David Schmitt (david.schmitt)
      • Reporter: David Schmitt (david.schmitt)
      • Votes: 1
      • Watchers: 8