Puppet / PUP-10092

Support concatenating sensitive values

    Details

    • Type: Improvement
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Team:
      Coremunity
    • QA Risk Assessment:
      Needs Assessment

      Description

      The compiler evaluates interpolated sensitive values differently than non-interpolated ones, which is surprising:

      $secret = Sensitive('s3cret')
      notify { 'a': message => $secret }
      notify { 'b': message => "${secret}" }
      

      The first resource evaluates to:

            "parameters": {
              "message": "s3cret"
            },
            "sensitive_parameters": [
              "message"
            ]
      

      While the second evaluates to:

            "parameters": {
              "message": "Sensitive [value redacted]"
            }
      

      Note the second one is lossy, as we no longer know what the original value was.

      It would be preferable for the compiler to retain the sensitive data type during interpolation (when evaluating the concatenate expression). So for example "foo $secret" would produce a sensitive value whose unwrapped value was "foo s3cret".

              People

              Assignee: Unassigned
              Reporter: Josh Cooper
              Votes: 0
              Watchers: 5
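
The two behaviours in the description, side by side, as an added example in Ruby. It is a simplified model, not code from the ticket or from Puppet. The names `SensitiveModel`, `interpolate_lossy`, `interpolate_preserving` and `catalog_entry` are hypothetical.

```ruby
# Simplified model of a sensitive wrapper. Class and function names are
# hypothetical and are not Puppet's internal API.
class SensitiveModel
  REDACTED = 'Sensitive [value redacted]'

  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  # String conversion never reveals the wrapped value.
  def to_s
    REDACTED
  end
  alias inspect to_s
end

# Behaviour reported in the ticket: interpolation stringifies each part, so
# the secret is replaced by the redaction marker and a plain String results.
def interpolate_lossy(*parts)
  parts.map(&:to_s).join
end

# Behaviour requested in the ticket: if any part is sensitive, join the
# unwrapped values and wrap the result so sensitivity is retained.
def interpolate_preserving(*parts)
  tainted = parts.any? { |p| p.is_a?(SensitiveModel) }
  joined = parts.map { |p| p.is_a?(SensitiveModel) ? p.unwrap : p.to_s }.join
  tainted ? SensitiveModel.new(joined) : joined
end

# Lay out resource parameters like the catalog fragments in the ticket:
# sensitive values are listed by name under "sensitive_parameters".
def catalog_entry(params)
  sensitive = params.select { |_, v| v.is_a?(SensitiveModel) }.keys
  plain = params.transform_values { |v| v.is_a?(SensitiveModel) ? v.unwrap : v }
  entry = { 'parameters' => plain }
  entry['sensitive_parameters'] = sensitive unless sensitive.empty?
  entry
end

secret = SensitiveModel.new('s3cret') # sample value taken from the ticket
puts catalog_entry('message' => interpolate_lossy('foo ', secret)).inspect
puts catalog_entry('message' => interpolate_preserving('foo ', secret)).inspect
```

In the lossy case the catalog entry carries no `sensitive_parameters` key, so nothing downstream can tell the parameter was derived from a secret.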
