Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10511

Sensitive data type is lost when declaring multiple resources using title arrays

    XMLWordPrintable

    Details

    • Template:
      PUP Bug Template
    • Team:
      Night's Watch
    • Story Points:
      3
    • Sprint:
      NW - 2020-06-10, NW - 2020-06-24
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      This commit is fixing support of sensitive data type parameters when declaring multiple resources using title arrays
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 6.15.0, 5.5.20
      Puppet Server Version: N/A
      OS Name/Version: N/A

      When multiple resources are declared using an array of titles, the type information for Sensitive parameters is lost. This results in type validation errors if a resource declares a data type such as Sensitive[String]

      Install Puppet 6 on CentOS 7 and create a defined type with a password parameter declared to be Sensitive[String]:

      mkdir -p /etc/puppetlabs/code/environments/production/modules/test_mod/manifests
       
      cat <<'EOF' > /etc/puppetlabs/code/environments/production/modules/test_mod/manifests/service.pp
      define test_mod::service(
        Sensitive[String] $password,
      ){
        notify{"${title} ${password}": }
      }
      EOF
      

      Attempt to apply the following manifest:

      test_mod::service { ["ServiceA","ServiceB"]:
        password => Sensitive("password")
      }
      

      Desired Behavior:

      Output matches individual resources declared in a loop:

      # puppet apply <<'EOF'
      each(["ServiceA","ServiceB"] ) |String $svc_name| {
        test_mod::service { $svc_name:
          password => Sensitive("password")
        }
      }
      EOF
       
      Notice: Compiled catalog for olde-pacemaker.delivery.puppetlabs.net in environment production in 0.02 seconds
      Notice: ServiceA Sensitive [value redacted]
      Notice: /Stage[main]/Main/Test_mod::Service[ServiceA]/Notify[ServiceA Sensitive [value redacted]]/message: defined 'message' as 'ServiceA Sensitive [value redacted]'
      Notice: ServiceB Sensitive [value redacted]
      Notice: /Stage[main]/Main/Test_mod::Service[ServiceB]/Notify[ServiceB Sensitive [value redacted]]/message: defined 'message' as 'ServiceB Sensitive [value redacted]'
      Notice: Applied catalog in 0.01 seconds
      

      Actual Behavior:

      Compilation fails when defining the second resource as password has been coerced to a String:

      # puppet apply <<'EOF'
      test_mod::service { ["ServiceA","ServiceB"]:
        password => Sensitive("password")
      }
      EOF
       
      Error: Test_mod::Service[ServiceB]: parameter 'password' expects a Sensitive[String] value, got String on node olde-pacemaker.delivery.puppetlabs.net
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              ciprian.badescu Ciprian Badescu
              Reporter:
              chuck Charlie Sharpsteen
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support