Puppet: PUP-10612

Wrap values in Sensitive in eyaml_lookup_key


    Details

    • Type: New Feature
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Functions, Hiera & Lookup
    • Labels:
      None
    • Template:
    • QA Risk Assessment:
      Needs Assessment

      Description

      Values looked up with eyaml_lookup_key are returned as plain strings, so they appear unredacted in the console, in reports and so on. To prevent this the values should be wrapped in the Sensitive type. Currently automatic class parameter lookup fails when the parameter is of type Sensitive[String] and the looked-up value is of type String. This leads people to suggest manually converting each sensitive value to the Sensitive type via lookup_options:

      lookup_options:
        '^profile::.+::sensitive_\w+$':
          convert_to: 'Sensitive'

      While this kind of does the job, it's fragile and repetitious. While I can imagine a use case where someone would want encrypted values revealed in diffs, I'd guess that for most use cases the value looked up by eyaml_lookup_key should be wrapped in Sensitive.

      I've managed to hack together the following function in my environment to do it:

      # lookup_key function that delegates to eyaml_lookup_key and wraps the
      # decrypted cleartext it returns in Puppet's Sensitive type, so the value
      # is redacted in console output, reports and diffs.
      Puppet::Functions.create_function(:eyaml_lookup_key_sensitive) do
        def eyaml_lookup_key_sensitive(key, options, context)
          cleartext = call_function('eyaml_lookup_key', key, options, context)
          Puppet::Pops::Types::PSensitiveType::Sensitive.new(cleartext)
        end
      end


      But this would be better done in eyaml_lookup_key.rb itself, so that the wrapped values are stored directly in the cache.

      To preserve backward compatibility, the opt-in could live in the options hash, e.g. as a boolean convert_to_sensitive option. A more flexible variant would accept these values:

      • none: current behaviour
      • encrypted: only wrap encrypted values
      • all: wrap all values
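As an added example (not Puppet's or hiera-eyaml's code), the following Ruby script models the proposed convert_to_sensitive opt-in with the three values above. It runs without the puppet gem: the Sensitive class is a minimal stand-in for Puppet::Pops::Types::PSensitiveType::Sensitive, the hiera data is passed in as a plain hash instead of through Puppet's lookup context, and decryption is injected as a block. The ENC[...] payloads and the decrypt stand-in are constructed placeholders, not real ciphertext. The one point the script makes that the list does not is where the decision has to be taken: the "encrypted" mode must inspect the raw value before decryption, which is why the wrapping belongs inside the lookup function rather than in a wrapper around it.

```ruby
# Added example modelling the proposed convert_to_sensitive option for
# eyaml_lookup_key (values: none / encrypted / all). Not Puppet's own code.

# hiera-eyaml marks ciphertext as ENC[<scheme>,<base64 payload>].
EYAML_MARKER = /\AENC\[[^,\]]+,[^\]]*\]\z/

# Minimal stand-in for Puppet's Sensitive type (assumption): to_s/inspect never
# reveal the value, so it cannot leak into reports, logs or diffs; callers
# must unwrap explicitly.
class Sensitive
  def initialize(value); @value = value; end
  def unwrap; @value; end
  def to_s; 'Sensitive [value redacted]'; end
  def inspect; to_s; end
end

# Does the raw (still encrypted) value, or anything nested in it, carry the
# ENC[...] marker? This is evaluated before decryption; after decryption the
# cleartext gives no hint that it was ever encrypted.
def encrypted?(raw)
  case raw
  when String then !!(raw =~ EYAML_MARKER)
  when Array  then raw.any? { |v| encrypted?(v) }
  when Hash   then raw.values.any? { |v| encrypted?(v) }
  else false
  end
end

# Replace every ENC[...] string with its decryption, recursing into containers.
def decrypt_value(raw, &decrypt)
  case raw
  when String then raw =~ EYAML_MARKER ? decrypt.call(raw) : raw
  when Array  then raw.map { |v| decrypt_value(v, &decrypt) }
  when Hash   then raw.transform_values { |v| decrypt_value(v, &decrypt) }
  else raw
  end
end

# The lookup. `options` is the lookup_key options hash from hiera.yaml;
# 'convert_to_sensitive' is the hypothetical option proposed in the ticket.
# Returns nil for a missing key (a real lookup_key function would call
# context.not_found instead).
def eyaml_lookup_key(key, data, options = {}, &decrypt)
  return nil unless data.key?(key)
  raw  = data[key]
  mode = options.fetch('convert_to_sensitive', 'none')
  raise ArgumentError, "convert_to_sensitive: #{mode}" unless %w[none encrypted all].include?(mode)

  clear = decrypt_value(raw, &decrypt)
  wrap  = mode == 'all' || (mode == 'encrypted' && encrypted?(raw))
  wrap ? Sensitive.new(clear) : clear
end

# Constructed sample data; the ENC[...] payloads are placeholders.
SAMPLE_DATA = {
  'profile::db::password' => 'ENC[PKCS7,placeholder-ciphertext-1]',
  'profile::db::host'     => 'db.example.internal',
  'profile::api::creds'   => { 'user' => 'svc', 'token' => 'ENC[PKCS7,placeholder-ciphertext-2]' },
}.freeze

# Constructed decrypt stand-in: maps placeholder ciphertext to placeholder cleartext.
FAKE_DECRYPT = ->(c) { "cleartext-for-#{c[/,([^\]]*)\]/, 1]}" }

# Look up every sample key under one mode; returns key => result.
def demo(mode)
  opts = { 'convert_to_sensitive' => mode }
  SAMPLE_DATA.keys.to_h { |k| [k, eyaml_lookup_key(k, SAMPLE_DATA, opts, &FAKE_DECRYPT)] }
end

if __FILE__ == $PROGRAM_NAME
  %w[none encrypted all].each do |mode|
    puts "convert_to_sensitive: #{mode}"
    demo(mode).each { |k, v| puts "  #{k} => #{v.inspect}" }
  end
end
```

Running the script prints the same three keys under each mode: with "none" everything is cleartext, with "encrypted" only the password and the creds hash (which contains an encrypted token) print as "Sensitive [value redacted]", and with "all" the plain hostname is redacted too. Note that in "encrypted" mode a hash with one encrypted member is wrapped as a whole, since Sensitive cannot be applied to part of a value.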

      The use case for this is a hierarchy where eyaml_lookup_key and its options are set in the defaults and encrypted values are scattered across layers (i.e. there is no single dedicated layer for sensitive keys), accepting the performance cost of a lookup_key function relative to data_hash.

      Another option would be to make Puppet automatically convert String to Sensitive[String] so that automatic class parameter lookup works. This would, however, still reveal values in e.g. puppet lookup.


      People

      Assignee: Unassigned
      Reporter: Tomáš Virtus (woky)
      Votes: 0
      Watchers: 5
