Puppet / PUP-8969

Support interpolation of sensitive values in EPP templates


Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • PUP 5.5.2
    • PUP 7.0.0, PUP 6.20.0
    • None
    • 35573
    • 1
    • Enhancement
      Previously, if you interpolated a sensitive value in a template, then you were required to unwrap the sensitive value and rewrap the result:

      Sensitive(inline_epp("Password is <%= Sensitive('opensesame').unwrap %>"))

      Now the `epp` and `inline_epp` functions automatically return a Sensitive value if any interpolated variables are sensitive. So now you can simply do:

      inline_epp("Password is <%= Sensitive('opensesame') %>")

      Note this only applies to EPP templates, not ERB templates.

    Description

      Description: When I use the sensitive data type I expect it to be treated as sensitive when used in templates.  However it is not.
       
      Steps to reproduce:  I've created a small module / repro case here: https://github.com/suckatrash/sensitive  Just apply the class "sensitive"
       
      Actual Results
       
      If I declare the class "sensitive" it will create two test files /test1 and /test2. 
       
      If I make any changes in the files and run puppet again, I'll see:

      +This string should be redacted: 'this is sensitive'

      in the output of the puppet run and in the report.
       
      If I don't unwrap the sensitive parameter and use the commented line in one of the templates I'll see this:

      +This string should be redacted: 'Sensitive [value redacted]'

      Which is great, but that text ends up in the file as well.
       
      Expected Results:  I expect Puppet to output the '[value redacted]' string in reports and stdout, but I expect the cleartext string to be in the file on the system.
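
The behaviour described in the release note above, as an added example that is not taken from the ticket or the linked repro module: a manifest that renders a `Sensitive` parameter through `inline_epp`, refuses to compile if the result did not stay `Sensitive`, and shows the unwrap/rewrap pattern that ERB still needs. The class name, parameter name, file paths and password value are hypothetical.

```puppet
# Added example: class name, parameter name and file paths are hypothetical.
class sensitive_demo (
  Sensitive[String] $db_password = Sensitive('opensesame'), # constructed sample value
) {
  # Heredoc without interpolation, so Puppet does not expand $password
  # before the EPP evaluator sees the template text.
  $tmpl = @(EPP)
    password = <%= $password %>
    | EPP

  # With the fix (PUP 6.20.0 / 7.0.0), the result is a Sensitive value
  # because an interpolated variable is Sensitive. No unwrap/rewrap needed.
  $rendered = inline_epp($tmpl, { 'password' => $db_password })

  # Guard for mixed-version fleets: without the fix the result is a plain
  # String and the file would contain 'Sensitive [value redacted]'.
  unless $rendered =~ Sensitive {
    fail('inline_epp did not return a Sensitive value; this Puppet version predates the PUP-8969 fix')
  }

  # The cleartext lands in the file; diffs and reports show it redacted.
  file { '/tmp/sensitive_demo_epp.conf':
    ensure  => file,
    mode    => '0600',
    content => $rendered,
  }

  # ERB templates are not covered by the change: unwrap inside the
  # template and rewrap the rendered string by hand.
  file { '/tmp/sensitive_demo_erb.conf':
    ensure  => file,
    mode    => '0600',
    content => Sensitive(inline_template("password = <%= @db_password.unwrap %>\n")),
  }
}

include sensitive_demo
```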

            People

              josh Josh Cooper
              erik.hansen Erik Hansen