Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-8969

Support interpolation of sensitive values in EPP templates

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: PUP 5.5.2
    • Fix Version/s: PUP 7.0.0, PUP 6.20.0
    • Component/s: None
    • Labels:
    • Template:
    • Epic Link:
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Zendesk Ticket IDs:
      35573
    • Zendesk Ticket Count:
      1
    • Release Notes:
      Enhancement
    • Release Notes Summary:
      Hide
      Previously, if you interpolated a sensitive value in a template, then you were required to unwrap the sensitive value and rewrap the result:

      Sensitive(inline_epp("Password is <%= Sensitive('opensesame').unwrap %>"))

      Now the `epp` and `inline_epp` functions automatically return a Sensitive value if any interpolated variables are sensitive. So now you can simply do:

      inline_epp("Password is <%= Sensitive('opensesame') %>"))

      Note this only applies to EPP templates, not ERB templates.
      Show
      Previously, if you interpolated a sensitive value in a template, then you were required to unwrap the sensitive value and rewrap the result: Sensitive(inline_epp("Password is <%= Sensitive('opensesame').unwrap %>")) Now the `epp` and `inline_epp` functions automatically return a Sensitive value if any interpolated variables are sensitive. So now you can simply do: inline_epp("Password is <%= Sensitive('opensesame') %>")) Note this only applies to EPP templates, not ERB templates.

      Description

      Description: When I use the sensitive data type I expect it to be treated as sensitive when used in templates.  However it is not.
       
      Steps to reproduce:  I've created a small module / repro case here: https://github.com/suckatrash/sensitive  Just apply the class "sensitive"
       
      Actual Results
       
      If I declare the class "sensitive" it will create two test files /test1 and /test2. 
       
      If I make any changes in the files and run puppet again, I'll see:

      +This string should be redacted: 'this is sensitive'

      in the output of the puppet run and in the report.
       
      If I don't unwrap the sensitive parameter and use the commented line in one of the templates I'll see this:
       

       +This string should be redacted: 'Sensitive [value redacted]'  

       
      Which is great, but that text ends up in the file as well.
       
      Expected Results:  I expect Puppet to output the '[value redacted]' string in reports and stdout, but I expect the cleartext string to be in the file on the system.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              josh Josh Cooper
              Reporter:
              erik.hansen Erik Hansen
              Votes:
              1 Vote for this issue
              Watchers:
              15 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support