puppetlabs / puppetlabs-concat

File concatenation system for Puppet
Apache License 2.0

Support for content with sensitive type #742

Closed teluq-pbrideau closed 1 year ago

teluq-pbrideau commented 2 years ago

Use Case

If there is sensitive content included in a file (like a password), I don’t want it to be displayed in the log.

Describe the Solution You Would Like

Support for the Sensitive type in the content:

class secret_within_content {
  $secret = Sensitive('mysecret')
  concat { '/tmp/example.conf':  }
  concat::fragment { 'secret' :
    target  => '/tmp/example.conf',
    content => $secret,
  }
}

class with_inline_epp {
  $secret = Sensitive('mysecret')
  $content = inline_epp("secret = <%= $s %>", { s => $secret })
  concat { '/tmp/example.conf':  }
  concat::fragment { 'secret' :
    target  => '/tmp/example.conf',
    content => $content,
  }
}

Describe Alternatives You've Considered

The alternative for now is to use show_diff => false, which doesn't show any diff at all, but I would like to only remove the data that is sensitive, not the entire diff from the logs.

Additional Context

I’ve tried adding Sensitive in fragment.pp on line 47:

46  if versioncmp($clientversion, '6.0') >= 0 and versioncmp($_serverversion, '6.0') >= 0 {
47    assert_type(Optional[Variant[String, Deferred, Sensitive]], $content)
48  } else {
49    assert_type(Optional[String], $content)
50  }

But then there is a warning and the diff still shows the sensitive content: Warning: /Concat_fragment[secret]: Unable to mark 'content' as sensitive: content is a parameter and not a property, and cannot be automatically redacted. I would like to offer a pull request on this, but I'm unsure where I would go from here... Does a complete provider have to be written for this to work?

jcpunk commented 1 year ago

I'll confess interest in this as well.