voxpupuli / puppet-gitlab_ci_runner

Module to manage gitlab CI runners. Extracted from https://github.com/voxpupuli/puppet-gitlab
Apache License 2.0

A deferred sensitive token is not unwrapped #201

Open traylenator opened 1 month ago

traylenator commented 1 month ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

class { 'gitlab_ci_runner':
  runners => {                                   
    'foobar' => {
      'token' => Deferred('myfunc', ['gl'])
    }
  }
}

What are you seeing

Results in the file /etc/gitlab-runner/config.toml

[[runners]]
name = "foobar"
token = #<Sensitive [value redacted]>

What behaviour did you expect instead

The file should contain the token retrieved in a deferred context.

Output log

Any additional information you'd like to impart

Problem is around here: https://github.com/voxpupuli/puppet-gitlab_ci_runner/blob/master/manifests/runner.pp#L108

Where it does:

$content = { 'runners' => [{ 'name' => 'foobar', 'token' => Deferred('myfunc', ['gl']) }] }

concat::fragment { ...
  target  => ...,
  content => Deferred('gitlab_ci_runner::to_toml', [$content]),
}

I believe you need to .unwrap the value of the token before passing it to the ::to_toml function but I'm failing to understand how to do that.
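The mechanism behind the redacted line, shown as an added example that is not code from puppet-gitlab_ci_runner, its `gitlab_ci_runner::to_toml` function, or the issue author: Puppet resolves Deferred values nested inside the argument data before it calls the outer deferred function, so by the time `to_toml` runs it is handed a `Sensitive` object where the token string was, and a serializer that falls back to `inspect` for unknown objects writes `#<Sensitive [value redacted]>` verbatim. The `Sensitive` class below is a stand-in that reproduces only the `unwrap`/`to_s`/`inspect` behaviour of Puppet's wrapper, `to_toml` is a deliberately small emitter for the `[[runners]]` shape of config.toml (it is not the toml-rb dump the module may use), and the `deep_unwrap` helper is the fix the comment above asks for: walk the hash and unwrap every `Sensitive` before serialising. The runner content and the token value are constructed sample data.

```ruby
# Added example, not part of puppet-gitlab_ci_runner.

# Stand-in for Puppet::Pops::Types::PSensitiveType::Sensitive (assumption: only
# unwrap, to_s and inspect are reproduced; Puppet's class has the same outputs).
class Sensitive
  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  def to_s
    'Sensitive [value redacted]'
  end

  def inspect
    "#<#{self}>"
  end
end

# Recursively replace Sensitive wrappers inside nested Hashes and Arrays with
# the plain value they protect; anything else is returned unchanged.
def deep_unwrap(value)
  case value
  when Sensitive then deep_unwrap(value.unwrap)
  when Hash      then value.transform_values { |v| deep_unwrap(v) }
  when Array     then value.map { |v| deep_unwrap(v) }
  else value
  end
end

# Quote a TOML scalar. Unknown objects fall back to inspect, which is how a
# naive serializer turns a Sensitive into "#<Sensitive [value redacted]>".
def toml_value(v)
  case v
  when String then '"' + v.gsub('\\') { '\\\\' }.gsub('"') { '\\"' } + '"'
  when Integer, Float, true, false then v.to_s
  else v.inspect
  end
end

# Minimal TOML emitter for the config.toml layout gitlab-runner uses: top-level
# scalars first, then one [[name]] table per element of each Array value.
# (Assumption: every Array is an array of tables; plain scalar arrays are not handled.)
def to_toml(hash)
  scalars, tables = hash.partition { |_, v| !v.is_a?(Array) }
  out = scalars.map { |k, v| "#{k} = #{toml_value(v)}" }
  tables.each do |name, rows|
    rows.each do |row|
      out << "[[#{name}]]"
      row.each { |k, v| out << "#{k} = #{toml_value(v)}" }
    end
  end
  out.join("\n") + "\n"
end

# The corrected pipeline: unwrap before serialising.
def render_runner_config(content)
  to_toml(deep_unwrap(content))
end

# Constructed sample: what to_toml receives after Puppet has resolved the
# nested Deferred('myfunc', ['gl']) into a Sensitive-wrapped token string.
CONTENT = {
  'concurrent' => 4,
  'runners' => [{ 'name' => 'foobar', 'token' => Sensitive.new('glrt-example') }],
}.freeze

if $PROGRAM_NAME == __FILE__
  puts '# without unwrapping (the redacted line from the issue):'
  puts to_toml(CONTENT)
  puts '# with deep_unwrap:'
  puts render_runner_config(CONTENT)
end
```

Unwrapping must happen inside the deferred function (or in a Deferred wrapper around it), not at compile time: unwrapping in the manifest would put the secret into the catalog, which is what `Sensitive` and `Deferred` exist to avoid. The agent-side rendering above keeps the token out of the catalog and out of the `concat` diff, and still writes the plain string the gitlab-runner binary needs.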

traylenator commented 1 month ago
$_foo = {
  'x' => 'y',
  'a' => Sensitive('b'),
}

$_bar = $_foo.each | $_k, $_v | { { $_k => $_v.unwrap } }.reduce | $_memo, $_hash | { $_memo + $_hash }

notify{"With Map ${_bar}":}

$_direct = {
  'x' => 'y',
  'a' => Sensitive('b').unwrap,
}

notify{"Direct ${_direct}":}

results in:

Notice: Compiled catalog for aiadm86.cern.ch in environment production in 0.02 seconds
Notice: With Map [x, y, a, Sensitive [value redacted]]
Notice: /Stage[main]/Main/Notify[With Map [x, y, a, Sensitive [value redacted]]]/message: defined 'message' as 'With Map [x, y, a, Sensitive [value redacted]]'
Notice: Direct {x => y, a => b}
Notice: /Stage[main]/Main/Notify[Direct {x => y, a => b}]/message: defined 'message' as 'Direct {x => y, a => b}'
Notice: Applied catalog in 0.01 seconds

Why are the two notifies not the same?

traylenator commented 1 month ago

I see this is what I am looking for - https://github.com/puppetlabs/puppetlabs-stdlib/pull/1418

traylenator commented 1 month ago

With this module it is easy to work around since config is already created in concat:

class { 'gitlab_ci_runner':
  runners => {
    'foobar' => {
    }
  }
}
# Work around for https://github.com/voxpupuli/puppet-gitlab_ci_runner/issues/201
Concat_file <| title == '/etc/gitlab-runner/config.toml' |> {                                                
  show_diff => false,
}
concat::fragment{'add_token':
  target  => '/etc/gitlab-runner/config.toml',
  order   => '3',
  content => Deferred('inline_epp',['token = "<%= $token %>"',{ 'token' => Deferred('myfunc', ['gl'])}]),
}