• Rob Browning's avatar
    (PDB-3322) Redact sensitive parameters in terminus · fdd4ceff
    Rob Browning authored
    A resource parameter marked Sensitive()
    
      notify {'hi':  message => Sensitive('there')}
    
    will show up in the terminus
    like this:
    
            input = {...
                     'environment'=>'production',
                     'resources'=>
                     [...
                      {'type'=>'Notify',
                       'title'=>'hi',
                       'tags'=>Puppet::Util::TagSet.new(['notify', 'hi', 'class']),
                       'file'=> 'site.pp',
                       'line'=>1,
                       'exported'=>false,
                       'parameters'=>{:message=>'there'},
                       'sensitive_parameters'=>[:message]}],
                     'edges'=>
                     [{'source'=>'Stage[main]', 'target'=>'Class[Settings]'},
                      {'source'=>'Stage[main]', 'target'=>'Class[main]'},
                      {'source'=>'Class[main]', 'target'=>'Notify[hi]'}],
                     'classes'=>['settings']}
    
    Remove any sensitive values from 'parameters', and remove
    'sensitive_parameters' before sending data to PuppetDB.
    
    Aside from the fact that we don't want senstitive parameters to be
    stored in (or even make it to) PuppetDB, the 'sensitive_parameters'
    element can cause command processing to fail, e.g. when an existing
    parameter becomes sensitive.  Add an integration test for that.
    fdd4ceff
Name
Last commit
Last update
..
lib/puppet Loading commit data...
spec Loading commit data...