|
1 | 1 | # frozen_string_literal: true |
2 | 2 |
|
3 | 3 | require 'diffy' |
| 4 | +require 'digest' |
4 | 5 | require 'hashdiff' |
5 | 6 | require 'json' |
6 | 7 | require 'set' |
@@ -263,7 +264,7 @@ def filter_and_cleanup(catalog_resources) |
263 | 264 |
|
264 | 265 | # Handle parameters |
265 | 266 | if k == 'parameters' |
266 | | - cleansed_param = cleanse_parameters_hash(v) |
| 267 | + cleansed_param = cleanse_parameters_hash(v, resource.fetch('sensitive_parameters', [])) |
267 | 268 | hsh[k] = cleansed_param unless cleansed_param.nil? || cleansed_param.empty? |
268 | 269 | elsif k == 'tags' |
269 | 270 | # The order of tags is unimportant. Sort this array to avoid false diffs if order changes. |
@@ -456,10 +457,18 @@ def ignored?(diff) |
456 | 457 |
|
457 | 458 | # Cleanse parameters of filtered attributes. |
458 | 459 | # @param parameters_hash [Hash] Hash of parameters |
| 460 | + # @param sensitive_parameters [Array] Array of sensitive parameters |
459 | 461 | # @return [Hash] Cleaned parameters hash (original input hash is not altered) |
460 | | - def cleanse_parameters_hash(parameters_hash) |
| 462 | + def cleanse_parameters_hash(parameters_hash, sensitive_parameters) |
461 | 463 | result = parameters_hash.dup |
462 | 464 |
|
| 465 | + # hides sensitive params. We still need to know if there's a going to |
| 466 | + # be a diff, so we hash the value. |
| 467 | + sensitive_parameters.each do |p| |
| 468 | + md5 = Digest::MD5.hexdigest Marshal.dump(result[p]) |
| 469 | + result[p] = 'Sensitive [md5sum ' + md5 + ']' |
| 470 | + end |
| 471 | + |
463 | 472 | # 'before' and 'require' handle internal Puppet ordering but do not affect what |
464 | 473 | # happens on the target machine. Don't consider these for the purpose of catalog diff. |
465 | 474 | result.delete('before') |
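Review bot: The loop added at new lines 467–470 replaces each sensitive value with an unsalted MD5 of `Marshal.dump(result[p])`, and that string presumably ends up in the rendered diff, so a short or low-entropy secret can be recovered by offline guessing and the same secret on two resources yields the same digest. A keyed digest keeps the "did it change" signal the comment asks for without publishing a reusable fingerprint, e.g. `digest = OpenSSL::HMAC.hexdigest('SHA256', run_key, Marshal.dump(result[p]))`, where `run_key` (placeholder name) is a random key generated once per run and shared by both catalogs, with the `md5sum` label updated to match. The loop also writes an entry for every listed name even when `result` has no such key; `next unless result.key?(p)` at the top of the block would avoid inventing parameters. The body of cleanse_parameters_hash continues past the end of this hunk.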
|