From 1f9ede5af4ec5316b003596e4142e7d5a7b6a646 Mon Sep 17 00:00:00 2001 From: Dave Armstrong Date: Mon, 18 Feb 2019 11:30:18 +0000 Subject: [PATCH 1/8] (FM-7698) Ensure that sensitive values are handled correctly --- spec/acceptance/sensitive_spec.rb | 16 +++++++++++++ .../puppet/transport/schema/test_device.rb | 24 +++++++++++++++++++ .../lib/puppet/type/test_sensitive.rb | 6 ++++- 3 files changed, 45 insertions(+), 1 deletion(-) diff --git a/spec/acceptance/sensitive_spec.rb b/spec/acceptance/sensitive_spec.rb index f48341fb..e23c4088 100644 --- a/spec/acceptance/sensitive_spec.rb +++ b/spec/acceptance/sensitive_spec.rb @@ -21,6 +21,22 @@ expect(stdout_str).not_to match %r{foo} expect(stdout_str).not_to match %r{warn|error}i end + + context 'when a sensitive value is not the top level type' do + it 'is not exposed by a provider' do + stdout_str, _status = Open3.capture2e("puppet apply #{common_args} -e \"test_sensitive { bar: secret => Sensitive('foo'), "\ + "optional_secret => Sensitive('optional foo'), variant_secret => [Sensitive('variant foo')] }\"") + expect(stdout_str).to match %r{redacted} + expect(stdout_str).not_to match %r{variant foo} + expect(stdout_str).not_to match %r{warn|error}i + end + it 'properly validates the sensitive type value' do + stdout_str, _status = Open3.capture2e("puppet apply #{common_args} -e \"test_sensitive { bar: secret => Sensitive('foo'), "\ + "optional_secret => Sensitive('optional foo'), variant_secret => [Sensitive(134679)] }\"") + expect(stdout_str).to match %r{Sensitive\[String\]( value)?, got Sensitive\[Integer\]} + expect(stdout_str).not_to match %r{134679} + end + end end describe 'using `puppet resource`' do diff --git a/spec/fixtures/test_module/lib/puppet/transport/schema/test_device.rb b/spec/fixtures/test_module/lib/puppet/transport/schema/test_device.rb index 5bd6ee45..df2f7a9b 100644 --- a/spec/fixtures/test_module/lib/puppet/transport/schema/test_device.rb +++ b/spec/fixtures/test_module/lib/puppet/transport/schema/test_device.rb @@ -4,5 +4,29 @@ name: 'test_device', # points at class Puppet::Transport::TestDevice desc: 'Connects to a device', connection_info: { + username: { + type: 'String', + desc: 'The name of the resource you want to manage.', + }, + secret: { + type: 'String', + desc: 'A secret to protect.', + sensitive: true, + }, + optional_secret: { + type: 'Optional[String]', + desc: 'An optional secret to protect.', + sensitive: true, + }, + array_secret: { + type: 'Optional[Array[String]]', + desc: 'An array secret to protect.', + sensitive: true, + }, + variant_secret: { + type: 'Optional[Variant[Array[String], Integer]]', + desc: 'An array secret to protect.', + sensitive: true, + }, }, ) diff --git a/spec/fixtures/test_module/lib/puppet/type/test_sensitive.rb b/spec/fixtures/test_module/lib/puppet/type/test_sensitive.rb index ce74363d..f42f89c9 100644 --- a/spec/fixtures/test_module/lib/puppet/type/test_sensitive.rb +++ b/spec/fixtures/test_module/lib/puppet/type/test_sensitive.rb @@ -26,7 +26,11 @@ desc: 'An optional secret to protect.', }, array_secret: { - type: 'Array[Sensitive[String]]', + type: 'Optional[Array[Sensitive[String]]]', + desc: 'An array secret to protect.', + }, + variant_secret: { + type: 'Optional[Variant[Array[Sensitive[String]], Integer]]', desc: 'An array secret to protect.', }, }, From 2916e593d36646cb660b4fcdd36404e8e4d6bed7 Mon Sep 17 00:00:00 2001 From: Dave Armstrong Date: Tue, 19 Feb 2019 16:31:35 +0000 Subject: [PATCH 2/8] (maint) Fix schema error message returned when checking a transport --- lib/puppet/resource_api/transport.rb | 4 ++-- lib/puppet/resource_api/type_definition.rb | 7 ++++--- spec/puppet/resource_api/transport_spec.rb | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/lib/puppet/resource_api/transport.rb b/lib/puppet/resource_api/transport.rb index df6177ee..8d96d925 100644 --- a/lib/puppet/resource_api/transport.rb +++ b/lib/puppet/resource_api/transport.rb @@ -57,8 +57,8 @@ def self.validate(name, connection_info) environment: @environment, } end - - transport_schema.check_schema(connection_info) + message_prefix = 'The connection info provided does not match the Transport Schema' + transport_schema.check_schema(connection_info, message_prefix) transport_schema.validate(connection_info) end private_class_method :validate diff --git a/lib/puppet/resource_api/type_definition.rb b/lib/puppet/resource_api/type_definition.rb index be8ad135..0b92da8f 100644 --- a/lib/puppet/resource_api/type_definition.rb +++ b/lib/puppet/resource_api/type_definition.rb @@ -120,16 +120,17 @@ def validate_schema(definition, attr_key) end # validates a resource hash against its type schema - def check_schema(resource) + def check_schema(resource, message_prefix = nil) namevars.each do |namevar| if resource[namevar].nil? raise Puppet::ResourceError, "`#{name}.get` did not return a value for the `#{namevar}` namevar attribute" end end - message = "Provider returned data that does not match the Type Schema for `#{name}[#{resource[namevars.first]}]`" + message_prefix = 'Provider returned data that does not match the Type Schema' if message_prefix.nil? + message = "#{message_prefix} for `#{name}[#{resource[namevars.first]}]`" - rejected_keys = check_schema_keys(resource) # removes bad keys + rejected_keys = check_schema_keys(resource) bad_values = check_schema_values(resource) unless rejected_keys.empty? diff --git a/spec/puppet/resource_api/transport_spec.rb b/spec/puppet/resource_api/transport_spec.rb index 31529c2d..d2e10ce4 100644 --- a/spec/puppet/resource_api/transport_spec.rb +++ b/spec/puppet/resource_api/transport_spec.rb @@ -302,7 +302,7 @@ class Wibble; end described_class.register(schema) expect(described_class).not_to receive(:require).with('puppet/transport/schema/validate') - expect(schema_def).to receive(:check_schema).with('connection_info').and_return(nil) + expect(schema_def).to receive(:check_schema).with('connection_info', kind_of(String)).and_return(nil) expect(schema_def).to receive(:validate).with('connection_info').and_return(nil) described_class.send :validate, 'validate', 'connection_info' From 88c636517703278548bd2290d8536392fcf4b9e3 Mon Sep 17 00:00:00 2001 From: Dave Armstrong Date: Tue, 19 Feb 2019 16:32:45 +0000 Subject: [PATCH 3/8] (FM-7698) Handle a transport schema type with `sensitive: true` set --- lib/puppet/resource_api/type_definition.rb | 7 +- spec/acceptance/device_spec.rb | 9 +- spec/acceptance/transport/transport_spec.rb | 196 ++++++++++++++++++ .../transport/schema/test_device_sensitive.rb | 32 +++ .../puppet/transport/test_device_sensitive.rb | 21 ++ .../resource_api/base_type_definition_spec.rb | 55 ++++- 6 files changed, 310 insertions(+), 10 deletions(-) create mode 100644 spec/acceptance/transport/transport_spec.rb create mode 100644 spec/fixtures/test_module/lib/puppet/transport/schema/test_device_sensitive.rb create mode 100644 spec/fixtures/test_module/lib/puppet/transport/test_device_sensitive.rb diff --git a/lib/puppet/resource_api/type_definition.rb b/lib/puppet/resource_api/type_definition.rb index 0b92da8f..40bd3713 100644 --- a/lib/puppet/resource_api/type_definition.rb +++ b/lib/puppet/resource_api/type_definition.rb @@ -169,12 +169,17 @@ def check_schema_values(resource) resource.each do |key, value| next unless attributes[key] type = @data_type_cache[attributes[key][:type]] + is_sensitive = (attributes[key].key?(:sensitive) && (attributes[key][:sensitive] == true)) error_message = Puppet::ResourceApi::DataTypeHandling.try_validate( type, value, '', ) - bad_vals[key] = value unless error_message.nil? + if is_sensitive + bad_vals[key] = '<< redacted value >> ' + error_message unless error_message.nil? + else + bad_vals[key] = value unless error_message.nil? + end end bad_vals end diff --git a/spec/acceptance/device_spec.rb b/spec/acceptance/device_spec.rb index 909313c9..788244dd 100644 --- a/spec/acceptance/device_spec.rb +++ b/spec/acceptance/device_spec.rb @@ -78,7 +78,14 @@ DEVICE_CONF end let(:device_credentials) { Tempfile.new('credentials.txt') } - let(:device_credentials_content) { {} } + let(:device_credentials_content) do + <= Gem::Version.new('5.3.6') && Gem::Version.new(Puppet::PUPPETVERSION) != Gem::Version.new('5.4.0') diff --git a/spec/acceptance/transport/transport_spec.rb b/spec/acceptance/transport/transport_spec.rb new file mode 100644 index 00000000..3ab93bec --- /dev/null +++ b/spec/acceptance/transport/transport_spec.rb @@ -0,0 +1,196 @@ +require 'spec_helper' +require 'tempfile' +require 'open3' + +RSpec.describe 'a transport' do + let(:common_args) { '--verbose --trace --debug --strict=error --modulepath spec/fixtures' } + + before(:all) do + FileUtils.mkdir_p(File.expand_path('~/.puppetlabs/opt/puppet/cache/devices/the_node/state')) + end + + describe 'using `puppet device`' do + let(:common_args) { super() + ' --target the_node' } + let(:device_conf) { Tempfile.new('device.conf') } + let(:device_conf_content) do + <= Gem::Version.new('5.3.6') && Gem::Version.new(Puppet::PUPPETVERSION) != Gem::Version.new('5.4.0') + end + + before(:each) do + skip "No device --apply in puppet before v5.3.6 nor in v5.4.0 (v#{Puppet::PUPPETVERSION} is installed)" unless is_device_apply_supported? + device_conf.write(device_conf_content) + device_conf.close + + device_credentials.write(device_credentials_content) + device_credentials.close + end + + after(:each) do + device_conf.unlink + device_credentials.unlink + end + + context 'when all sensitive values are valid' do + let(:device_credentials_content) do + <"foo"} + expect(stdout_str).to match %r{:secret_string=>"wibble"} + expect(stdout_str).to match %r{:optional_secret=>"bar"} + expect(stdout_str).to match %r{:array_secret=>\["meep"\]} + expect(stdout_str).to match %r{:variant_secret=>21} + end + end + end + + context 'with a sensitive string value that is invalid' do + let(:device_credentials_content) do + <> } + expect(stdout_str).not_to match %r{optional_secret} + expect(stdout_str).not_to match %r{array_secret} + expect(stdout_str).not_to match %r{variant_secret} + end + end + end + + context 'with an optional sensitive string value that is invalid' do + let(:device_credentials_content) do + <>} + expect(stdout_str).not_to match %r{array_secret} + expect(stdout_str).not_to match %r{variant_secret} + end + end + end + + context 'with an array of sensitive strings that is invalid' do + let(:device_credentials_content) do + <>} + expect(stdout_str).not_to match %r{variant_secret} + end + end + end + + context 'with an variant containing a sensitive value that is invalid' do + let(:device_credentials_content) do + <>} + end + end + end + end +end diff --git a/spec/fixtures/test_module/lib/puppet/transport/schema/test_device_sensitive.rb b/spec/fixtures/test_module/lib/puppet/transport/schema/test_device_sensitive.rb new file mode 100644 index 00000000..a22c43aa --- /dev/null +++ b/spec/fixtures/test_module/lib/puppet/transport/schema/test_device_sensitive.rb @@ -0,0 +1,32 @@ +require 'puppet/resource_api' + +Puppet::ResourceApi.register_transport( + name: 'test_device_sensitive', # points at class Puppet::Transport::TestDevice + desc: 'Connects to a device', + connection_info: { + username: { + type: 'String', + desc: 'The name of the resource you want to manage.', + }, + secret_string: { + type: 'String', + desc: 'A secret to protect.', + sensitive: true, + }, + optional_secret: { + type: 'Optional[String]', + desc: 'An optional secret to protect.', + sensitive: true, + }, + array_secret: { + type: 'Optional[Array[String]]', + desc: 'An array secret to protect.', + sensitive: true, + }, + variant_secret: { + type: 'Optional[Variant[Array[String], Integer]]', + desc: 'An array secret to protect.', + sensitive: true, + }, + }, +) diff --git a/spec/fixtures/test_module/lib/puppet/transport/test_device_sensitive.rb b/spec/fixtures/test_module/lib/puppet/transport/test_device_sensitive.rb new file mode 100644 index 00000000..c2a898a2 --- /dev/null +++ b/spec/fixtures/test_module/lib/puppet/transport/test_device_sensitive.rb @@ -0,0 +1,21 @@ +module Puppet::Transport +# a transport for a test_device +class TestDeviceSensitive + def initialize(_context, connection_info); + puts "transport connection_info: #{connection_info}" + end + + def facts(_context) + { 'foo' => 'bar' } + end + + def verify(_context) + return true + end + + def close(_context) + return + end +end + +end diff --git a/spec/puppet/resource_api/base_type_definition_spec.rb b/spec/puppet/resource_api/base_type_definition_spec.rb index 64ab1cc5..62a918fd 100644 --- a/spec/puppet/resource_api/base_type_definition_spec.rb +++ b/spec/puppet/resource_api/base_type_definition_spec.rb @@ -52,19 +52,58 @@ end describe '#check_schema_values' do - context 'when resource contains only valid values' do - let(:resource) { { name: 'some_resource', prop: 1, ensure: 'present' } } + context 'when the definition is a type' do + context 'when resource contains only valid values' do + let(:resource) { { name: 'some_resource', prop: 1, ensure: 'present' } } - it 'returns an empty array' do - expect(type.check_schema_values(resource)).to eq({}) + it 'returns an empty array' do + expect(type.check_schema_values(resource)).to eq({}) + end + end + + context 'when resource contains invalid values' do + let(:resource) { { name: 'test_string', prop: 'foo', ensure: 1 } } + + it 'returns a hash of the keys that have invalid values' do + expect(type.check_schema_values(resource)).to eq(prop: 'foo', ensure: 1) + end end end - context 'when resource contains invalid values' do - let(:resource) { { name: 'test_string', prop: 'foo', ensure: 1 } } + context 'when the definition is a transport' do + subject(:type) { described_class.new(definition, :connection_info) } + + let(:definition) do + { + name: 'some_transport', + connection_info: { + username: { + type: 'String', + desc: 'The username to connect with', + }, + secret: { + type: 'String', + desc: 'A sensitive value', + sensitive: true, + }, + }, + } + end + + context 'when resource contains only valid values' do + let(:resource) { { username: 'wibble', secret: 'foo' } } - it 'returns a hash of the keys that have invalid values' do - expect(type.check_schema_values(resource)).to eq(prop: 'foo', ensure: 1) + it 'returns an empty array' do + expect(type.check_schema_values(resource)).to eq({}) + end + end + + context 'when resource contains invalid values' do + let(:resource) { { username: 'wibble', secret: 12_345 } } + + it 'returns a hash of the keys that have invalid values' do + expect(type.check_schema_values(resource)).to match(secret: %r{<< redacted value >> expect(s|ed) a String value, got Integer}) + end end end end From 19f9139b0c9fb91cdb78957ae39d0765b0d7a8c0 Mon Sep 17 00:00:00 2001 From: Dave Armstrong Date: Thu, 21 Feb 2019 16:11:06 +0000 Subject: [PATCH 4/8] (maint) remove invalid comment --- lib/puppet/resource_api/transport.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/puppet/resource_api/transport.rb b/lib/puppet/resource_api/transport.rb index 8d96d925..9ac98297 100644 --- a/lib/puppet/resource_api/transport.rb +++ b/lib/puppet/resource_api/transport.rb @@ -31,7 +31,6 @@ def connect(name, connection_info) validate(name, connection_info) require "puppet/transport/#{name}" class_name = name.split('_').map { |e| e.capitalize }.join - # passing the copy as it may have been stripped on invalid key/values by validate Puppet::Transport.const_get(class_name).new(get_context(name), connection_info) end module_function :connect # rubocop:disable Style/AccessModifierDeclarations From 7466c20ac37ee8226de13a8b7c9645821ebe009d Mon Sep 17 00:00:00 2001 From: Dave Armstrong Date: Thu, 21 Feb 2019 19:56:45 +0000 Subject: [PATCH 5/8] (maint) use device wrapper to support demo transport --- spec/acceptance/transport/transport_spec.rb | 10 ---------- .../network_device/test_device_sensitive/device.rb | 12 ++++++++++++ 2 files changed, 12 insertions(+), 10 deletions(-) create mode 100644 spec/fixtures/test_module/lib/puppet/util/network_device/test_device_sensitive/device.rb diff --git a/spec/acceptance/transport/transport_spec.rb b/spec/acceptance/transport/transport_spec.rb index 3ab93bec..d7678952 100644 --- a/spec/acceptance/transport/transport_spec.rb +++ b/spec/acceptance/transport/transport_spec.rb @@ -53,8 +53,6 @@ def is_device_apply_supported? end it 'does not throw' do - pending('Requires Puppet with NetworkDevice.rb support for Transports') - Tempfile.create('apply_success') do |f| f.write 'notify { "foo": }' f.close @@ -87,8 +85,6 @@ def is_device_apply_supported? end it 'Value type mismatch' do - pending('Requires Puppet with NetworkDevice.rb support for Transports') - Tempfile.create('apply_success') do |f| f.write 'notify { "foo": }' f.close @@ -117,8 +113,6 @@ def is_device_apply_supported? end it 'Value type mismatch' do - pending('Requires Puppet with NetworkDevice.rb support for Transports') - Tempfile.create('apply_success') do |f| f.write 'notify { "foo": }' f.close @@ -147,8 +141,6 @@ def is_device_apply_supported? end it 'Value type mismatch' do - pending('Requires Puppet with NetworkDevice.rb support for Transports') - Tempfile.create('apply_success') do |f| f.write 'notify { "foo": }' f.close @@ -177,8 +169,6 @@ def is_device_apply_supported? end it 'Value type mismatch' do - pending('Requires Puppet with NetworkDevice.rb support for Transports') - Tempfile.create('apply_success') do |f| f.write 'notify { "foo": }' f.close diff --git a/spec/fixtures/test_module/lib/puppet/util/network_device/test_device_sensitive/device.rb b/spec/fixtures/test_module/lib/puppet/util/network_device/test_device_sensitive/device.rb new file mode 100644 index 00000000..4c04b7cf --- /dev/null +++ b/spec/fixtures/test_module/lib/puppet/util/network_device/test_device_sensitive/device.rb @@ -0,0 +1,12 @@ +require 'puppet/resource_api/transport/wrapper' + +class Puppet::Util::NetworkDevice; end + +module Puppet::Util::NetworkDevice::Test_device_sensitive # rubocop:disable Style/ClassAndModuleCamelCase + # The main class for handling the connection and command parsing to the IOS Catalyst device + class Device < Puppet::ResourceApi::Transport::Wrapper + def initialize(url_or_config, _options = {}) + super('test_device_sensitive', url_or_config) + end + end +end \ No newline at end of file From d3e2e0bff88746638d5ad64a1a6684bc92de2a39 Mon Sep 17 00:00:00 2001 From: Dave Armstrong Date: Thu, 21 Feb 2019 20:43:46 +0000 Subject: [PATCH 6/8] (PDK-7698) Wrap raw values flagged as sensitive in Puppet Sensitive type Before passing the connection_info to the transport, wrap them in a PSensitiveType to prevent unexpected leaking of data. --- lib/puppet/resource_api/transport.rb | 15 ++++++++- spec/acceptance/transport/transport_spec.rb | 13 ++++---- spec/puppet/resource_api/transport_spec.rb | 36 +++++++++++++++++++++ 3 files changed, 56 insertions(+), 8 deletions(-) diff --git a/lib/puppet/resource_api/transport.rb b/lib/puppet/resource_api/transport.rb index 9ac98297..dc6d65a5 100644 --- a/lib/puppet/resource_api/transport.rb +++ b/lib/puppet/resource_api/transport.rb @@ -31,7 +31,7 @@ def connect(name, connection_info) validate(name, connection_info) require "puppet/transport/#{name}" class_name = name.split('_').map { |e| e.capitalize }.join - Puppet::Transport.const_get(class_name).new(get_context(name), connection_info) + Puppet::Transport.const_get(class_name).new(get_context(name), wrap_sensitive(name, connection_info)) end module_function :connect # rubocop:disable Style/AccessModifierDeclarations @@ -79,4 +79,17 @@ def self.init_transports @transports[@environment] ||= {} end private_class_method :init_transports + + def self.wrap_sensitive(name, connection_info) + transport_schema = @transports[@environment][name] + if transport_schema + transport_schema.definition[:connection_info].each do |attr_name, options| + if options.key?(:sensitive) && (options[:sensitive] == true) + connection_info[attr_name] = Puppet::Pops::Types::PSensitiveType::Sensitive.new(connection_info[:name]) + end + end + end + connection_info + end + private_class_method :wrap_sensitive end diff --git a/spec/acceptance/transport/transport_spec.rb b/spec/acceptance/transport/transport_spec.rb index d7678952..3fe7c0b5 100644 --- a/spec/acceptance/transport/transport_spec.rb +++ b/spec/acceptance/transport/transport_spec.rb @@ -47,7 +47,7 @@ def is_device_apply_supported? secret_string: wibble optional_secret: bar array_secret: [meep] - variant_secret: 21 + variant_secret: 1234567890 } DEVICE_CREDS end @@ -59,14 +59,13 @@ def is_device_apply_supported? stdout_str, _status = Open3.capture2e("puppet device #{common_args} --deviceconfig #{device_conf.path} --apply #{f.path}") expect(stdout_str).not_to match %r{Value type mismatch} - # These are only matched because the test transport prints them - # This however shows that the transport can view the raw values + expect(stdout_str).to match %r{transport connection_info:} expect(stdout_str).to match %r{:username=>"foo"} - expect(stdout_str).to match %r{:secret_string=>"wibble"} - expect(stdout_str).to match %r{:optional_secret=>"bar"} - expect(stdout_str).to match %r{:array_secret=>\["meep"\]} - expect(stdout_str).to match %r{:variant_secret=>21} + expect(stdout_str).not_to match %r{wibble} + expect(stdout_str).not_to match %r{bar} + expect(stdout_str).not_to match %r{meep} + expect(stdout_str).not_to match %r{1234567890} end end end diff --git a/spec/puppet/resource_api/transport_spec.rb b/spec/puppet/resource_api/transport_spec.rb index d2e10ce4..6bd10a61 100644 --- a/spec/puppet/resource_api/transport_spec.rb +++ b/spec/puppet/resource_api/transport_spec.rb @@ -331,4 +331,40 @@ class Wibble; end end end end + + describe '#wrap_sensitive(name, connection_info)' do + context 'when the connection info contains a `Sensitive` type' do + let(:schema) do + { + name: 'sensitive_transport', + desc: 'a secret', + connection_info: { + secret: { + type: 'String', + desc: 'A secret to protect.', + sensitive: true, + }, + }, + } + end + let(:schema_def) { instance_double('Puppet::ResourceApi::TransportSchemaDef', 'schema_def') } + let(:connection_info) do + { + secret: 'sup3r_secret_str1ng', + } + end + + before(:each) do + allow(Puppet::ResourceApi::TransportSchemaDef).to receive(:new).with(schema).and_return(schema_def) + described_class.register(schema) + end + + it 'wraps the value in a PSensitiveType' do + allow(schema_def).to receive(:definition).and_return(schema) + + conn_info = described_class.send :wrap_sensitive, 'sensitive_transport', connection_info + expect(conn_info[:secret]).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive) + end + end + end end From 75aae39ae20d77d10db1278bcfd89b2bc2ab5ef6 Mon Sep 17 00:00:00 2001 From: Dave Armstrong Date: Fri, 22 Feb 2019 14:03:37 +0000 Subject: [PATCH 7/8] (maint) Fixes travis failure concerning jar-dependencies --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 978c4106..7b214550 100644 --- a/.travis.yml +++ b/.travis.yml @@ -25,7 +25,7 @@ matrix: - env: RVM="jruby-9.1.9.0" PUPPET_GEM_VERSION='~> 5' JRUBY_OPTS="--debug" before_cache: pushd ~/.rvm && rm -rf archives rubies/ruby-2.2.7 rubies/ruby-2.3.4 && popd cache: - bundler: true + bundler: false directories: ~/.rvm before_install: rvm use jruby-9.1.9.0 --install --binary --fuzzy - rvm: 2.4.3 From 95d65c030169af1a13b7ffc6351c891b52c25a9a Mon Sep 17 00:00:00 2001 From: Dave Armstrong Date: Mon, 25 Feb 2019 16:25:56 +0000 Subject: [PATCH 8/8] (PDK-7698) Ensure that Sensitive values get unwrapped correctly --- lib/puppet/resource_api/transport.rb | 2 +- spec/puppet/resource_api/transport_spec.rb | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/puppet/resource_api/transport.rb b/lib/puppet/resource_api/transport.rb index dc6d65a5..438333f1 100644 --- a/lib/puppet/resource_api/transport.rb +++ b/lib/puppet/resource_api/transport.rb @@ -85,7 +85,7 @@ def self.wrap_sensitive(name, connection_info) if transport_schema transport_schema.definition[:connection_info].each do |attr_name, options| if options.key?(:sensitive) && (options[:sensitive] == true) - connection_info[attr_name] = Puppet::Pops::Types::PSensitiveType::Sensitive.new(connection_info[:name]) + connection_info[attr_name] = Puppet::Pops::Types::PSensitiveType::Sensitive.new(connection_info[attr_name]) end end end diff --git a/spec/puppet/resource_api/transport_spec.rb b/spec/puppet/resource_api/transport_spec.rb index 6bd10a61..ad59697d 100644 --- a/spec/puppet/resource_api/transport_spec.rb +++ b/spec/puppet/resource_api/transport_spec.rb @@ -364,6 +364,7 @@ class Wibble; end conn_info = described_class.send :wrap_sensitive, 'sensitive_transport', connection_info expect(conn_info[:secret]).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive) + expect(conn_info[:secret].unwrap).to eq('sup3r_secret_str1ng') end end end