(PUP-8969) Preserve sensitiveness of epp templates

If an EPP template contains a Sensitive data type, then join the unwrapped
value, but wrap the entire result as Sensitive. This way the underlying
sensitive value is preserved, and the caller can access it by unwrapping the
entire result. Previously, the result was always a string and contained the
generic 'Sensitive [redacted]' message, so the underlying sensitive value was
lost.

Update the `epp` and `inline_epp` function signatures, since they can both
return either String or Sensitive[String].

Update the `epp` application to unwrap sensitive values produced by the above
functions.

Author: joshcooper

lib/puppet/face/epp.rb

@@ -440,7 +440,12 @@ def get_values(compiler, options)
 
   def render_inline(epp_source, compiler, options)
     template_args = get_values(compiler, options)
-    Puppet::Pops::Evaluator::EppEvaluator.inline_epp(compiler.topscope, epp_source, template_args)
+    result = Puppet::Pops::Evaluator::EppEvaluator.inline_epp(compiler.topscope, epp_source, template_args)
+    if result.instance_of?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      result.unwrap
+    else
+      result
+    end
   end
 
   def render_file(epp_template_name, compiler, options, show_filename, file_nbr)
@@ -457,7 +462,12 @@ def render_file(epp_template_name, compiler, options, show_filename, file_nbr)
       if template_file.nil? && Puppet::FileSystem.exist?(epp_template_name)
         epp_template_name = File.expand_path(epp_template_name)
       end
-      output << Puppet::Pops::Evaluator::EppEvaluator.epp(compiler.topscope, epp_template_name, compiler.environment, template_args)
+      result = Puppet::Pops::Evaluator::EppEvaluator.epp(compiler.topscope, epp_template_name, compiler.environment, template_args)
+      if result.instance_of?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+        output << result.unwrap
+      else
+        output << result
+      end
     rescue Puppet::ParseError => detail
       Puppet.err("--- #{epp_template_name}") if show_filename
       raise detail

lib/puppet/functions/epp.rb

@@ -40,6 +40,7 @@
     scope_param
     param 'String', :path
     optional_param 'Hash[Pattern[/^\w+$/], Any]', :parameters
+    return_type 'Variant[String, Sensitive[String]]'
   end
 
   def epp(scope, path, parameters = nil)

lib/puppet/functions/inline_epp.rb

@@ -51,6 +51,7 @@
     scope_param()
     param 'String', :template
     optional_param 'Hash[Pattern[/^\w+$/], Any]', :parameters
+    return_type 'Variant[String, Sensitive[String]]'
   end
 
   def inline_epp(scope, template, parameters = nil)

lib/puppet/pops/evaluator/evaluator_impl.rb

@@ -462,10 +462,24 @@ def calculate(left, right, bin_expr, scope)
   end
 
   def eval_EppExpression(o, scope)
+    contains_sensitive = false
+
     scope["@epp"] = []
     evaluate(o.body, scope)
-    result = scope["@epp"].join
-    result
+    result = scope["@epp"].map do |r|
+      if r.instance_of?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+        contains_sensitive = true
+        string(r.unwrap, scope)
+      else
+        r
+      end
+    end.join
+
+    if contains_sensitive
+      Puppet::Pops::Types::PSensitiveType::Sensitive.new(result)
+    else
+      result
+    end
   end
 
   def eval_RenderStringExpression(o, scope)
@@ -474,7 +488,12 @@ def eval_RenderStringExpression(o, scope)
   end
 
   def eval_RenderExpression(o, scope)
-    scope["@epp"] << string(evaluate(o.expr, scope), scope)
+    result = evaluate(o.expr, scope)
+    if result.instance_of?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      scope["@epp"] << result
+    else
+      scope["@epp"] << string(result, scope)
+    end
     nil
   end
 

spec/unit/functions/inline_epp_spec.rb

@@ -1,8 +1,10 @@
-
 require 'spec_helper'
 
+require 'puppet_spec/compiler'
+
 describe "the inline_epp function" do
   include PuppetSpec::Files
+  include PuppetSpec::Compiler
 
   let :node     do Puppet::Node.new('localhost') end
   let :compiler do Puppet::Parser::Compiler.new(node) end
@@ -73,6 +75,28 @@
     expect(eval_template("string was: <%= $string %>")).to eq("string was: the string value")
   end
 
+  context "when using Sensitive" do
+    it "returns an unwrapped sensitive value as a String" do
+      expect(eval_and_collect_notices(<<~END)).to eq(["opensesame"])
+        notice(inline_epp("<%= Sensitive('opensesame').unwrap %>"))
+      END
+    end
+
+    it "rewraps a sensitive value" do
+      expect(eval_and_collect_notices(<<~END)).to eq(["Sensitive [value redacted]"])
+        notice(inline_epp("<%= Sensitive('opensesame') %>"))
+      END
+    end
+
+    it "can be double wrapped" do
+      catalog = compile_to_catalog(<<~END)
+        notify { 'title':
+          message => Sensitive(inline_epp("<%= Sensitive('opensesame') %>"))
+        }
+      END
+      expect(catalog.resource(:notify, 'title')['message']).to eq('opensesame')
+    end
+  end
 
   def eval_template_with_args(content, args_hash)
     epp_function.call(scope, content, args_hash)