On Wed, Sep 9, 2020 at 11:16 PM 'Dirk Heinrichs' via Puppet Users <
[email protected]> wrote:
> On Wednesday, 09.09.2020, at 08:59 -0700, Josh Cooper wrote:
>
> The issue you're running into is due to the sensitive value being
> interpolated:
>
> content => "${foo}\n"
>
> If you reference the Sensitive variable directly, then it will work as
> expected:
>
> content => $foo
>
>
> OK, thanks a lot. But then I'd lose the trailing "\n".
>
To interpolate sensitive values, you currently have to unwrap the sensitive
value, interpolate the value, and then rewrap as sensitive:

    $var = Sensitive('a')
    $var2 = Sensitive("${var.unwrap}\n")
    file { '/tmp/sensitive.txt':
      ensure  => file,
      content => $var2
    }

> And it's also quite counterintuitive, isn't it?
>
Yes, I agree the current behavior is surprising and not easy to work with,
which is why I filed PUP-10092 :)
> Think "exec", where it's sometimes needed to provide a password as part of
> the command. One would have to define $password as String instead of
> Sensitive and then wrap the whole command in a Sensitive() call (as Mattias
> suggested).
>
Note the `exec` resource specifically treats the entire
command/unless/onlyif parameters as sensitive, so those values don't
accidentally end up in logs and reports. Also note this capability is
available for any provider by passing `sensitive: true` to
Puppet::Util::Execution.execute
<https://github.com/puppetlabs/puppet/blob/6.18.0/lib/puppet/util/execution.rb#L159>.
>
> This issue and some possible solutions have been discussed in
> https://tickets.puppetlabs.com/browse/PUP-10092.
> For example, Henrik suggested a `rewrap` function
> https://tickets.puppetlabs.com/browse/PUP-10093.
>
>
> Reg. the solution(s) discussed in there: Wouldn't the addition of a string
> concatenation operator (+) solve the problem right away (to make it content
> => $foo + "\n")?
>
That might work, but is a bit magic and may not work if the order is
reversed (as each type would need to account for concatenation with a
sensitive):

    content => "prefix" + $foo

I'm not sure if it's feasible for puppet to cast the "prefix" string to a
sensitive so it can be concatenated with foo. Which I think is why Henrik
was suggesting the "rewrap" function. That way it's explicit and it works
regardless of argument order. Also it would handle hashes/arrays.
Josh
--
Josh Cooper | Software Engineer
[email protected]
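
The unwrap, interpolate, rewrap pattern from the reply above, applied to a file with a trailing newline and to an exec that takes a password in its command. This is an added example, not part of the original message; the paths, resource titles, command names and the secret value are constructed for illustration.

```puppet
# Constructed sample secret; in practice the value would already arrive
# wrapped as Sensitive (for example from a lookup), not as a literal.
$db_password = Sensitive('constructed-example-secret')

# File content: "${db_password}\n" would interpolate the Sensitive object
# itself, which is the problem discussed in this thread. Unwrap inside the
# string and rewrap the result so the newline is kept and the value stays
# Sensitive.
$pgpass_line = Sensitive("localhost:5432:appdb:app:${db_password.unwrap}\n")

file { '/tmp/example.pgpass':
  ensure  => file,
  mode    => '0600',
  content => $pgpass_line,
}

# exec: keep $db_password as Sensitive and wrap each complete command
# string, so command and unless are handled as sensitive values.
# /usr/local/bin/example-* are hypothetical commands.
$set_cmd   = Sensitive("/usr/local/bin/example-set-password app ${db_password.unwrap}")
$check_cmd = Sensitive("/usr/local/bin/example-check-password app ${db_password.unwrap}")

exec { 'example-set-password':
  command => $set_cmd,
  unless  => $check_cmd,
}

# Wrapping only affects what Puppet records; a password passed as a command
# argument is still visible in the process list while the command runs.
```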