On Wed, Sep 9, 2020 at 11:16 PM 'Dirk Heinrichs' via Puppet Users <puppet-users@googlegroups.com> wrote:

> On Wednesday, 09.09.2020, 08:59 -0700, Josh Cooper wrote:
>
>> The issue you're running into is due to the sensitive value being
>> interpolated:
>>
>>     content => "${foo}\n"
>>
>> If you reference the Sensitive variable directly, then it will work as
>> expected:
>>
>>     content => $foo
>
> OK, thanks a lot. But then I'd lose the trailing "\n".

To interpolate sensitive values, you currently have to unwrap the sensitive value, interpolate the value, and then rewrap as sensitive:

    $var = Sensitive('a')
    $var2 = Sensitive("${var.unwrap}\n")
    file { '/tmp/sensitive.txt':
      ensure => file,
      content => $var2
    }

> And it's also quite counterintuitive, isn't it?

Yes, I agree the current behavior is surprising and not easy to work with, which is why I filed PUP-10092 :)

> Think "exec", where it's sometimes needed to provide a password as part of
> the command. One would have to define $password as String instead of
> Sensitive and then wrap the whole command in a Sensitive() call (as Mattias
> suggested).

Note the `exec` resource specifically treats the entire command/unless/onlyif parameters as sensitive, so those values don't accidentally end up in logs and reports. Also note this capability is available for any provider by passing `sensitive: true` to Puppet::Util::Execution.execute <https://github.com/puppetlabs/puppet/blob/6.18.0/lib/puppet/util/execution.rb#L159>.

>> This issue and some possible solutions have been discussed in
>> https://tickets.puppetlabs.com/browse/PUP-10092.
>> For example, Henrik suggested a `rewrap` function
>> https://tickets.puppetlabs.com/browse/PUP-10093.
>
> Reg. the solution(s) discussed in there: Wouldn't the addition of a string
> concatenation operator (+) solve the problem right away (to make it content
> => $foo + "\n")?

That might work, but is a bit magic and may not work if the order is reversed (as each type would need to account for concatenation with a sensitive):

    content => "prefix" + $foo

I'm not sure if it's feasible for puppet to cast the "prefix" string to a sensitive so it can be concatenated with foo. Which I think is why Henrik was suggesting the "rewrap" function. That way it's explicit and it works regardless of argument order. Also it would handle hashes/arrays.

Josh

--
Josh Cooper | Software Engineer
j...@puppet.com
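
The unwrap, interpolate, rewrap pattern from the message above can be kept in one place with a small Puppet-language function. This is an added example, not code from the thread or from Puppet itself; the function name `sensitive_format`, the sample password, the second file path and the `example-tool` command are hypothetical.

```puppet
# Hypothetical helper (added example, not part of Puppet or of the thread).
# The secret is unwrapped only inside the function body and the formatted
# result is rewrapped before it is returned, so callers only ever hold
# Sensitive values. The format string decides where the secret lands, so
# prefix and suffix cases behave the same way.
function sensitive_format(String $format, Sensitive[String] $secret) >> Sensitive[String] {
  Sensitive(sprintf($format, $secret.unwrap))
}

# Constructed sample value; a real manifest would get this from a secret lookup.
$password = Sensitive('example-password')

# Suffix case from the thread: keep the trailing newline.
file { '/tmp/sensitive.txt':
  ensure  => file,
  content => sensitive_format("%s\n", $password),
}

# Prefix case, the order that the proposed "+" operator might not handle.
file { '/tmp/sensitive-prefixed.txt':
  ensure  => file,
  content => sensitive_format("password=%s\n", $password),
}

# exec case: the whole command is a single Sensitive value, so $password
# never has to be declared as a plain String. The tool path is a placeholder.
exec { 'set-example-password':
  command => sensitive_format('/usr/local/bin/example-tool --password %s', $password),
  path    => ['/usr/bin', '/bin'],
}
```

Keeping the command Sensitive protects Puppet's logs and reports; a secret passed as a command-line argument is still visible in the process list on the node while the command runs.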