(MODULES-8856) Redact debug #104
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
These changes have passed in AdHoc. |
michaeltlombardi
changed the title
Iristyle
suggested changes
Apr 12, 2019
Prior to this commit the provider would output the full PowerShell log to be executed during debug runs. This was to ensure that we could verify exactly what would be executed. However, this also meant that credentials and other secrets could leak into the debug output, and thus also into PuppetDB logs. This commit modifies the provider and a helper to inject a PowerShell comment after a secret as `# PuppetSensitive`. This does not interfere with passing the data to PowerShell, but does allow us to redact the sensitive information using a regex matcher prior to emitting via debug logging. That redaction is handled by a new class method on the provider called `redact_content`. This commit also includes updated spec tests to verify that sensitive data, when present, can be both unwrapped *and* redacted prior to being emitted.
Iristyle
approved these changes
Apr 12, 2019
|
👍 This seems like a far less intrusive approach that will scale better should we add additional formatting logic, etc |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Prior to this commit the provider would output the full Powershell log to be executed during debug runs. This is to ensure that we can verify exactly what will be executed. However, this also meant that credentials and other secrets could leak into the debug output, and thus also into PuppetDB logs.
This commit modifies the provider, ERB templates, and a helper file to ensure that methods for formatting Puppet data to be PowerShell compliant are able to take a new parameter,
redact.Passing this parameter will cause the script builder to redact any sensitive data it is passed. This flag is forwarded along through several helpers. This implementation allows us to reuse the code for interpolating the correct values into the PowerShell script for the actual execution and for the debug messaging.
There is possibly a better implementation for this change.
This commit also includes updated spec and integration tests to verify the behavior when choosing to redact sensitive values.