Jira (PUP-8969) Support interpolation of sensitive values in EPP templates


Josh Cooper (Jira)

Sep 15, 2020, 1:28:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Puppet / Improvement PUP-8969
Support interpolation of sensitive values in EPP templates
Change By: Josh Cooper
Summary (was): Sensitive parameters are not redacted from reports / agent output when used
Summary (now): Support interpolation of sensitive values in EPP templates

Josh Cooper (Jira)

Sep 15, 2020, 1:53:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-8969
 
Re: Support interpolation of sensitive values in EPP templates

I updated the title and submitted a PR with those changes (it still needs tests). Allowing `epp` and `inline_epp` to return `Sensitive` seems backwards compatible, as the caller can wrap the return value with `Sensitive` and the result doesn't get double wrapped. But there may be other cases to consider?

Henrik Lindberg (Jira)

Sep 18, 2020, 4:22:04 AM
to puppe...@googlegroups.com

I don't think that problem can be resolved with some kind of general implementation as that would mean unwrapping arguments to calls and rewrapping them for every function call. OTOH, you kind of want it to break as that signals "hey, you need to deal with the fact this is a Sensitive value".

The other approach is naturally to add support for operating on Sensitive to every function. For some functions that would not be hard to do, but for others with complex dispatches it becomes difficult and would necessitate a feature allowing "re-dispatch" after unwrapping. I don't think that is worth the effort!

Josh Cooper (Jira)

Oct 8, 2020, 6:54:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-8969

Currently, if an epp template contains a sensitive value that is not explicitly unwrapped, then the redacted value is part of the rendered output. Is there ever a case where the user actually wants that, for example?

$ bx puppet apply -e 'notice(inline_epp("This string should be redacted: <%= Sensitive.new(\"sesame\") %>"))'
Notice: Scope(Class[main]): This string should be redacted: Sensitive [value redacted]

Reid Vandewiele, Charlie Sharpsteen, Gene Liverman do you have thoughts about this? Have you ever seen a situation where someone wants to render an epp template and they want the output to contain output like above? My inclination is that it's a bug and they forgot to call Sensitive.new("sesame").unwrap in the template.

If we need to preserve the behavior, then we could either 1) add an optional parameter to epp, inline_epp to control if the output is rewrapped or 2) make this change in Puppet 7. I'm not 100% sure the first option is feasible given epp already takes an optional hash of parameters, and the function would need to accept another optional argument, but maybe that is possible following the lookup_1, lookup_2, etc example.

Reid Vandewiele (Jira)

Oct 9, 2020, 1:49:04 PM
to puppe...@googlegroups.com

Josh Cooper I have never seen a situation where in a template or epp the customer wanted the string "** REDACTED **" (or whatever) to be displayed.

I've frequently seen people accidentally do it, and then have to thrash around for awhile trying to figure out that they need to call .unwrap().

Josh Cooper (Jira)

Oct 12, 2020, 7:21:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-8969

I have never seen a situation where in a template or epp the customer wanted the string "** REDACTED **"

That was my feeling as well. And this PR should eliminate the "thrash around for awhile" part since the "file resource whose content is a templated configuration file containing secrets" use case will just work.
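An added example manifest for the use case named above (this is illustration written for this page, not code from the Jira thread or from Puppet itself). It assumes a Sensitive value in a hypothetical `$db_password` variable, constructed template text, and hypothetical file paths; it shows the legacy unwrap-and-rewrap pattern next to the pattern that works once `inline_epp` returns `Sensitive`, plus a check that catches the forgotten `.unwrap` case without logging the secret:

```puppet
# Added example (not from the Jira thread or Puppet's own code). Shows the
# "file resource whose content is a templated config file containing a
# secret" case. The paths, the $db_password value and the template text
# are constructed for this example.

$db_password = Sensitive('opensesame')

# Legacy pattern: unwrap inside the template so the real value is rendered,
# then rewrap the whole rendered string so the file's content stays Sensitive
# and the agent report shows "[redacted]" instead of the file diff.
# @(END) without quotes is a non-interpolating heredoc, so "$db_password"
# reaches the EPP parser literally.
$legacy_template = @(END)
  [database]
  user     = app
  password = <%= $db_password.unwrap %>
  | END

file { '/etc/app/db.conf.legacy':
  ensure  => file,
  owner   => 'root',
  mode    => '0600',
  content => Sensitive(inline_epp($legacy_template, { 'db_password' => $db_password })),
}

# With PUP-8969 in place, interpolating the Sensitive value directly makes
# inline_epp (and epp) return a Sensitive String, so no manual rewrap is
# needed and a forgotten .unwrap no longer writes the literal text
# "Sensitive [value redacted]" into the managed file.
$template = @(END)
  [database]
  user     = app
  password = <%= $db_password %>
  | END

$rendered = inline_epp($template, { 'db_password' => $db_password })

file { '/etc/app/db.conf':
  ensure  => file,
  owner   => 'root',
  mode    => '0600',
  content => $rendered,
}

# Sanity check that can stay in a manifest: confirm the rendered content is
# wrapped before it reaches a resource, without ever logging the secret.
# On a Puppet that predates this change, $rendered is a plain String holding
# "Sensitive [value redacted]" and the catalog compile fails here instead of
# silently managing a broken file.
if $rendered =~ Sensitive {
  notice('db.conf content is Sensitive; agent output and reports will redact it')
} else {
  fail('db.conf content is a plain String; check the template and Puppet version')
}

# Note: the ERB-based template() function is not covered by this change and
# still returns a plain String, so it needs the legacy Sensitive(...) wrap.
```

The `=~ Sensitive` check is the practical test for which behaviour a given Puppet version gives you; keeping the resource title distinct for the legacy variant is only to avoid a duplicate declaration in one manifest, and in real code you would pick one pattern.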

Josh Cooper (Jira)

Oct 20, 2020, 7:42:03 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Oct 20, 2020, 7:50:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes: Enhancement
Release Notes Summary: Previously, if you interpolated a sensitive value in a template, then you were required to unwrap the sensitive value and rewrap the result:

Sensitive(inline_epp("Password is <%= Sensitive('opensesame').unwrap %>"))

Now the `epp` and `inline_epp` functions automatically return a Sensitive value if any interpolated variables are sensitive. So now you can simply do:

inline_epp("Password is <%= Sensitive('opensesame') %>")

Josh Cooper (Jira)

Oct 20, 2020, 7:53:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Platform Core KANBAN

Josh Cooper (Jira)

Oct 22, 2020, 2:19:04 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Oct 22, 2020, 2:20:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes Summary:
Previously, if you interpolated a sensitive value in a template, then you were required to unwrap the sensitive value and rewrap the result:

Sensitive(inline_epp("Password is <%= Sensitive('opensesame').unwrap %>"))

Now the `epp` and `inline_epp` functions automatically return a Sensitive value if any interpolated variables are sensitive. So now you can simply do:

inline_epp("Password is <%= Sensitive('opensesame') %>")


Note this only applies to EPP templates, not ERB templates.

Josh Cooper (Jira)

Oct 26, 2020, 11:19:05 PM
to puppe...@googlegroups.com

Claire Cadman (Jira)

Nov 10, 2020, 5:38:03 AM
to puppe...@googlegroups.com