Jira (PUP-11846) Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

Nate McCurdy (Jira)

unread,

May 2, 2023, 12:30:02 PM5/2/23

to puppe...@googlegroups.com

Nate McCurdy created an issue

Puppet /

PUP-11846

Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

Issue Type:	Bug
Affects Versions:	PUP 7.24.0
Assignee:	Unassigned
Created:	2023/05/02 9:29 AM
Priority:	Normal
Reporter:	Nate McCurdy

Puppet Version: 7.24.0
Puppet Server Version: n/a
OS Name/Version: n/a

The Problem

Using a Deferred inline_epp() to render Sensitive content while using --no-preprocess_deferred throws the following error message:

Error: Failed to apply catalog: Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

Reproduction

Given this Puppet code:

$cert         = Sensitive('hello')

$intermediate = Sensitive('world')

$chain        = Deferred('inline_epp', ["<%= \$cert %>\n<%= \$intermediate %>\n", {

      'cert'         => $cert,

      'intermediate' => $intermediate,

}])

file { '/tmp/test_chain.pem':

  ensure  => 'file',

  content => $chain,

With Puppet 7.24.0 and the --no-preprocess_deferred option, apply the manifest above:

$ puppet apply test.pp --no-preprocess_deferred

Notice: Compiled catalog for nate in environment production in 0.01 seconds

Error: Failed to apply catalog: Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

Running puppet apply without --no-preprocess_deferred succeeds:

$ puppet apply test.pp

Notice: Compiled catalog for nate in environment production in 0.01 seconds

Notice: /Stage[main]/Main/File[/tmp/test_chain.pem]/ensure: changed [redacted] to [redacted]

Notice: Applied catalog in 0.01 seconds

More Info

I also found that I can fix the problem by not using inline_epp().
If I change the $chain variable to be built with join(), it works:

# This isn't ideal because the file needs a trailing newline, which join() can't do.

$chain = Sensitive(Deferred('join', [[$cert.unwrap, $intermediate.unwrap], "\n"]))

Add Comment

This message was sent by Atlassian Jira (v8.20.11#820011-sha1:0629dd8)

Nate McCurdy (Jira)

unread,

May 2, 2023, 12:32:01 PM5/2/23

to puppe...@googlegroups.com

Nate McCurdy updated an issue

Puppet /

PUP-11846

Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

Change By:	Nate McCurdy

*Puppet Version:* 7.24.0
*Puppet Server Version:* n/a
*OS Name/Version:* n/a

h2. The Problem

Using a {{Deferred}} {{inline_epp()}} to render Sensitive content while using {{--no-preprocess_deferred}} throws the following error message:

{noformat}

Error: Failed to apply catalog: Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

{noformat}

h2. Reproduction

Given this Puppet code:
{code}

$cert         = Sensitive('hello')
$intermediate = Sensitive('world')
$chain        = Deferred('inline_epp', ["<%= \$cert %>\n<%= \$intermediate %>\n", {
      'cert'         => $cert,
      'intermediate' => $intermediate,
}])

file { '/tmp/test_chain.pem':
  ensure  => 'file',
  content => $chain,
}

{code}

With Puppet 7.24.0 and the {{--no-preprocess_deferred}} option, apply the manifest above:

{noformat}

$ puppet apply test.pp --no-preprocess_deferred
Notice: Compiled catalog for nate in environment production in 0.01 seconds
Error: Failed to apply catalog: Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

{noformat}

Running puppet apply without {{--no-preprocess_deferred}} succeeds:

{noformat}

$ puppet apply test.pp
Notice: Compiled catalog for nate in environment production in 0.01 seconds
Notice: /Stage[main]/Main/File[/tmp/test_chain.pem]/ensure: changed [redacted] to [redacted]
Notice: Applied catalog in 0.01 seconds

{noformat}

h2. More Info

I also found that I can fix the problem by not using {{inline_epp()}}.
If I change the {{$chain}} variable to be built with {{join()}}, it works:

{code}

# This isn't ideal because the file needs a trailing newline, which join() can't do.
$chain = Sensitive(Deferred('join', [[$cert.unwrap, $intermediate.unwrap], "\n"]))

{code}

Here's a stack trace from using {{--trace}}:
{noformat}

Error: Failed to apply catalog: Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/checksums.rb:57:in `digest'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/checksums.rb:57:in `hexdigest'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/checksums.rb:57:in `sha256'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type/file/checksum.rb:27:in `sum'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type/file/content.rb:67:in `block (2 levels) in <module:Puppet>'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/parameter.rb:443:in `munge'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/property.rb:551:in `block in should='
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/property.rb:551:in `collect'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/property.rb:551:in `should='
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type/file/content.rb:131:in `should='
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/property.rb:609:in `value='
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:480:in `block in resolve_resource'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:731:in `block in eachparameter'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:731:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:731:in `eachparameter'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:473:in `resolve_resource'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:279:in `eval_resource'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:191:in `call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:191:in `block (2 levels) in evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:567:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/benchmark.rb:308:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:566:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:191:in `block in evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/graph/relationship_graph.rb:122:in `traverse'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:178:in `evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:238:in `block (2 levels) in apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:567:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/benchmark.rb:308:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:566:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:237:in `block in apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/log.rb:165:in `with_destination'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/report.rb:151:in `as_logging_destination'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:236:in `apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:286:in `block (2 levels) in apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:567:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/benchmark.rb:308:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:566:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:285:in `block in apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:245:in `block in benchmark'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/benchmark.rb:308:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:244:in `benchmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:284:in `apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:500:in `run_internal'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:339:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:83:in `block (6 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:289:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:82:in `block (5 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/timeout.rb:95:in `block in timeout'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/timeout.rb:105:in `timeout'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:81:in `block (4 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:21:in `lock'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:71:in `block (3 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:162:in `with_client'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:67:in `block (2 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:127:in `run_in_fork'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:66:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:172:in `controlled_run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:47:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:433:in `onetime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:393:in `block in run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:289:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:390:in `run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:421:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:756:in `exit_on_fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:421:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
/opt/puppetlabs/puppet/bin/puppet:5:in `<main>'
{noformat}

Add Comment

Tony Vu (Jira)

unread,

May 2, 2023, 4:19:02 PM5/2/23

to puppe...@googlegroups.com

Tony Vu updated an issue

Puppet /

PUP-11846

Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

Change By:	Tony Vu
Labels:	needs-validation

Add Comment

Nate McCurdy (Jira)

unread,

May 2, 2023, 4:31:02 PM5/2/23

to puppe...@googlegroups.com

Nate McCurdy updated an issue

Puppet /

PUP-11846

Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

Change By:	Nate McCurdy

*Puppet Version:* 7.24.0
*Puppet Server Version:* n/a
*OS Name/Version:* n/a

h2. The Problem

Using a {{Deferred}} {{inline_epp()}} to render Sensitive content into a {{file}} resource while using {{--no-preprocess_deferred}} throws the following error message:

Add Comment

Trey Dockendorf (Jira)

unread,

May 2, 2023, 5:04:02 PM5/2/23

to puppe...@googlegroups.com

Trey Dockendorf commented on

PUP-11846

Re: Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

We also observed that with "puppet agent" essentially any file with "content" assigned to Deferred function where return value was Sensitive would result in same errors when using "--no-preprocess_deferred". This was ugly hack to get around that:

content => Sensitive(Deferred('unwrap', [$private_key])),

Add Comment

Nate McCurdy (Jira)

unread,

May 2, 2023, 7:31:03 PM5/2/23

to puppe...@googlegroups.com

Nate McCurdy updated an issue

Puppet /

PUP-11846

Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

Change By:	Nate McCurdy

*Puppet Version:* 7.24.0
*Puppet Server Version:* n/a
*OS Name/Version:* n/a

h2. The Problem

Using a {{Deferred}} {{inline_epp()}} to render Sensitive content into a {{file}} resource while using {{--no-preprocess_deferred}} throws the following error message:
{noformat}
Error: Failed to apply catalog: Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String
{noformat}

h2. Reproduction

Given this Puppet code:
{code}
$cert         = Sensitive('hello')
$intermediate = Sensitive('world')
$chain        = Deferred('inline_epp', ["<%= \$cert %>\n<%= \$intermediate %>\n", {
      'cert'         => $cert,
      'intermediate' => $intermediate,
}])

file { '/tmp/ test_chain test . pem txt ':
ensure => 'file',
content => $chain Deferred('new' , [Sensitive, "hello world\n"]),

}
{code}

With Puppet 7.24.0 and the {{--no-preprocess_deferred}} option, apply the manifest above:
{noformat}
$ puppet apply test.pp --no-preprocess_deferred
Notice: Compiled catalog for nate in environment production in 0.01 seconds
Error: Failed to apply catalog: Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String
{noformat}

Running puppet apply without {{--no-preprocess_deferred}} succeeds:
{noformat}
$ puppet apply test.pp
Notice: Compiled catalog for nate in environment production in 0.01 seconds

Notice: /Stage[main]/Main/File[/tmp/ test_chain test . pem txt ]/ensure: changed [redacted] to [redacted]

Notice: Applied catalog in 0.01 seconds
{noformat}

h2. More Info

I also found that I can fix Moving the problem by not using {{inline_epp()}}.
If I change the {{$chain}} variable Sensitive cast to be built with {{join()}}, it works outside of the Deferred type does work :

{code}
# This isn't ideal because the file needs a trailing newline, which join() can { ' t do /tmp/test . txt':
$chain ensure = > 'file',
content => Sensitive(Deferred(' join new ', [ [$cert.unwrap String , $intermediate.unwrap], " hello world \n"])) ,
}
{code}

Here's a stack trace from using {{--trace}} of the error, which shows that it might be an issue with how file checksums are calculated :
{noformat}

Add Comment

Nate McCurdy (Jira)

unread,

May 2, 2023, 7:32:02 PM5/2/23

to puppe...@googlegroups.com

Nate McCurdy commented on

PUP-11846

Re: Munging failed for value #<Sensitive [value redacted]> in class content: no implicit conversion of Puppet::Pops::Types::PSensitiveType::Sensitive into String

I've found an even simpler, more to the point, reproduction case. So I've removed references to inline_epp() in the ticket description since that was apparently a red herring:

file { '/tmp/test.txt':

  ensure  => 'file',

  content => Deferred('new', [Sensitive, "hello world\n"]),

Add Comment

Reply all

Reply to author

Forward