Sensitive[T] types
74 views
Skip to first unread message
R.I.Pienaar
Aug 30, 2016, 9:15:23 AM8/30/16
to puppet-dev
hello,
I've been trying to figure out what these Sensitive types are all about based on https://github.com/puppetlabs/puppet-specifications/blob/master/language/types_values_variables.md#sensitivet
Best I can tell there isn't yet docs on docs.puppet.com for these
First I don't actually find usable examples in the spec docs, like what is it for? Whats a typical use case here?
The most basic example works:
$secret = Sensitive(42)
$processed = $secret.unwrap |$sensitive| { $sensitive * 2 }
notice $secret
notice $processed
This gives:
Notice: Scope(Class[main]): Sensitive [value redacted]
Notice: Scope(Class[main]): 84
Now I guess you want to be able to pass the sensitive one into a class, and it should not automatically unwrap but remain sensitive:
class x(Sensitive $foo) {
notice($foo)
}
class{"x": foo => Sensitive("bar")}
This fails:
Error: Evaluation Error: Error while evaluating a Resource Statement, Class[X]: parameter 'foo' expects a Sensitive value, got String
Changing the "Sensitive $foo" to "Sensitive[String] $foo" as well:
Error: Evaluation Error: Error while evaluating a Resource Statement, Class[X]: parameter 'foo' expects a Sensitive value, got String
Yes if I do:
notice(type_of(Sensitive("bar")))
I get "Sensitive[String]" so surely it should be passable into the class
Ok, so this is where it gets really weird, the docs says:
There is no automatic unwrapping of sensitive values. As a consequence
it is not possible to perform operations on sensitive values other than
interpolating it as a String. When such interpolation takes place, the
value is shown as "[redacted]".
So ok, we have to specifically do like $foo.unwrap, but here's the really weird thing, once I
failed to pass a Sensitive type into the class I decided to do this:
class x(String $foo) {
notice("Value of \$foo: ${foo}")
notice("Size of \$foo: ${foo.size}")
notify{$foo: }
}
$x = Sensitive("bar")
notice("Type of \$x: ${type_of($x)}")
notice("Value of \$x: ${x}")
class{"x":
foo => $x
}
This gives me:
Notice: Scope(Class[main]): Type of $x: Sensitive[String]
Notice: Scope(Class[main]): Value of $x: Sensitive [value redacted]
Notice: Scope(Class[X]): Value of $foo: bar
Notice: Scope(Class[X]): Size of $foo: 3
Notice: Compiled catalog for dev3.devco.net in environment production in 0.13 seconds
Error: /X: Unable to mark 'foo' as sensitive: the property itself is not defined on component.
Notice: bar
Notice: /Stage[main]/X/Notify[bar]/message: defined 'message' as 'bar'
So here it gets unwrapped automatically by just passing the Sensitive[String] into a variable
of String on a class? Does not seem like this is intended behaviour, and basically I have not been
able to do anything useful with these
Whats the intended purpose and how do you use this?
---
R.I.Pienaar
I've been trying to figure out what these Sensitive types are all about based on https://github.com/puppetlabs/puppet-specifications/blob/master/language/types_values_variables.md#sensitivet
Best I can tell there isn't yet docs on docs.puppet.com for these
First I don't actually find usable examples in the spec docs, like what is it for? Whats a typical use case here?
The most basic example works:
$secret = Sensitive(42)
$processed = $secret.unwrap |$sensitive| { $sensitive * 2 }
notice $secret
notice $processed
This gives:
Notice: Scope(Class[main]): Sensitive [value redacted]
Notice: Scope(Class[main]): 84
Now I guess you want to be able to pass the sensitive one into a class, and it should not automatically unwrap but remain sensitive:
class x(Sensitive $foo) {
notice($foo)
}
class{"x": foo => Sensitive("bar")}
This fails:
Error: Evaluation Error: Error while evaluating a Resource Statement, Class[X]: parameter 'foo' expects a Sensitive value, got String
Changing the "Sensitive $foo" to "Sensitive[String] $foo" as well:
Error: Evaluation Error: Error while evaluating a Resource Statement, Class[X]: parameter 'foo' expects a Sensitive value, got String
Yes if I do:
notice(type_of(Sensitive("bar")))
I get "Sensitive[String]" so surely it should be passable into the class
Ok, so this is where it gets really weird, the docs says:
There is no automatic unwrapping of sensitive values. As a consequence
it is not possible to perform operations on sensitive values other than
interpolating it as a String. When such interpolation takes place, the
value is shown as "[redacted]".
So ok, we have to specifically do like $foo.unwrap, but here's the really weird thing, once I
failed to pass a Sensitive type into the class I decided to do this:
class x(String $foo) {
notice("Value of \$foo: ${foo}")
notice("Size of \$foo: ${foo.size}")
notify{$foo: }
}
$x = Sensitive("bar")
notice("Type of \$x: ${type_of($x)}")
notice("Value of \$x: ${x}")
class{"x":
foo => $x
}
This gives me:
Notice: Scope(Class[main]): Type of $x: Sensitive[String]
Notice: Scope(Class[main]): Value of $x: Sensitive [value redacted]
Notice: Scope(Class[X]): Value of $foo: bar
Notice: Scope(Class[X]): Size of $foo: 3
Notice: Compiled catalog for dev3.devco.net in environment production in 0.13 seconds
Error: /X: Unable to mark 'foo' as sensitive: the property itself is not defined on component.
Notice: bar
Notice: /Stage[main]/X/Notify[bar]/message: defined 'message' as 'bar'
So here it gets unwrapped automatically by just passing the Sensitive[String] into a variable
of String on a class? Does not seem like this is intended behaviour, and basically I have not been
able to do anything useful with these
Whats the intended purpose and how do you use this?
---
R.I.Pienaar
Henrik Lindberg
Aug 30, 2016, 7:15:12 PM8/30/16
to puppe...@googlegroups.com
On 30/08/16 15:15, R.I.Pienaar wrote:
> hello,
>
> I've been trying to figure out what these Sensitive types are all about based on https://github.com/puppetlabs/puppet-specifications/blob/master/language/types_values_variables.md#sensitivet
> Best I can tell there isn't yet docs on docs.puppet.com for these
>
> First I don't actually find usable examples in the spec docs, like what is it for? Whats a typical use case here?
>
> The most basic example works:
>
> $secret = Sensitive(42)
> $processed = $secret.unwrap |$sensitive| { $sensitive * 2 }
> notice $secret
> notice $processed
>
> This gives:
>
> Notice: Scope(Class[main]): Sensitive [value redacted]
> Notice: Scope(Class[main]): 84
>
> Now I guess you want to be able to pass the sensitive one into a class, and it should not automatically unwrap but remain sensitive:
>
> class x(Sensitive $foo) {
> notice($foo)
> }
>
> class{"x": foo => Sensitive("bar")}
>
> This fails:
>
> Error: Evaluation Error: Error while evaluating a Resource Statement, Class[X]: parameter 'foo' expects a Sensitive value, got String
>
> Changing the "Sensitive $foo" to "Sensitive[String] $foo" as well:
>
> Error: Evaluation Error: Error while evaluating a Resource Statement, Class[X]: parameter 'foo' expects a Sensitive value, got String
>
> Yes if I do:
>
> notice(type_of(Sensitive("bar")))
>
> I get "Sensitive[String]" so surely it should be passable into the class
>
You found a bug. PUP-6662 was logged earlier today and progress have
> hello,
>
> I've been trying to figure out what these Sensitive types are all about based on https://github.com/puppetlabs/puppet-specifications/blob/master/language/types_values_variables.md#sensitivet
> Best I can tell there isn't yet docs on docs.puppet.com for these
>
> First I don't actually find usable examples in the spec docs, like what is it for? Whats a typical use case here?
>
> The most basic example works:
>
> $secret = Sensitive(42)
> $processed = $secret.unwrap |$sensitive| { $sensitive * 2 }
> notice $secret
> notice $processed
>
> This gives:
>
> Notice: Scope(Class[main]): Sensitive [value redacted]
> Notice: Scope(Class[main]): 84
>
> Now I guess you want to be able to pass the sensitive one into a class, and it should not automatically unwrap but remain sensitive:
>
> class x(Sensitive $foo) {
> notice($foo)
> }
>
> class{"x": foo => Sensitive("bar")}
>
> This fails:
>
> Error: Evaluation Error: Error while evaluating a Resource Statement, Class[X]: parameter 'foo' expects a Sensitive value, got String
>
> Changing the "Sensitive $foo" to "Sensitive[String] $foo" as well:
>
> Error: Evaluation Error: Error while evaluating a Resource Statement, Class[X]: parameter 'foo' expects a Sensitive value, got String
>
> Yes if I do:
>
> notice(type_of(Sensitive("bar")))
>
> I get "Sensitive[String]" so surely it should be passable into the class
>
been made on fixing this. Expect to be able to get this in to Puppet
4.6.2, but it is tight.
Basically, before PUP-6662 is fixed it is only possible to use Sensitive
values directly in native resources.
- henrik
Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
Reply all
Reply to author
Forward
0 new messages