Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Claire Cadman updated an issue
Puppet / PUP-8969 Support interpolation of sensitive values in EPP templates
Change By: Claire Cadman
Labels: doc_reviewed

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.262922.1530114614000.75570.1605004680026%40Atlassian.JIRA.
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Josh Cooper commented on PUP-8969
Re: Support interpolation of sensitive values in EPP templates

Passed CI in de3c3a8d74
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Josh Cooper updated an issue
Puppet / PUP-8969 Support interpolation of sensitive values in EPP templates
Change By: Josh Cooper
Release Notes Summary:

Previously, if you interpolated a sensitive value in a template, then you were required to unwrap the sensitive value and rewrap the result:

    Sensitive(inline_epp("Password is <%= Sensitive('opensesame').unwrap %>"))

Now the `epp` and `inline_epp` functions automatically return a Sensitive value if any interpolated variables are sensitive. So now you can simply do:

    inline_epp("Password is <%= Sensitive('opensesame') %>")

Note this only applies to EPP templates, not ERB templates.
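The use case this ticket targets, a file resource whose content is a templated configuration file containing a secret, written both ways as an added example (not code from the ticket or from the Puppet project). The file paths, template text and variable names are assumptions; the password is the sample value from the release note.

```puppet
# Constructed sample secret; in practice this would come from a
# Sensitive-typed class parameter or a lookup.
$db_password = Sensitive('opensesame')

# Constructed template text (assumption, for illustration only).
$template = @(EOT)
  [database]
  user = <%= $user %>
  password = <%= $password %>
  | EOT

# Before the change: the secret has to be unwrapped so the template
# renders the real value, and the rendered string rewrapped by hand.
# Forgetting the unwrap writes the redaction placeholder into the file;
# forgetting the outer Sensitive() leaves the rendered secret as a
# plain String.
file { '/tmp/app-before.conf':
  ensure  => file,
  mode    => '0600',
  content => Sensitive(inline_epp($template, {
    'user'     => 'app',
    'password' => $db_password.unwrap,
  })),
}

# After the change: the Sensitive value is passed straight through.
# inline_epp interpolates the real value and returns the whole rendered
# result as Sensitive because one interpolated variable was Sensitive.
file { '/tmp/app-after.conf':
  ensure  => file,
  mode    => '0600',
  content => inline_epp($template, {
    'user'     => 'app',
    'password' => $db_password,
  }),
}
```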
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Josh Cooper commented on PUP-8969
Re: Support interpolation of sensitive values in EPP templates

Merged to master in https://github.com/puppetlabs/puppet/commit/729ad1867faa278a398bf45db95cbedf63d32e10
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Josh Cooper updated an issue
Puppet / PUP-8969 Support interpolation of sensitive values in EPP templates
Change By: Josh Cooper
Sprint: Platform Core KANBAN
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Josh Cooper updated an issue
Puppet / PUP-8969 Support interpolation of sensitive values in EPP templates
Change By: Josh Cooper
Release Notes: Enhancement
Release Notes Summary:

Previously, if you interpolated a sensitive value in a template, then you were required to unwrap the sensitive value and rewrap the result:

    Sensitive(inline_epp("Password is <%= Sensitive('opensesame').unwrap %>"))

Now the `epp` and `inline_epp` functions automatically return a Sensitive value if any interpolated variables are sensitive. So now you can simply do:

    inline_epp("Password is <%= Sensitive('opensesame') %>")
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Josh Cooper updated an issue
Puppet / PUP-8969 Support interpolation of sensitive values in EPP templates
Change By: Josh Cooper
Fix Version/s: PUP 6.20.0
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Josh Cooper commented on PUP-8969
Re: Support interpolation of sensitive values in EPP templates

> I have never seen a situation where in a template or epp the customer wanted the string "** REDACTED **"

That was my feeling as well. And this PR should eliminate the "thrash around for awhile" part since the "file resource whose content is a templated configuration file containing secrets" use case will just work.
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Reid Vandewiele commented on PUP-8969
Re: Support interpolation of sensitive values in EPP templates

Josh Cooper I have never seen a situation where in a template or epp the customer wanted the string "** REDACTED **" (or whatever) to be displayed. I've frequently seen people accidentally do it, and then have to thrash around for awhile trying to figure out that they need to call .unwrap().
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Josh Cooper commented on PUP-8969
Re: Support interpolation of sensitive values in EPP templates

Currently, if an epp template contains a sensitive value that is not explicitly unwrapped, then the redacted value is part of the rendered output. Is there ever a case where the user actually wants that, for example?

    $ bx puppet apply -e 'notice(inline_epp("This string should be redacted: <%= Sensitive.new(\"sesame\") %>"))'
    Notice: Scope(Class[main]): This string should be redacted: Sensitive [value redacted]

Reid Vandewiele, Charlie Sharpsteen, Gene Liverman do you have thoughts about this? Have you ever seen a situation where someone wants to render an epp template and they want the output to contain output like above? My inclination is that it's a bug and they forgot to call Sensitive.new("sesame").unwrap in the template.

If we need to preserve the behavior, then we could either 1) add an optional parameter to epp, inline_epp to control if the output is rewrapped or 2) make this change in Puppet 7. I'm not 100% sure the first option is feasible given epp already takes an optional hash of parameters, and the function would need to accept another optional argument, but maybe that is possible following the lookup_1, lookup_2, etc example.
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Henrik Lindberg commented on PUP-8969
Re: Support interpolation of sensitive values in EPP templates

I don't think that problem can be resolved with some kind of general implementation as that would mean unwrapping arguments to calls and rewrapping them for every function call. OTOH, you kind of want it to break as that signals "hey, you need to deal with the fact this is a Sensitive value". The other approach is naturally to add support for operating on Sensitive to every function. For some functions that would not be hard to do, but for others with complex dispatches it becomes difficult and would necessitate a feature allowing "re-dispatch" after unwrapping. I don't think that is worth the effort!
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Josh Cooper commented on PUP-8969
Re: Support interpolation of sensitive values in EPP templates

I updated the title and submitted a PR with those changes (it still needs tests). Allowing `epp` and `inline_epp` to return `Sensitive` seems backwards compatible, as the caller can wrap the return value with `Sensitive` and the result doesn't get double wrapped. But there may be other cases to consider?
Jira (PUP-8969) Support interpolation of sensitive values in EPP templates
Josh Cooper updated an issue
Puppet / PUP-8969 Support interpolation of sensitive values in EPP templates
Change By: Josh Cooper
Summary: Sensitive parameters are not redacted from reports / agent output when used Support interpolation of sensitive values in EPP templates