Jira (BOLT-794) Unable to call a task with a Sensitive string
Kate Lopresti updated an issue Puppet Task Runner / BOLT-794 Unable to call a task with a Sensitive string Change By: Kate Lopresti Labels: docs docs-reviewed feature This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-794) Unable to call a task with a Sensitive string
Michael Smith updated an issue Puppet Task Runner / BOLT-794 Unable to call a task with a Sensitive string Change By: Michael Smith Labels: docs
Jira (BOLT-794) Unable to call a task with a Sensitive string
Yasmin Rajabi assigned an issue to Michael Smith Puppet Task Runner / BOLT-794 Unable to call a task with a Sensitive string Change By: Yasmin Rajabi Assignee: Michael Smith
Jira (BOLT-794) Unable to call a task with a Sensitive string
Cas Donoghue updated an issue Puppet Task Runner / BOLT-794 Unable to call a task with a Sensitive string Change By: Cas Donoghue Release Notes Summary: Tasks can define parameters to be "sensitive". Sensitive parameter values will not be logged in plain text by Bolt unless loglevel is set to debug. Release Notes: New Feature
Jira (BOLT-794) Unable to call a task with a Sensitive string
Michael Smith assigned an issue to Alex Dreyer Puppet Task Runner / BOLT-794 Unable to call a task with a Sensitive string Change By: Michael Smith Assignee: Michael Smith Alex Dreyer
Jira (BOLT-794) Unable to call a task with a Sensitive string
Nick Maludy commented on BOLT-794 Re: Unable to call a task with a Sensitive string
Talking with Nick and Alex, I think we want to limit the scope to simply: declare a parameter as sensitive in task metadata via the property "sensitive": true. This would ensure any input for that type is obfuscated in Bolt logs (except when --debug is passed).
Jira (BOLT-794) Unable to call a task with a Sensitive string
Michael Smith commented on BOLT-794 Re: Unable to call a task with a Sensitive string
I don't think we ended up with the behavior we wanted. What I think we want to work is:
* declare a parameter as sensitive in task metadata via the property "sensitive": true. This would ensure any input for that type is obfuscated in Bolt logs. It would accept either input matching the declared type, or input of the declared type wrapped in a call to Sensitive(...).
* for a parameter not marked sensitive in task metadata, accept input of the declared type wrapped in a call to Sensitive(...) and ensure it's obfuscated in Bolt logs. Being wrapped in Sensitive(...) is assumed to obfuscate it in any other plan output as a property of the Puppet language.
* declaring a parameter to have the type Sensitive in metadata would not be allowed, as this wouldn't work with PE.
These properties allow a task author or a plan author to ensure input is obfuscated, without having to modify parts not under their control.
What we ended up with is:
* if a parameter is marked "sensitive": true, then input is obfuscated.
* the type passed must match the type declared in task metadata, so if input is wrapped in a call to Sensitive(...) then the parameter type must also be declared as Sensitive.
Those properties mean that the task and plan authors have to be aligned about whether or not the type is wrapped with Sensitive(...).
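The three properties listed as the goal in the comment above, modelled in Ruby as an added example (not Bolt's code and not taken from the ticket). `SensitiveValue`, `prepare_params`, `METADATA` and the `[redacted]` marker are hypothetical names, and the type check is a plain string match rather than Puppet's type parser.

```ruby
require 'json'

# Stand-in for Puppet's Sensitive wrapper: it marks a value, it does not encrypt it.
class SensitiveValue
  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  # Keep the secret out of string interpolation and inspect output.
  def to_s
    '[redacted]'
  end
  alias inspect to_s
end

# Constructed task metadata using the "sensitive": true property from the comment.
METADATA = JSON.parse(<<~META)
  {
    "parameters": {
      "key":     { "type": "String[1]" },
      "api_key": { "type": "Optional[String]", "sensitive": true },
      "scope":   { "type": "Optional[String]" }
    }
  }
META

# Returns [wire, log]: wire holds the plain values handed to the task,
# log holds the copy that is safe to write to logs.
def prepare_params(metadata, params)
  wire = {}
  log = {}
  params.each do |name, value|
    spec = metadata.fetch('parameters').fetch(name) { raise ArgumentError, "unknown parameter #{name}" }
    # Sensitive is not allowed as a declared type; mark the parameter instead.
    raise ArgumentError, "#{name}: use \"sensitive\": true" if spec['type'].include?('Sensitive')

    wrapped = value.is_a?(SensitiveValue)
    wire[name] = wrapped ? value.unwrap : value
    # Redact if the task author marked it or the plan author wrapped it.
    log[name] = (spec['sensitive'] || wrapped) ? '[redacted]' : value
  end
  [wire, log]
end
```

Either side can force redaction on its own here: the task author through metadata, or the plan author by wrapping the value.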
Jira (BOLT-794) Unable to call a task with a Sensitive string
David Kramer assigned an issue to Michael Smith Puppet Task Runner / BOLT-794 Unable to call a task with a Sensitive string Change By: David Kramer Assignee: Michael Smith
Jira (BOLT-794) Unable to call a task with a Sensitive string
Michael Smith updated an issue Puppet Task Runner / BOLT-794 Unable to call a task with a Sensitive string Change By: Michael Smith Sprint: Bolt Kanban
Jira (BOLT-794) Unable to call a task with a Sensitive string
Michael Smith updated an issue Puppet Task Runner / BOLT-794 Unable to call a task with a Sensitive string Change By: Michael Smith Fix Version/s: BOLT Next
Jira (BOLT-794) Unable to call a task with a Sensitive string
Henrik Lindberg commented on BOLT-794 Re: Unable to call a task with a Sensitive string
As you found, the implementation does not support Rich Data. Then, as you found, Sensitive does not mean that the value is encrypted, it is simply marked as being Sensitive, and it is up to the users of that value to ensure that it is not leaked. There is work in progress on adding an Encrypted data type to Puppet (most likely in Puppet 6). It is also a RichData value. For that to work in Bolt, it needs to support using Rich Data serialization to tasks.
Jira (BOLT-794) Unable to call a task with a Sensitive string
Nick Maludy updated an issue Puppet Task Runner / BOLT-794 Unable to call a task with a Sensitive string Change By: Nick Maludy
From a plan, if I try to call a task that accepts a Sensitive string I get an error.
Plan code:
{code:java}
$res = run_task('st2::key_get', $nodes, key => $st2kv_key, decrypt => true, api_key => Sensitive($api_key))
{code}
Task metadata:
{code:java}
{
  "description": "Retrieve the value for a key from the StackStorm datastore",
  "parameters": {
    "key": {
      "type": "String[1]",
      "description": "Key to get"
    },
    "scope": {
      "type": "Optional[String]",
      "description": "Scope to retrieve the data from. Default = 'system'"
    },
    "decrypt": {
      "type": "Optional[Boolean]",
      "description": "Decrypt secret if encrypted. Default = false"
    },
    "convert": {
      "type": "Optional[Boolean]",
      "description": "Attempt to convert the string into a hash, array, etc by parsing it as JSON. If an error occurs the string data will be returned. Default = true"
    },
    "api_key": {
      "description": "StackStorm API key to use for authentication (prefer this over username/password).",
      "type": "Optional[Sensitive[String]]"
    },
    "auth_token": {
      "description": "StackStorm auth token. Use this if username/password auth has already been established in a previous task and auth token is being passed around.",
      "type": "Optional[Sensitive[String]]"
    },
    "username": {
      "description": "Username to use for StackStorm authentication.",
      "type": "Optional[String]"
    },
    "password": {
      "description": "Password to use for StackStorm authentication.",
      "type": "Optional[Sensitive[String]]"
    }
  },
  "implementations": [
    { "name": "st2_common.py" }
  ]
}
{code}
Error received when running the plan:
{code:java}
{
  "kind": "bolt/pal-error",
  "msg": "Task parameters is not of type Data (file: /opt/encore/puppet/encore_rp/plans/st2kv_env.pp, line: 55)",
  "details": { }
}
{code}
Doing some initial debugging I found: [https://github.com/puppetlabs/bolt/blob/master/bolt-modules/boltlib/lib/puppet/functions/run_task.rb#L122]
This led me here: [https://github.com/puppetlabs/puppet/blob/1d168825ff78722884ae45508b5bfef04de12664/lib/puppet/pops/types/type_factory.rb#L371]
That maps to the following type alias: [https://github.com/puppetlabs/puppet/blob/1d168825ff78722884ae45508b5bfef04de12664/lib/puppet/pops/loader/static_loader.rb#L30]
No Sensitive type is available in the Data type, makes sense why I'm seeing the error now. I tried changing the code in `run_task` to use RichData instead, since that contains Sensitive, but the Sensitive data was never decrypted when sent to the task.
Jira (BOLT-794) Unable to call a task with a Sensitive string
Nick Maludy created an issue Puppet Task Runner / BOLT-794 Unable to call a task with a Sensitive string
Issue Type: Bug
Affects Versions: 0.21.7
Assignee: Unassigned
Created: 2018/08/20 6:18 PM
Priority: Normal
Reporter: Nick Maludy
From a plan, if I try to call a task that accepts a Sensitive string I get an error.
Plan code:
$res = run_task('st2::key_get', $nodes, key => $st2kv_key, decrypt => true, api_key => Sensitive($api_key))
Task metadata: