authorMarc A. Paradise <marc.paradise@gmail.com>2021-07-09 12:23:32 -0400
committerMarc A. Paradise <marc.paradise@gmail.com>2021-07-09 13:55:05 -0400
commit2e71f933a256f34735f91892b0db7537cfdbf86a (patch)
treed0a8c6c7dba56d337ce38a4cb34c6000d2864c9c
parent194c2154df8b4f85e00b04e67dc843625631efe6 (diff)
Mark resource blocks containing secrets sensitive
When a resource block contains usage of the secrets DSL, auto-mark that resource sensitive to help reduce the potential for sensitive data to be output to logs/stdout. Signed-off-by: Marc A. Paradise <marc.paradise@gmail.com>
-rw-r--r--lib/chef/dsl/secret.rb6
-rw-r--r--spec/unit/dsl/secret_spec.rb19
2 files changed, 21 insertions, 4 deletions
diff --git a/lib/chef/dsl/secret.rb b/lib/chef/dsl/secret.rb
index 258bb93f14..5bb1cf5c34 100644
--- a/lib/chef/dsl/secret.rb
+++ b/lib/chef/dsl/secret.rb
@@ -25,6 +25,9 @@ class Chef
# and returns the retrieved secret value.
# This DSL providers a wrapper around [Chef::SecretFetcher]
#
+ # Use of the secret helper in the context of a resource block will automatically mark
+ # that resource as 'sensitive', preventing resource data from being logged. See [Chef::Resource#sensitive].
+ #
# @option name [Object] The identifier or name for this secret
# @option service [Symbol] The service identifier for the service that will
# perform the secret lookup
@@ -50,10 +53,9 @@ class Chef
# value = secret(name: "test1", service: "my_aws_east")
# value = secret(name: "test1", service: "my_aws_west", config: { region: "override-region" })
def secret(name: nil, service: nil, config: nil)
+ sensitive(true) if is_a?(Chef::Resource)
Chef::SecretFetcher.for_service(service, config).fetch(name)
end
end
end
end
-
-
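Review bot: The auto-marking on the new `sensitive(true) if is_a?(Chef::Resource)` line is order-dependent: it runs at the moment `secret` is evaluated inside the resource block, so an explicit `sensitive false` written later in the same block overrides it and the resource is reported as before. Since that cannot be prevented without changing how `Chef::Resource#sensitive` is assigned, the doc comment added in the first hunk should say so, e.g. `# An explicit 'sensitive false' set later in the resource block overrides this.` The guard also only fires when self is the resource; a `secret` call made in recipe scope whose return value is then passed into a resource property does not mark that resource, which the same comment could mention. The enclosing `Chef::DSL::Secret` module and the `secret` method's surrounding class start outside the hunk.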
diff --git a/spec/unit/dsl/secret_spec.rb b/spec/unit/dsl/secret_spec.rb
index 280b4f5114..99699b253e 100644
--- a/spec/unit/dsl/secret_spec.rb
+++ b/spec/unit/dsl/secret_spec.rb
@@ -43,8 +43,23 @@ describe Chef::DSL::Secret do
end
it "resolves a secret when using the example fetcher" do
- secret_value = dsl.secret(name: "test1", service: :example,
- config: { "test1" => "secret value" })
+ secret_value = dsl.secret(name: "test1", service: :example, config: { "test1" => "secret value" })
expect(secret_value).to eq "secret value"
end
+
+ context "when used within a resource" do
+ let(:run_context) {
+ Chef::RunContext.new(Chef::Node.new,
+ Chef::CookbookCollection.new(Chef::CookbookLoader.new(File.join(CHEF_SPEC_DATA, "cookbooks"))),
+ Chef::EventDispatch::Dispatcher.new)
+ }
+
+ it "marks that resource as 'sensitive'" do
+ recipe = Chef::Recipe.new("secrets", "test", run_context)
+ recipe.zen_master "secret_test" do
+ peace secret(name: "test1", service: :example, config: { "test1" => true })
+ end
+ expect(run_context.resource_collection.lookup("zen_master[secret_test]").sensitive).to eql(true)
+ end
+ end
end
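Review bot: The new "when used within a resource" context only checks the positive case, so nothing pins the `is_a?(Chef::Resource)` guard from the other side or the ordering of the auto-mark. A second example such as `recipe.zen_master "plain" do peace "x" end` asserting that `sensitive` stays `false`, and one that sets `sensitive false` after the `secret(...)` call to document which value wins, would make a regression in either direction visible. As a point of style, the multi-line `let(:run_context) { ... }` uses braces where RuboCop's default Style/BlockDelimiters expects `do ... end`. The enclosing `describe Chef::DSL::Secret` block starts before the hunk.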