author | Tim Smith <tsmith@chef.io> | 2021-07-09 14:41:45 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-09 14:41:45 -0700 |
commit | 45ad38a1a95842e98dd4a5ad79600f9209f0b5b0 (patch) | |
tree | d0a8c6c7dba56d337ce38a4cb34c6000d2864c9c | |
parent | 194c2154df8b4f85e00b04e67dc843625631efe6 (diff) | |
parent | 2e71f933a256f34735f91892b0db7537cfdbf86a (diff) | |
Merge pull request #11798 from chef/mp/auto-sensitive-in-secret-dsl
Mark resource blocks containing secrets sensitive
-rw-r--r-- | lib/chef/dsl/secret.rb | 6 | ||||
-rw-r--r-- | spec/unit/dsl/secret_spec.rb | 19 |
2 files changed, 21 insertions, 4 deletions
diff --git a/lib/chef/dsl/secret.rb b/lib/chef/dsl/secret.rb
index 258bb93f14..5bb1cf5c34 100644
--- a/lib/chef/dsl/secret.rb
+++ b/lib/chef/dsl/secret.rb
@@ -25,6 +25,9 @@ class Chef
       # and returns the retrieved secret value.
       # This DSL providers a wrapper around [Chef::SecretFetcher]
       #
+      # Use of the secret helper in the context of a resource block will automatically mark
+      # that resource as 'sensitive', preventing resource data from being logged. See [Chef::Resource#sensitive].
+      #
       # @option name [Object] The identifier or name for this secret
       # @option service [Symbol] The service identifier for the service that will
       # perform the secret lookup
@@ -50,10 +53,9 @@ class Chef
       # value = secret(name: "test1", service: "my_aws_east")
       # value = secret(name: "test1", service: "my_aws_west", config: { region: "override-region" })
       def secret(name: nil, service: nil, config: nil)
+        sensitive(true) if is_a?(Chef::Resource)
         Chef::SecretFetcher.for_service(service, config).fetch(name)
       end
     end
   end
 end
-
-
diff --git a/spec/unit/dsl/secret_spec.rb b/spec/unit/dsl/secret_spec.rb
index 280b4f5114..99699b253e 100644
--- a/spec/unit/dsl/secret_spec.rb
+++ b/spec/unit/dsl/secret_spec.rb
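Review bot: `sensitive(true) if is_a?(Chef::Resource)` in the second hunk only protects the resource whose block evaluates the helper; a value fetched in a recipe body (where self is the recipe, not a resource) and later handed to a resource property is still logged unless the author sets the flag on that resource, yet the new doc paragraph in the first hunk reads as if every use is covered. Suggest extending that paragraph with a line such as `# Secrets fetched outside a resource block (e.g. assigned to a variable in a recipe and passed to a resource later) are not auto-marked; set sensitive true on the consuming resource yourself.` It is also worth stating there that the flag is applied at the point of the call, so a later `sensitive false` in the same block still wins, which makes this a default rather than a guarantee. Unrelated to the change but adjacent: the context line "This DSL providers a wrapper" should read "provides".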
@@ -43,8 +43,23 @@ describe Chef::DSL::Secret do
   end
 
   it "resolves a secret when using the example fetcher" do
-    secret_value = dsl.secret(name: "test1", service: :example,
-                              config: { "test1" => "secret value" })
+    secret_value = dsl.secret(name: "test1", service: :example, config: { "test1" => "secret value" })
     expect(secret_value).to eq "secret value"
   end
+
+  context "when used within a resource" do
+    let(:run_context) {
+      Chef::RunContext.new(Chef::Node.new,
+                           Chef::CookbookCollection.new(Chef::CookbookLoader.new(File.join(CHEF_SPEC_DATA, "cookbooks"))),
+                           Chef::EventDispatch::Dispatcher.new)
+    }
+
+    it "marks that resource as 'sensitive'" do
+      recipe = Chef::Recipe.new("secrets", "test", run_context)
+      recipe.zen_master "secret_test" do
+        peace secret(name: "test1", service: :example, config: { "test1" => true })
+      end
+      expect(run_context.resource_collection.lookup("zen_master[secret_test]").sensitive).to eql(true)
+    end
+  end
 end |
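Review bot: The new context only covers the positive path; nothing asserts that a resource in the same collection that never calls `secret` stays non-sensitive, which is what pins that the new branch in `Chef::DSL::Secret#secret` does not spill over to other resources. Unless already covered elsewhere in this file, a sibling example declaring `recipe.zen_master("plain") { peace "x" }` and asserting `expect(run_context.resource_collection.lookup("zen_master[plain]").sensitive).to be_falsey` would close that gap. A third example could show that the existing `dsl` helper (a non-resource receiver, presumably) still resolves the value without raising, since `sensitive` is not defined on it. Style: the multi-line `let(:run_context) { ... }` would conventionally use `do ... end` rather than braces.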