authorSalim Afiune <afiune@chef.io>2016-12-22 18:33:35 -0500
committerGitHub <noreply@github.com>2016-12-22 18:33:35 -0500
commita02b1156522ceb2a8b32cacb33ac5d9c02ccde25 (patch)
treec63b7ea07588fba324dc570505eca5eff4f8d938
parent98c205d7ca95089842ee92e0d96bda987b6fe0af (diff)
parentf969e586d3f0e0a1f5d564c36df7c3ddeed66dec (diff)
Merge pull request #5668 from chef/afiune/COOL-642/dont-report-sensitive-data
Report a blank resource if sensitive is enabled
-rw-r--r--RELEASE_NOTES.md11
-rw-r--r--lib/chef/resource_reporter.rb11
-rw-r--r--spec/unit/resource_reporter_spec.rb24
3 files changed, 46 insertions, 0 deletions
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 4d0d50fbcd..6d60f16065 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -6,6 +6,16 @@ _This file holds "in progress" release notes for the current release under devel
- You can now enable chef-client to run as a scheduled task directly from the client MSI on Windows hosts.
+## Highlighted bug fixes for this release:
+
+- Fixed exposure of sensitive data of resources marked as sensitive inside Reporting. Before you
+ were able to see the sensitive data on the Run History tab in the Chef Manage Console. Now we
+ are sending a new blank resource if the resource is marked as sensitive, this way we will not
+ compromise any sensitive data.
+
+ _Note: Old data that was already sent to Reporting marked as sensitive will continue to be
+ displayed. Apologies._
+
## New deprecations introduced in this release:
### Chef Platform Methods
@@ -13,3 +23,4 @@ _This file holds "in progress" release notes for the current release under devel
- **Deprecation ID**: 13
- **Remediation Docs**: <https://docs.chef.io/chef_platform_methods.html>
- **Expected Removal**: Chef 13 (April 2017)
+
diff --git a/lib/chef/resource_reporter.rb b/lib/chef/resource_reporter.rb
index 8422870e2a..368e66245f 100644
--- a/lib/chef/resource_reporter.rb
+++ b/lib/chef/resource_reporter.rb
@@ -198,6 +198,17 @@ class Chef
def resource_completed(new_resource)
if @pending_update && !nested_resource?(new_resource)
@pending_update.finish
+
+ # Verify if the resource has sensitive data
+ # and create a new blank resource with only
+ # the name so we can report it back without
+ # sensitive data
+ if @pending_update.new_resource.sensitive
+ klass = @pending_update.new_resource.class
+ resource_name = @pending_update.new_resource.name
+ @pending_update.new_resource = klass.new(resource_name)
+ end
+
@updated_resources << @pending_update
@pending_update = nil
end
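Review bot: The blank instance built by `@pending_update.new_resource = klass.new(resource_name)` still carries the resource name, and for an execute resource the name doubles as the default command — the spec's expected `after` state `{ :command => "sensitive-resource" }` shows exactly that — so a sensitive resource whose name contains secret material would still have it reported. A follow-up should either strip name-derived defaults from the reported state or document that the fix only protects explicitly set properties, not the name. Only `new_resource` is replaced here; if the update record's `current_resource` (populated via `resource_current_state_loaded`) is also serialized into the report as a `before` state, it is not blanked and presumably needs the same treatment. The comment `# Verify if the resource has sensitive data` would read more precisely as `# Replace a sensitive resource with a name-only blank instance so none of its properties are reported`. The `def resource_completed` body ends outside the hunk.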
diff --git a/spec/unit/resource_reporter_spec.rb b/spec/unit/resource_reporter_spec.rb
index f951c62b94..ccd7087c0b 100644
--- a/spec/unit/resource_reporter_spec.rb
+++ b/spec/unit/resource_reporter_spec.rb
@@ -265,6 +265,30 @@ describe Chef::ResourceReporter do
@resource_reporter.run_started(@run_status)
end
+ context "when the new_resource is sensitive" do
+ before do
+ @execute_resource = Chef::Resource::Execute.new("sensitive-resource")
+ @execute_resource.name("sensitive-resource")
+ @execute_resource.command('echo "password: SECRET"')
+ @execute_resource.sensitive(true)
+ @resource_reporter.resource_action_start(@execute_resource, :run)
+ @resource_reporter.resource_current_state_loaded(@execute_resource, :run, @current_resource)
+ @resource_reporter.resource_updated(@execute_resource, :run)
+ @resource_reporter.resource_completed(@execute_resource)
+ @run_status.stop_clock
+ @report = @resource_reporter.prepare_run_data
+ @first_update_report = @report["resources"].first
+ end
+
+ it "resource_name in prepared_run_data should be the same" do
+ expect(@first_update_report["name"]).to eq("sensitive-resource")
+ end
+
+ it "resource_command in prepared_run_data should be blank" do
+ expect(@first_update_report["after"]).to eq({ :command => "sensitive-resource" })
+ end
+ end
+
context "when the new_resource does not have a string for name and identity" do
context "the new_resource name and id are nil" do
before do