author | Marc A. Paradise <marc.paradise@gmail.com> | 2021-06-02 17:44:22 -0400 |
---|---|---|
committer | Marc A. Paradise <marc.paradise@gmail.com> | 2021-06-09 09:42:50 -0400 |
commit | fbc814b180c6e100d828cd741787dd845c2c0f83 (patch) | |
tree | ac45bdcabca6fabfb143d67772b3fb64eb32f15b | |
parent | 8e8aa9fa7a7ff5ce802efd855dc0e33f487515e5 (diff) | |
download | chef-fbc814b180c6e100d828cd741787dd845c2c0f83.tar.gz |
Do not send blocked attributes to data collector
This uses the newly exposed Chef::Node#data_for_save
to ensure that the data we're submitting to the data collector
has allow/block rules applied, the same way that we do
for node.save.
Fixes #10895
Signed-off-by: Marc A. Paradise <marc.paradise@gmail.com>
-rw-r--r-- | lib/chef/data_collector/run_end_message.rb | 2 | ||||
-rw-r--r-- | spec/unit/data_collector_spec.rb | 48 |
2 files changed, 48 insertions, 2 deletions
diff --git a/lib/chef/data_collector/run_end_message.rb b/lib/chef/data_collector/run_end_message.rb
index 1900effa26..91cf21e643 100644
--- a/lib/chef/data_collector/run_end_message.rb
+++ b/lib/chef/data_collector/run_end_message.rb
@@ -51,7 +51,7 @@ class Chef
 "id" => run_status&.run_id,
 "message_version" => "1.1.0",
 "message_type" => "run_converge",
- "node" => node || {},
+ "node" => node&.data_for_save || {},
 "node_name" => node&.name || data_collector.node_name,
 "organization_name" => organization,
 "resources" => all_action_records(action_collection),
diff --git a/spec/unit/data_collector_spec.rb b/spec/unit/data_collector_spec.rb
index 63531663ee..24f8807d2e 100644
--- a/spec/unit/data_collector_spec.rb
+++ b/spec/unit/data_collector_spec.rb
@@ -142,11 +142,17 @@ describe Chef::DataCollector do
 def expect_converge_message(keys)
 keys["message_type"] = "run_converge"
 keys["message_version"] = "1.1.0"
+ # if (keys.key?("node") && !keys["node"].empty?)
+ # expect(rest_client).to receive(:post) do |_a, hash, _b|
+ # require 'pry'; binding.pry
+ # end
+ # else
 expect(rest_client).to receive(:post).with(
 nil,
 hash_including(keys),
 { "Content-Type" => "application/json" }
 )
+ # end
 end
 
 def resource_has_diff(new_resource, status)
@@ -202,7 +208,7 @@ describe Chef::DataCollector do
 end
 
 it "has a node" do
- expect_converge_message("node" => expected_node)
+ expect_converge_message("node" => expected_node.is_a?(Chef::Node) ? expected_node.data_for_save : expected_node)
 send_run_failed_or_completed_event
 end
 
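Review bot: The `+ "node" => node&.data_for_save || {}` line changes both the content and the type of the `"node"` entry — it was the Node object itself, presumably serialized by whatever JSON encoding the message passes through, and is now the Hash that node.save sends with the allowed/blocked attribute rules applied — while `"message_version" => "1.1.0"` two lines above is left as is; if any consumer keys on that version to infer the payload shape, this deserves a note or a version decision. The reason for the change is only in the commit log, so a why-comment on the new line would help the next reader: `# Serialize the node the way node.save does, so Chef::Config allowed/blocked attribute rules are applied before the data leaves the host.` The hash literal and the method that builds it start and end outside the hunk.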
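Review bot: The five `+ #` lines added to `expect_converge_message` are commented-out debugging scaffolding (`# require 'pry'; binding.pry`) and the trailing `+ # end` closes a branch that does not exist; they should be removed before merge rather than left in a shared spec helper, where the next person to uncomment them lands a `binding.pry` in CI. The helper's actual expectation on `rest_client` is unchanged by this hunk.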
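Review bot: The rewritten expectation in `it "has a node" do` calls the method under test (`expected_node.data_for_save`) to build the expected value, so the example now passes by construction and no longer pins what the payload's `"node"` entry looks like; the filtering itself is only verified by the two contexts added further down this file. Assert against an independently constructed Hash (or `hash_including` on keys you know the serialized node carries) for the Chef::Node case and keep the plain comparison for the `{}` case. `expected_node` is defined by a `let` outside the hunk.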
@@ -808,6 +814,46 @@ describe Chef::DataCollector do
 it_behaves_like "sends a converge message"
 end
 
+ context "when node attributes are block-listed" do
+ let(:status) { "success" }
+ before do
+ Chef::Config[:blocked_default_attributes] = [
+ %w{secret key_to_the_kingdom},
+ ]
+ node.default = {
+ "secret" => { "key_to_the_kingdom" => "under the flower pot to the left of the drawbridge" },
+ "publicinfo" => { "num_flower_pots" => 18 },
+ }
+ end
+
+ it "payload should exclude blocked attributes" do
+ expect(rest_client).to receive(:post) do |_addr, hash, _headers|
+ expect(hash["node"]["default"]).to eq({ "secret" => {}, "publicinfo" => { "num_flower_pots" => 18 } })
+ end
+ send_run_failed_or_completed_event
+ end
+ end
+
+ context "when node attributes are allow-listed" do
+ let(:status) { "success" }
+ before do
+ Chef::Config[:allowed_default_attributes] = [
+ %w{public entrance},
+ ]
+ node.default = {
+ "public" => { "entrance" => "is the drawbridge" },
+ "secret" => { "entrance" => "is the tunnel" },
+ }
+ end
+
+ it "payload should include only allowed attributes" do
+ expect(rest_client).to receive(:post) do |_addr, hash, _headers|
+ expect(hash["node"]["default"]).to eq({ "public" => { "entrance" => "is the drawbridge" } })
+ end
+ send_run_failed_or_completed_event
+ end
+ end
+ end
 end
|
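Review bot: Both new `before do` blocks assign `Chef::Config[:blocked_default_attributes]` and `Chef::Config[:allowed_default_attributes]` and never restore them, so unless the suite resets `Chef::Config` between examples (not visible in this hunk) the lists leak into whichever example runs next and can mask or cause unrelated failures in this file; if there is no suite-wide reset, add an `after` block in each context that restores the previous value of the key it set. The two examples also exercise only the `default` precedence level, so the allow/block handling of the other levels in the `"node"` payload is untested here, though `data_for_save` presumably applies the same rules to them. The enclosing `describe Chef::DataCollector do` begins outside the hunk.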