Merge pull request #4200 from chef/jdm/dont-print-pscred

Prevent inspect on PsCredential from printing out plain text password

3 files changed, 30 insertions, 6 deletions

diff --git a/lib/chef/resource/dsc_resource.rb b/lib/chef/resource/dsc_resource.rb
index b6167e76d0..1dcde8de96 100644
--- a/lib/chef/resource/dsc_resource.rb
+++ b/lib/chef/resource/dsc_resource.rb
@@ -20,16 +20,34 @@ require 'chef/dsl/powershell'
 class Chef

   class Resource

     class DscResource < Chef::Resource

-

       provides :dsc_resource, os: "windows"

 

+      # This class will check if the object responds to

+      # to_text. If it does, it will call that as opposed

+      # to inspect. This is useful for properties that hold

+      # objects such as PsCredential, where we do not want

+      # to dump the actual ivars

+      class ToTextHash < Hash

+        def to_text

+          descriptions = self.map do |(property, obj)|

+            obj_text = if obj.respond_to?(:to_text)

+                         obj.to_text

+                       else

+                         obj.inspect

+                       end

+            "#{property}=>#{obj_text}"

+          end

+          "{#{descriptions.join(', ')}}"

+        end

+      end

+

       include Chef::DSL::Powershell

 

       default_action :run

 

       def initialize(name, run_context)

         super

-        @properties = {}

+        @properties = ToTextHash.new

         @resource = nil

         @reboot_action = :nothing

       end

diff --git a/lib/chef/util/powershell/ps_credential.rb b/lib/chef/util/powershell/ps_credential.rb
index 3f4558a77c..2fc0650e5f 100644
--- a/lib/chef/util/powershell/ps_credential.rb
+++ b/lib/chef/util/powershell/ps_credential.rb
@@ -29,9 +29,8 @@ class Chef::Util::Powershell
       "New-Object System.Management.Automation.PSCredential('#{@username}',('#{encrypt(@password)}' | ConvertTo-SecureString))"
     end
 
-    def to_s
-      to_psobject
-    end
+    alias to_s to_psobject
+    alias to_text to_psobject
 
     private
 
diff --git a/spec/unit/util/powershell/ps_credential_spec.rb b/spec/unit/util/powershell/ps_credential_spec.rb
index bac58b02e5..668ec525c6 100644
--- a/spec/unit/util/powershell/ps_credential_spec.rb
+++ b/spec/unit/util/powershell/ps_credential_spec.rb
@@ -21,7 +21,7 @@ require 'chef/util/powershell/ps_credential'
 
 describe Chef::Util::Powershell::PSCredential do
   let (:username) { 'foo' }
-  let (:password) { 'password' }
+  let (:password) { 'ThIsIsThEpAsSwOrD' }
 
   context 'when username and password are provided' do
     let(:ps_credential) { Chef::Util::Powershell::PSCredential.new(username, password)}
@@ -33,5 +33,12 @@ describe Chef::Util::Powershell::PSCredential do
             "'#{username}',('encrypted' | ConvertTo-SecureString))")
       end
     end
+
+    context 'when to_text is called' do
+      it 'should not contain the password' do
+        allow(ps_credential).to receive(:encrypt).with(password).and_return('encrypted')
+        expect(ps_credential.to_text).not_to match(/#{password}/)
+      end
+    end
   end
 end