author | Sergey Sergeev <zhirafovod@gmail.com> | 2014-04-10 00:34:12 -0700 |
---|---|---|
committer | Bryan McLellan <btm@getchef.com> | 2014-06-10 09:05:38 -0700 |
commit | cee94f52d52806885fbd63d63addc3708b25f409 (patch) | |
tree | 56d97f58cb9aea164df6791cf8a4ba3d9ec64c2e | |
parent | 5265dec56c99698f09c94604e72552820370ff86 (diff) | |
download | chef-cee94f52d52806885fbd63d63addc3708b25f409.tar.gz |
CHEF-5098 fix sensitive data output on failure
provide a way to suppress sensitive attribute for a resource
* add sensitive attribute to the resource class
* fix output in resource_failure_inspector if sensitive attribute set
* add spec tests for resource
fix implementation based on PR review
* suppress to_text output if sensitive attribute set in resource
* remove rescue of unset sensitive attribute in resource_failure_inspector
-rw-r--r-- | lib/chef/formatters/error_inspectors/resource_failure_inspector.rb | 3 | ||||
-rw-r--r-- | lib/chef/resource.rb | 10 | ||||
-rw-r--r-- | spec/unit/resource_spec.rb | 37 |
3 files changed, 48 insertions, 2 deletions
diff --git a/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb b/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb
index 6f1f71b8f9..59c7249f74 100644
--- a/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb
+++ b/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb
@@ -25,6 +25,7 @@ class Chef
 attr_reader :resource
 attr_reader :action
 attr_reader :exception
+ attr_reader :sensitive
 def initialize(resource, action, exception)
 @resource = resource
@@ -40,7 +41,7 @@ class Chef
 end
 unless dynamic_resource?
- error_description.section("Resource Declaration:", recipe_snippet)
+ error_description.section("Resource Declaration:", sensitive ? "suppressed sensitive resource output" : recipe_snippet)
 end
 error_description.section("Compiled Resource:", "#{resource.to_text}")
diff --git a/lib/chef/resource.rb b/lib/chef/resource.rb
index 9370f34d56..6c8e0434a0 100644
--- a/lib/chef/resource.rb
+++ b/lib/chef/resource.rb
@@ -253,6 +253,7 @@ F
 @source_line = nil
 @guard_interpreter = :default
 @elapsed_time = 0
+ @sensitive = false
 @node = run_context ? deprecated_ivar(run_context.node, :node, :warn) : nil
 end
@@ -400,6 +401,14 @@ F
 )
 end
+ def sensitive(arg=nil)
+ set_or_return(
+ :sensitive,
+ arg,
+ :kind_of => [ TrueClass, FalseClass ]
+ )
+ end
+
 def epic_fail(arg=nil)
 ignore_failure(arg)
 end
@@ -494,6 +503,7 @@ F
 end
 def to_text
+ return "suppressed sensitive resource output" if sensitive
 ivars = instance_variables.map { |ivar| ivar.to_sym } - HIDDEN_IVARS
 text = "# Declared in #{@source_line}\n\n"
 text << self.class.dsl_name + "(\"#{name}\") do\n"
diff --git a/spec/unit/resource_spec.rb b/spec/unit/resource_spec.rb
index 99217af20e..dd6d58630f 100644
--- a/spec/unit/resource_spec.rb
+++ b/spec/unit/resource_spec.rb
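Review bot: The `attr_reader :sensitive` added in the first hunk of resource_failure_inspector.rb reads `@sensitive` on the inspector, and nothing in this commit assigns it (the diffstat lists only these changed lines for the file, and `initialize` continues outside the hunk). The `sensitive ? ... : recipe_snippet` ternary in the second hunk therefore appears to always see nil, so the "Resource Declaration:" section still prints `recipe_snippet` for a sensitive resource. The recipe source is where a secret literal is most likely to sit, so this is the path that most needs the guard. Read the flag from the resource instead, `error_description.section("Resource Declaration:", resource.sensitive ? "suppressed sensitive resource output" : recipe_snippet)`, and drop the unused reader.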
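Review bot: The new `sensitive` accessor in the second resource.rb hunk has no comment, so a recipe author reading the class cannot tell what setting it changes. Put one line above it, for example `# When true, #to_text returns a fixed placeholder instead of the resource's attributes.` The neighbouring accessors are outside the hunk, so match whatever comment style they use.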
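Review bot: The early return added to `to_text` covers only this one rendering of the resource. `to_hash` still returns every attribute (the spec change in this commit only adds `:sensitive` to its expected keys), and `inspect` and `to_json` are not touched here, so a handler or log line that goes through those would presumably still carry the values. Either guard those paths the same way or state in the accessor's comment that `sensitive` is limited to `to_text`. The placeholder string is also repeated verbatim in resource_failure_inspector.rb; a constant on `Chef::Resource` would keep the two from drifting. `to_text` continues outside the hunk.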
@@ -344,7 +344,8 @@ describe Chef::Resource do
 expected_keys = [ :allowed_actions, :params, :provider, :updated, :updated_by_last_action, :before, :supports, :noop, :ignore_failure, :name, :source_line,
- :action, :retries, :retry_delay, :elapsed_time, :guard_interpreter]
+ :action, :retries, :retry_delay, :elapsed_time,
+ :guard_interpreter, :sensitive ]
 (hash.keys - expected_keys).should == []
 (expected_keys - hash.keys).should == []
 hash[:name].should eql("funk")
@@ -781,6 +782,40 @@ describe Chef::Resource do
 end
 end
+
+ describe "resource sensitive attribute" do
+
+ before(:each) do
+ @resource_file = Chef::Resource::File.new("/nonexistent/CHEF-5098/file", @run_context)
+ @action = :create
+ end
+
+ def compiled_resource_data(resource, action, err)
+ error_inspector = Chef::Formatters::ErrorInspectors::ResourceFailureInspector.new(resource, action, err)
+ description = Chef::Formatters::ErrorDescription.new("test")
+ error_inspector.add_explanation(description)
+ Chef::Log.info("descrtiption: #{description.inspect},error_inspector: #{error_inspector}")
+ description.sections[1]["Compiled Resource:"]
+ end
+
+ it "set to false by default" do
+ @resource.sensitive.should be_false
+ end
+
+ it "when set to false should show compiled resource for failed resource" do
+ expect { @resource_file.run_action(@action) }.to raise_error { |err|
+ compiled_resource_data(@resource_file, @action, err).should match 'path "/nonexistent/CHEF-5098/file"'
+ }
+ end
+
+ it "when set to true should show compiled resource for failed resource" do
+ @resource_file.sensitive true
+ expect { @resource_file.run_action(@action) }.to raise_error { |err|
+ compiled_resource_data(@resource_file, @action, err).should eql("suppressed sensitive resource output")
+ }
+ end
+
+ end
 end
 describe Chef::Resource::Notification do |
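Review bot: `compiled_resource_data` in the second spec hunk returns only the "Compiled Resource:" section, so both failure examples exercise `Resource#to_text` and nothing checks the "Resource Declaration:" branch changed in resource_failure_inspector.rb. An example that asserts that section for a sensitive resource would cover the inspector change. The third example is titled "should show compiled resource" but asserts the placeholder; rename it to `it "when set to true should suppress compiled resource for failed resource" do`. The `Chef::Log.info("descrtiption: ...")` call in the helper looks like leftover debugging and can be removed.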