authorSergey Sergeev <zhirafovod@gmail.com>2014-04-10 00:34:12 -0700
committerBryan McLellan <btm@getchef.com>2014-06-10 09:05:38 -0700
commitcee94f52d52806885fbd63d63addc3708b25f409 (patch)
tree56d97f58cb9aea164df6791cf8a4ba3d9ec64c2e
parent5265dec56c99698f09c94604e72552820370ff86 (diff)
downloadchef-cee94f52d52806885fbd63d63addc3708b25f409.tar.gz
CHEF-5098 fix sensitive data output on failure
provide a way to suppress sensitive attribute for a resource * add sensitive attribute to the resource class * fix output in resource_failure_inspector if sensitive attribute set * add spec tests for resource fix implementation based on PR review * suppress to_text output if sensitive attribute set in resource * remove rescue of unset sensitive attribute in resource_failure_inspector
-rw-r--r--lib/chef/formatters/error_inspectors/resource_failure_inspector.rb3
-rw-r--r--lib/chef/resource.rb10
-rw-r--r--spec/unit/resource_spec.rb37
3 files changed, 48 insertions, 2 deletions
diff --git a/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb b/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb
index 6f1f71b8f9..59c7249f74 100644
--- a/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb
+++ b/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb
@@ -25,6 +25,7 @@ class Chef
attr_reader :resource
attr_reader :action
attr_reader :exception
+ attr_reader :sensitive
def initialize(resource, action, exception)
@resource = resource
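Review bot: `attr_reader :sensitive` reads `@sensitive` on the inspector, and nothing in this commit assigns it: `initialize` continues past the hunk, but the diffstat lists only two added lines for this file and both are visible, so the reader appears to return nil every time. The ternary added in the next hunk (`sensitive ? "suppressed sensitive resource output" : recipe_snippet`) would then always fall through to `recipe_snippet`, and the recipe source of a sensitive resource is still printed under "Resource Declaration:". Asking the resource directly closes the gap: drop this reader and write `resource.sensitive ? "suppressed sensitive resource output" : recipe_snippet`.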
@@ -40,7 +41,7 @@ class Chef
end
unless dynamic_resource?
- error_description.section("Resource Declaration:", recipe_snippet)
+ error_description.section("Resource Declaration:", sensitive ? "suppressed sensitive resource output" : recipe_snippet)
end
error_description.section("Compiled Resource:", "#{resource.to_text}")
diff --git a/lib/chef/resource.rb b/lib/chef/resource.rb
index 9370f34d56..6c8e0434a0 100644
--- a/lib/chef/resource.rb
+++ b/lib/chef/resource.rb
@@ -253,6 +253,7 @@ F
@source_line = nil
@guard_interpreter = :default
@elapsed_time = 0
+ @sensitive = false
@node = run_context ? deprecated_ivar(run_context.node, :node, :warn) : nil
end
@@ -400,6 +401,14 @@ F
)
end
+ def sensitive(arg=nil)
+ set_or_return(
+ :sensitive,
+ arg,
+ :kind_of => [ TrueClass, FalseClass ]
+ )
+ end
+
def epic_fail(arg=nil)
ignore_failure(arg)
end
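Review bot: The new `sensitive` accessor has no comment telling recipe authors what it suppresses. In this commit the effect is limited to `to_text` and the failure inspector's sections, so a comment above `def sensitive(arg=nil)` should state that scope, for example `# When true, to_text and the failure formatter print a placeholder instead of this resource's attributes.` The enclosing class starts and ends outside the hunk.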
@@ -494,6 +503,7 @@ F
end
def to_text
+ return "suppressed sensitive resource output" if sensitive
ivars = instance_variables.map { |ivar| ivar.to_sym } - HIDDEN_IVARS
text = "# Declared in #{@source_line}\n\n"
text << self.class.dsl_name + "(\"#{name}\") do\n"
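Review bot: The placeholder `"suppressed sensitive resource output"` is a bare literal here, again in resource_failure_inspector.rb and again in the spec, so a wording change in one place either breaks the `eql` assertion or leaves the two report sections inconsistent. A frozen constant on the resource class, e.g. `SENSITIVE_PLACEHOLDER = "suppressed sensitive resource output".freeze` (name is only a suggestion), referenced from all three places would keep them in step. `to_text` continues past the end of the hunk.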
diff --git a/spec/unit/resource_spec.rb b/spec/unit/resource_spec.rb
index 99217af20e..dd6d58630f 100644
--- a/spec/unit/resource_spec.rb
+++ b/spec/unit/resource_spec.rb
@@ -344,7 +344,8 @@ describe Chef::Resource do
expected_keys = [ :allowed_actions, :params, :provider, :updated,
:updated_by_last_action, :before, :supports,
:noop, :ignore_failure, :name, :source_line,
- :action, :retries, :retry_delay, :elapsed_time, :guard_interpreter]
+ :action, :retries, :retry_delay, :elapsed_time,
+ :guard_interpreter, :sensitive ]
(hash.keys - expected_keys).should == []
(expected_keys - hash.keys).should == []
hash[:name].should eql("funk")
@@ -781,6 +782,40 @@ describe Chef::Resource do
end
end
+
+ describe "resource sensitive attribute" do
+
+ before(:each) do
+ @resource_file = Chef::Resource::File.new("/nonexistent/CHEF-5098/file", @run_context)
+ @action = :create
+ end
+
+ def compiled_resource_data(resource, action, err)
+ error_inspector = Chef::Formatters::ErrorInspectors::ResourceFailureInspector.new(resource, action, err)
+ description = Chef::Formatters::ErrorDescription.new("test")
+ error_inspector.add_explanation(description)
+ Chef::Log.info("descrtiption: #{description.inspect},error_inspector: #{error_inspector}")
+ description.sections[1]["Compiled Resource:"]
+ end
+
+ it "set to false by default" do
+ @resource.sensitive.should be_false
+ end
+
+ it "when set to false should show compiled resource for failed resource" do
+ expect { @resource_file.run_action(@action) }.to raise_error { |err|
+ compiled_resource_data(@resource_file, @action, err).should match 'path "/nonexistent/CHEF-5098/file"'
+ }
+ end
+
+ it "when set to true should show compiled resource for failed resource" do
+ @resource_file.sensitive true
+ expect { @resource_file.run_action(@action) }.to raise_error { |err|
+ compiled_resource_data(@resource_file, @action, err).should eql("suppressed sensitive resource output")
+ }
+ end
+
+ end
end
describe Chef::Resource::Notification do
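Review bot: `compiled_resource_data` returns only `description.sections[1]["Compiled Resource:"]`, so the "Resource Declaration:" branch changed in resource_failure_inspector.rb is never asserted, and a sensitive recipe snippet could appear in failure output without failing this spec. An example that builds the description for a resource with `sensitive true` and checks that none of `description.sections` contains the file path would cover that branch. The last example's title says "should show" while it asserts the placeholder; `it "when set to true should suppress compiled resource for failed resource" do` matches what is tested. The `Chef::Log.info` line in the helper looks like leftover debugging and could be removed.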