| Field | Value | Date |
|---|---|---|
| author | Salim Afiune <afiune@chef.io> | 2016-12-21 10:30:55 -0500 |
| committer | Salim Afiune <afiune@chef.io> | 2016-12-22 12:43:10 -0500 |
| commit | 1b60195f4cb7ec5414ceb8543fc9a41c1ba4b73b (patch) | |
| tree | 93d86c65378c5264cca6f7756030af0dfb1cdb42 /lib/chef/resource_reporter.rb | |
| parent | 30138f63819899b676cfcdef8b00e3ed132e601e (diff) | |
| download | chef-1b60195f4cb7ec5414ceb8543fc9a41c1ba4b73b.tar.gz | |
Transform sensitive resources before reporting them
COOL-642/ZD 12936 - Chef Manage Run History compromises sensitive data
Before this commit we were sending sensitive resource information to
Reporting and therefore you were able to see the sensitive data on the
Run History in the Chef Manage Console.
This commit is fixing this problem and now it is transforming any
sensitive resource to display the word `*sensitive*` instead of the
actual data. As we are inserting these values directly into the database,
it means that this change will cascade all the way to the front-end.
Catch: Old data that was already reported and is displaying sensitive
data will continue to be displayed. Apologies.
Signed-off-by: Salim Afiune <afiune@chef.io>
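The masking the commit message describes, written as an added example that is not Chef's code: a resource flagged `sensitive` has its reported state replaced by the `*sensitive*` marker, but the masking is done on the report hash rather than on the live resource object, and a small check confirms no secret value survives in what would be sent. `ExampleResource`, `report_state`, `leaked_values` and the sample secret are all constructed for this example and do not exist in Chef.

```ruby
# Added example (not Chef's code): mask a sensitive resource's reported state
# without mutating the resource object that the run is still using.

SENSITIVE_MARKER = "*sensitive*".freeze

# Minimal stand-in for a Chef resource: a type, a name, a set of reportable
# properties and the `sensitive` flag. Constructed for this example only.
class ExampleResource
  attr_reader :type, :name, :properties
  attr_accessor :sensitive

  def initialize(type, name, sensitive: false, **properties)
    @type = type
    @name = name
    @sensitive = sensitive
    @properties = properties
  end
end

# Build the hash that would be sent to the reporting service. For a resource
# flagged sensitive, the name and every property value are replaced by the
# marker; the resource type stays visible so the run history remains readable.
# The resource itself is never modified: only the returned hash is masked.
def report_state(resource)
  masked = resource.sensitive
  props = resource.properties.each_with_object({}) do |(key, value), out|
    out[key.to_s] = masked ? SENSITIVE_MARKER : value
  end
  {
    "type" => resource.type.to_s,
    "name" => masked ? SENSITIVE_MARKER : resource.name,
    "sensitive" => masked,
    "properties" => props,
  }
end

# Defensive check before sending: return the report keys whose value is one of
# the known secret strings. An empty array means nothing leaked.
def leaked_values(report, secrets)
  leaked = report["properties"].select { |_, v| secrets.include?(v) }.keys
  leaked << "name" if secrets.include?(report["name"])
  leaked
end

if __FILE__ == $PROGRAM_NAME
  secret = "hunter2" # constructed sample secret, not a real credential
  res = ExampleResource.new(:execute, "set-db-password",
                            sensitive: true,
                            command: "mysql -e \"SET PASSWORD = '#{secret}'\"",
                            user: "root")
  report = report_state(res)
  puts report.inspect
  puts "leaked keys: #{leaked_values(report, [secret, res.properties[:command]]).inspect}"
  puts "resource still holds its real command: #{res.properties[:command].include?(secret)}"
end
```

Masking every property of a sensitive resource, rather than a fixed list of property names, means a new resource type with a differently named secret-bearing property cannot slip through; masking the report copy rather than the resource keeps anything that inspects resources after convergence (handlers, notifications, name lookups) working on real data.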
Diffstat (limited to 'lib/chef/resource_reporter.rb')
-rw-r--r-- | lib/chef/resource_reporter.rb | 21
1 files changed, 21 insertions, 0 deletions
diff --git a/lib/chef/resource_reporter.rb b/lib/chef/resource_reporter.rb index 8422870e2a..83787818b8 100644 --- a/lib/chef/resource_reporter.rb +++ b/lib/chef/resource_reporter.rb @@ -198,11 +198,32 @@ class Chef def resource_completed(new_resource) if @pending_update && !nested_resource?(new_resource) @pending_update.finish + + # Verify if the resource has sensitive data + if @pending_update.new_resource.sensitive + sensitive_resource = transform_sensitive_resource(@pending_update.new_resource) + @pending_update.new_resource = sensitive_resource + end @updated_resources << @pending_update @pending_update = nil end end + def transform_sensitive_resource(resource) + mock_display = '*sensitive*' + + # Every resource has a name + resource.name(mock_display) + # For Execute Resources + resource.command(mock_display) if defined? resource.command + # For File Resources + resource.content(mock_display) if defined? resource.content + # For Template Resources + resource.variables({'data' => mock_display}) if defined? resource.variables + + resource + end + def run_completed(node) @status = "success" post_reporting_data |
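Review bot: `transform_sensitive_resource` mutates the live resource object rather than a copy: `resource.name(mock_display)`, `resource.command(mock_display)` and `resource.content(mock_display)` overwrite properties on `@pending_update.new_resource`, which is the same object the run just converged and which other code (handlers, notifications, anything looking a resource up by name) may still consult after `resource_completed`. Apply the mask to a `dup`, or better, at the point where the report hash is serialized, so the reporter never alters run state. Two smaller points in the same hunk: the mask is a fixed list of four properties (`name`, `command`, `content`, `variables`), so any other property that carries a secret on a `sensitive` resource is still reported unmasked, and masking every reported property of a sensitive resource (or reporting only the type and the marker) would match the commit message's intent more closely; and the guard `defined? resource.command` only works because `defined?` on a method-call expression evaluates to `"method"` when the receiver responds to it, so `resource.respond_to?(:command)` says what is meant. Style: `'*sensitive*'` should use double quotes to match the file's existing string style (`"success"` a few lines below).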