author | Serdar Sutay <serdar@opscode.com> | 2014-01-17 20:27:53 -0800 |
---|---|---|
committer | Serdar Sutay <serdar@opscode.com> | 2014-01-17 20:27:53 -0800 |
commit | cc2a097d3f12c14e9336f931d90228186b068990 (patch) | |
tree | 11c55609d708817592c771a0c670d09134e88af4 /lib | |
parent | d8c976257e283506a9dbdbd9a2f3e47bea7e383b (diff) | |
parent | 65aa6df892b98b5f78ea81ed7eb0bc8f797fc73a (diff) | |
download | chef-cc2a097d3f12c14e9336f931d90228186b068990.tar.gz |
Merge pull request #1220 from opscode/CHEF-4639-updated
CHEF-4639: writing credentials files with `file` or `template` may leak credentials in diffs
Diffstat (limited to 'lib')
-rw-r--r-- | lib/chef/provider/file.rb | 20 | ||||
-rw-r--r-- | lib/chef/resource/file.rb | 9 |
2 files changed, 23 insertions, 6 deletions
diff --git a/lib/chef/provider/file.rb b/lib/chef/provider/file.rb
index b2127d7c87..3ef7725173 100644
--- a/lib/chef/provider/file.rb
+++ b/lib/chef/provider/file.rb
@@ -352,16 +352,27 @@ class Chef
 if tempfile.path.nil? || !::File.exists?(tempfile.path)
 raise "chef-client is confused, trying to deploy a file that has no path or does not exist..."
 end
+ # the file? on the next line suppresses the case in why-run when we have a not-file here that would have otherwise been removed
 if ::File.file?(@new_resource.path) && contents_changed?
- diff.diff(@current_resource.path, tempfile.path)
- @new_resource.diff( diff.for_reporting ) unless file_created?
- description = [ "update content in file #{@new_resource.path} from #{short_cksum(@current_resource.checksum)} to #{short_cksum(checksum(tempfile.path))}" ]
- description << diff.for_output
+ description = [ "update content in file #{@new_resource.path} from \
+#{short_cksum(@current_resource.checksum)} to #{short_cksum(checksum(tempfile.path))}" ]
+
+ # Hide the diff output if the resource is marked as a sensitive resource
+ if @new_resource.sensitive
+ @new_resource.diff("suppressed sensitive resource")
+ description << "suppressed sensitive resource"
+ else
+ diff.diff(@current_resource.path, tempfile.path)
+ @new_resource.diff( diff.for_reporting ) unless file_created?
+ description << diff.for_output
+ end
+
 converge_by(description) do
 update_file_contents
 end
 end
+ # unlink necessary to clean up in why-run mode
 tempfile.unlink
 end
@@ -420,4 +431,3 @@ class Chef
 end
 end
 end
-
diff --git a/lib/chef/resource/file.rb b/lib/chef/resource/file.rb
index 676cbf200a..3db88dcda0 100644
--- a/lib/chef/resource/file.rb
+++ b/lib/chef/resource/file.rb
@@ -52,9 +52,9 @@ class Chef
 @force_unlink = false
 @manage_symlink_source = nil
 @diff = nil
+ @sensitive = false
 end
-
 def content(arg=nil)
 set_or_return(
 :content,
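Review bot: The sensitive branch still interpolates `short_cksum(@current_resource.checksum)` and `short_cksum(checksum(tempfile.path))` into `description`, so a truncated hash of the secret content still lands in converge output and the run report even when the diff itself is suppressed; for low-entropy file contents a hash prefix lets a reader confirm a guess, so the checksums are worth hiding too, e.g. building `description = [ "update content in file #{@new_resource.path} (content suppressed for sensitive resource)" ]` inside the `if @new_resource.sensitive` branch and only adding the checksummed form in the `else`. A smaller inconsistency: the sensitive branch calls `@new_resource.diff("suppressed sensitive resource")` unconditionally, while the non-sensitive branch skips reporting `unless file_created?`; if that asymmetry is intended, a one-line comment would save the next reader the question. The backslash-newline continuation inside the string literal works, but `"... from " \` followed by a second literal on the next line keeps the same text without a line that starts at column 0. The enclosing method begins before this hunk.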
@@ -119,6 +119,13 @@ class Chef
 )
 end
+ def sensitive(arg=nil)
+ set_or_return(
+ :sensitive,
+ arg,
+ :kind_of => [ TrueClass, FalseClass ]
+ )
+ end
 end
 end
 end
|
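Review bot: The new `sensitive` attribute has no comment saying what setting it changes, and nothing in this file ties it to the provider behaviour it controls. A short note above `def sensitive(arg=nil)` would make the contract visible from the resource side, e.g. `# When true, the file provider omits the content diff from converge output and resource reporting (CHEF-4639); defaults to false.` The default is set in the initializer hunk earlier in this file, so the comment should match that value if it ever changes.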