authorSalim Afiune <afiune@chef.io>2016-12-21 10:30:55 -0500
committerSalim Afiune <afiune@chef.io>2016-12-22 12:43:10 -0500
commit1b60195f4cb7ec5414ceb8543fc9a41c1ba4b73b (patch)
tree93d86c65378c5264cca6f7756030af0dfb1cdb42 /spec/unit
parent30138f63819899b676cfcdef8b00e3ed132e601e (diff)
downloadchef-1b60195f4cb7ec5414ceb8543fc9a41c1ba4b73b.tar.gz
Transform sensitive resources before report them
COOL-642/ZD 12936 - Chef Manage Run History compromises sensitive data Before this commit we were sending sensitive resource information to Reporting, and therefore you were able to see the sensitive data in the Run History in the Chef Manage Console. This commit fixes this problem: it now transforms any sensitive resource to display the word `*sensitive*` instead of the actual data. As we are inserting these values directly into the database, this change will cascade all the way to the front-end. Catch: Old data that was already reported and is displaying sensitive data will continue to be displayed. Apologies. Signed-off-by: Salim Afiune <afiune@chef.io>
Diffstat (limited to 'spec/unit')
-rw-r--r--spec/unit/resource_reporter_spec.rb24
1 files changed, 24 insertions, 0 deletions
diff --git a/spec/unit/resource_reporter_spec.rb b/spec/unit/resource_reporter_spec.rb
index f951c62b94..e896aac4d7 100644
--- a/spec/unit/resource_reporter_spec.rb
+++ b/spec/unit/resource_reporter_spec.rb
@@ -265,6 +265,30 @@ describe Chef::ResourceReporter do
@resource_reporter.run_started(@run_status)
end
+ context "when the new_resource is sensitive" do
+ before do
+ @execute_resource = Chef::Resource::Execute.new("my sensitive execute block")
+ @execute_resource.name('sensitive-resource')
+ @execute_resource.command('echo "password: SECRET"')
+ @execute_resource.sensitive(true)
+ @resource_reporter.resource_action_start(@execute_resource, :run)
+ @resource_reporter.resource_current_state_loaded(@execute_resource, :run, @current_resource)
+ @resource_reporter.resource_updated(@execute_resource, :run)
+ @resource_reporter.resource_completed(@execute_resource)
+ @run_status.stop_clock
+ @report = @resource_reporter.prepare_run_data
+ @first_update_report = @report["resources"].first
+ end
+
+ it "resource_name in prepared_run_data should be transformed" do
+ expect(@first_update_report["name"]).to eq('*sensitive*')
+ end
+
+ it "resource_command in prepared_run_data should be transformed" do
+ expect(@first_update_report["after"]).to eq({:command=>"*sensitive*"})
+ end
+ end
+
context "when the new_resource does not have a string for name and identity" do
context "the new_resource name and id are nil" do
before do
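Review bot: The two new examples assert only the `name` and `after` fields of the first report entry, so a secret that still reaches Reporting through any other field of that entry would pass this spec. The neighbouring context ("name and identity") suggests the entry also carries the resource identity, and presumably a before-state as well; for an execute resource the identity is likely derived from the command, which here contains `SECRET`. I would add a negative assertion over the whole entry, e.g. `it "does not leak the command anywhere in the report" do expect(@first_update_report.to_s).not_to include("SECRET") end`, so the test fails on any field that is not transformed, not just the two that are checked. The enclosing `describe` block starts and ends outside this hunk, so the full set of reported fields is not visible here.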