Merge pull request #216 from waipeng/hide_sensitive

Hide sensitive parameters
github · Oct 31, 2019 · e9d3744 · e9d3744
2 parents 88c3c48 + a54ad58
commit e9d3744
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/lib/octocatalog-diff/catalog-diff/differ.rb b/lib/octocatalog-diff/catalog-diff/differ.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'diffy'
+require 'digest'
 require 'hashdiff'
 require 'json'
 require 'set'
@@ -263,7 +264,7 @@ def filter_and_cleanup(catalog_resources)
 
             # Handle parameters
             if k == 'parameters'
-              cleansed_param = cleanse_parameters_hash(v)
+              cleansed_param = cleanse_parameters_hash(v, resource.fetch('sensitive_parameters', []))
               hsh[k] = cleansed_param unless cleansed_param.nil? || cleansed_param.empty?
             elsif k == 'tags'
               # The order of tags is unimportant. Sort this array to avoid false diffs if order changes.
@@ -456,10 +457,18 @@ def ignored?(diff)
 
       # Cleanse parameters of filtered attributes.
       # @param parameters_hash [Hash] Hash of parameters
+      # @param sensitive_parameters [Array] Array of sensitive parameters
       # @return [Hash] Cleaned parameters hash (original input hash is not altered)
-      def cleanse_parameters_hash(parameters_hash)
+      def cleanse_parameters_hash(parameters_hash, sensitive_parameters)
         result = parameters_hash.dup
 
+        # hides sensitive params. We still need to know if there's a going to
+        # be a diff, so we hash the value.
+        sensitive_parameters.each do |p|
+          md5 = Digest::MD5.hexdigest Marshal.dump(result[p])
+          result[p] = 'Sensitive [md5sum ' + md5 + ']'
+        end
+
         # 'before' and 'require' handle internal Puppet ordering but do not affect what
         # happens on the target machine. Don't consider these for the purpose of catalog diff.
         result.delete('before')

diff --git a/spec/octocatalog-diff/tests/catalog-diff/differ_spec.rb b/spec/octocatalog-diff/tests/catalog-diff/differ_spec.rb
@@ -382,6 +382,30 @@
           result = testobj.catalog1
           expect(result.first['title']).to eq('/etc/foo')
         end
+
+        it 'should hide sensitive parameters' do
+          json_hash = {
+            'document_type' => 'Catalog',
+            'data' => {
+              'name' => 'rspec-node.github.net',
+              'tags' => [],
+              'resources' => [
+                {
+                  'type' => 'File',
+                  'title' => 'verysecretfile',
+                  'parameters' => {
+                    'content' => 'secret1'
+                  },
+                  'sensitive_parameters' => ['content']
+                }
+              ]
+            }
+          }
+          catalog = OctocatalogDiff::Catalog.create(json: JSON.generate(json_hash))
+          testobj = OctocatalogDiff::CatalogDiff::Differ.new(@options, catalog, @empty_puppet_catalog)
+          result = testobj.catalog1
+          expect(result.first['parameters']['content']).to eq('Sensitive [md5sum e52d98c459819a11775936d8dfbb7929]')
+        end
       end
 
       describe '#diff' do