Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unwrap sensitive values in error messages #42

Merged
merged 1 commit into from
Mar 8, 2024
Merged

Unwrap sensitive values in error messages #42

merged 1 commit into from
Mar 8, 2024

Conversation

smortex
Copy link

@smortex smortex commented Feb 24, 2023

When sensitive values are compared and do not match, the produce error message does not help for debugging:

  1) postgresql::server::role with Password Datatype Sensitive[String] has alter role for "test" user with password as ****
     Failure/Error:
       is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
         .with('command'     => sensitive('ALTER ROLE "test" ENCRYPTED PASSWORD \'new-pa$s\''),
               'sensitive'   => 'true',
               'unless'      => sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'"),
               'port'        => '5432')

       expected that the catalogue would contain Postgresql_psql[ALTER ROLE test ENCRYPTED PASSWORD ****] with command set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'") but it is set to #<Sensitive [value redacted]>, and parameter unless set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'") but it is set to #<Sensitive [value redacted]>
       Diff:
         <The diff is empty, are your objects producing identical `#inspect` output?>
     # ./spec/defines/server/role_spec.rb:56:in `block (3 levels) in <top (required)>'
     # /usr/home/romain/.gem/ruby/3.0/bin/rspec:25:in `load'
     # /usr/home/romain/.gem/ruby/3.0/bin/rspec:25:in `<main>'

With this change, the sensitive values are unwrapped and allow to spot the missing unwraps in unit tests:

  1) postgresql::server::role with Password Datatype Sensitive[String] has alter role for "test" user with password as ****
     Failure/Error:
       is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
         .with('command'     => sensitive('ALTER ROLE "test" ENCRYPTED PASSWORD \'new-pa$s\''),
               'sensitive'   => 'true',
               'unless'      => sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'"),
               'port'        => '5432')

       expected that the catalogue would contain Postgresql_psql[ALTER ROLE test ENCRYPTED PASSWORD ****] with command set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'") but it is set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'Sensitive [value redacted]'"), and parameter unless set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'") but it is set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'Sensitive [value redacted]'")
       Diff:

       @@ -1,4 +1,4 @@
       -Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'")
       +Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'Sensitive [value redacted]'")

       -Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'")
       +Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'Sensitive [value redacted]'")

@smortex smortex marked this pull request as ready for review February 24, 2023 22:46
@smortex smortex requested a review from a team as a code owner February 24, 2023 22:46
@smortex smortex mentioned this pull request Feb 24, 2023
Merged
@smortex
Copy link
Author

smortex commented Feb 24, 2023

For the record, this change is backward incompatible since matching any Sensitive value against the String "Sensitive [value redacted]" was previously passing and is now failing. It feels more logical to not introduce a magic string here IMHO, so I assumed this would be okay.

@CLAassistant
Copy link

CLAassistant commented Apr 19, 2023
edited
Loading

CLA assistant check
All committers have signed the CLA.

@LukasAud
Copy link

Re-opening the PR due to age to re-kick CI. Want a fresh check on this before reviewing.

@LukasAud LukasAud closed this Jul 13, 2023
@LukasAud LukasAud reopened this Jul 13, 2023
@LukasAud LukasAud requested a review from bastelfreak as a code owner July 13, 2023 14:39
@smortex smortex force-pushed the unwrap-in-errors branch from c6b2ebf to 7b029c4 Compare July 13, 2023 18:01
@smortex
Copy link
Author

smortex commented Jul 13, 2023

@LukasAud I rebased on top of master hopping that this would help. The workflow need approval however.

@LukasAud
Copy link

@smortex Sorry for the delay. Wasnt expecting the 'approve and run' function to be a blocker here. Tests are running now tho they are hitting rubocop rules.

@smortex smortex force-pushed the unwrap-in-errors branch from 7b029c4 to ce3611d Compare July 17, 2023 19:54
@smortex
Copy link
Author

smortex commented Jul 17, 2023

Ooops, sorry about this, should have checked locally.

Rebased and fixed (rubocop and rspec seems happy on my computer). Thanks!

@LukasAud
Copy link

@smortex This is looking good. Im happy to drop an approval but I will hold of from merging as this is a backwards-incompatible and there is a few things we want to do before cutting a major release, including cutting a minor one beforehand.

Sorry for the delay but this will have to sit here for a bit longer.

@smortex
Unwrap sensitive values in error messages
b9dde53 
When sensitive values are compared and do not match, the produce error
message does not help for debugging:

```
  1) postgresql::server::role with Password Datatype Sensitive[String] has alter role for "test" user with password as ****
     Failure/Error:
       is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
         .with('command'     => sensitive('ALTER ROLE "test" ENCRYPTED PASSWORD \'new-pa$s\''),
               'sensitive'   => 'true',
               'unless'      => sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'"),
               'port'        => '5432')

       expected that the catalogue would contain Postgresql_psql[ALTER ROLE test ENCRYPTED PASSWORD ****] with command set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'") but it is set to #<Sensitive [value redacted]>, and parameter unless set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'") but it is set to #<Sensitive [value redacted]>
       Diff:
         <The diff is empty, are your objects producing identical `#inspect` output?>
     # ./spec/defines/server/role_spec.rb:56:in `block (3 levels) in <top (required)>'
     # /usr/home/romain/.gem/ruby/3.0/bin/rspec:25:in `load'
     # /usr/home/romain/.gem/ruby/3.0/bin/rspec:25:in `<main>'
```

With this change, the sensitive values are unwrapped and allow to spot
the missing unwraps in unit tests:

```
  1) postgresql::server::role with Password Datatype Sensitive[String] has alter role for "test" user with password as ****
     Failure/Error:
       is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
         .with('command'     => sensitive('ALTER ROLE "test" ENCRYPTED PASSWORD \'new-pa$s\''),
               'sensitive'   => 'true',
               'unless'      => sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'"),
               'port'        => '5432')

       expected that the catalogue would contain Postgresql_psql[ALTER ROLE test ENCRYPTED PASSWORD ****] with command set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'") but it is set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'Sensitive [value redacted]'"), and parameter unless set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'") but it is set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'Sensitive [value redacted]'")
       Diff:

       @@ -1,4 +1,4 @@
       -Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'")
       +Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'Sensitive [value redacted]'")

       -Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'")
       +Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'Sensitive [value redacted]'")
```
@smortex smortex requested a review from a team as a code owner October 13, 2023 19:45
@smortex
Copy link
Author

smortex commented Oct 13, 2023

👋 A new major release was cut a few days ago. I rebased my work on top of master to fix the conflicts.

Can we merge and release this?

ekohl
ekohl approved these changes Mar 8, 2024
View reviewed changes
Copy link

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just ran into this problem and can verify the patch helps a lot in debugging.

jordanbreen28
jordanbreen28 approved these changes Mar 8, 2024
View reviewed changes
Copy link

@jordanbreen28 jordanbreen28 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing stuff @smortex - will save a lot of debugging pain for people in the future!

@jordanbreen28 jordanbreen28 merged commit 6888827 into puppetlabs:main Mar 8, 2024
@smortex smortex deleted the unwrap-in-errors branch March 12, 2024 20:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekohl ekohl ekohl approved these changes

@bastelfreak bastelfreak bastelfreak approved these changes

@jordanbreen28 jordanbreen28 jordanbreen28 approved these changes

Assignees
No one assigned
Labels
backwards-incompatible
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@smortex @CLAassistant @LukasAud @ekohl @bastelfreak @jordanbreen28