Hide sensitive parameters
This solves an issue for me where even though both 'to' and 'from'
catalogs were being compiled (not coming from puppetdb), resources with
sensitive data were still being marked as 'changed'.

With this commit, sensitive data won't be leaked, but replaced by a
simple hash so that diffs should still show.
alexjfisher committed Aug 3, 2020
1 parent 967bd3a commit fa57725
Showing 1 changed file with 41 additions and 1 deletion.
42 changes: 41 additions & 1 deletion lib/puppet/catalog-diff/compilecatalog.rb
Expand Up @@ -16,7 +16,10 @@ def initialize(node_name, save_directory, server, certless, catalog_from_puppetd
catalog = if catalog_from_puppetdb
get_catalog_from_puppetdb(node_name, server)
else
compile_catalog(node_name, server, certless)
catalog = compile_catalog(node_name, server, certless)
clean_sensitive_parameters!(catalog)
clean_nested_sensitive_parameters!(catalog)
catalog
end
catalog = render_pson(catalog)
begin
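Review bot: the redaction runs only on the compile path, so a catalog fetched through `get_catalog_from_puppetdb` is rendered and saved with its `sensitive_parameters` list and any nested `__ptype`/`__pvalue` entries untouched. If PuppetDB catalogs can carry the same structures, move the two `clean_*` calls after the `if`/`else` so they operate on the single result; that also removes the redundant inner `catalog = compile_catalog(node_name, server, certless)` assignment, which rebinds the variable the outer `catalog = if ...` is already assigning. If the PuppetDB path intentionally needs no redaction, a short comment saying why would save the next reader the same question.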
Expand Down Expand Up @@ -122,6 +125,43 @@ def render_pson(catalog)
pson
end

def clean_sensitive_parameters!(catalog)
catalog['resources'].map! do |resource|
if resource.key? 'sensitive_parameters'
resource['sensitive_parameters'].each do |p|
hash = Digest::SHA256.hexdigest Marshal.dump(resource['parameters'][p])
resource['parameters'][p] = "Sensitive [hash #{hash}]"
end
resource.delete('sensitive_parameters')
resource
else
resource
end
end
end

def clean_nested_sensitive_parameters!(catalog)
# Resources can also contain sensitive data nested deep in hashes/arrays
catalog['resources'].each do |resource|
redact_sensitive(resource['parameters']) if resource.key? 'parameters'
end
end

def redact_sensitive(data)
if data.is_a?(Hash) && data.key?('__ptype')
data[:catalog_diff_hash] = Digest::SHA256.hexdigest Marshal.dump(data['__pvalue'])
data.reject! { |k| k == '__ptype' || k == '__pvalue' }
elsif data.is_a? Hash
data.each do |_k, v|
redact_sensitive(v) if v.is_a?(Hash) || v.is_a?(Array)
end
elsif data.is_a? Array
data.each do |v|
redact_sensitive(v) if v.is_a?(Hash) || v.is_a?(Array)
end
end
end

def save_catalog_to_disk(save_directory, node_name, catalog, extention)
File.open("#{save_directory}/#{node_name}.#{extention}", 'w') do |f|
f.write(catalog)
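Review bot: `redact_sensitive` treats every hash carrying a `__ptype` key as a Sensitive wrapper, but the `if data.is_a?(Hash) && data.key?('__ptype')` branch never checks which type it is; Puppet's rich-data serialization uses the same `__ptype`/`__pvalue` envelope for other value types, so those would also be stripped and replaced with a digest, producing spurious diffs. Add `&& data['__ptype'] == 'Sensitive'` to the condition. Two smaller points: the marker key `:catalog_diff_hash` is a symbol while every other key in the catalog is a string (`'__ptype'`, `'parameters'`), so `'catalog_diff_hash'` would be consistent and would not be missed by a later string lookup, and `data.delete('__ptype'); data.delete('__pvalue')` reads more clearly than the `reject!` block. `Digest::SHA256` is introduced here without a visible `require 'digest'`; confirm the file already has one. Finally, an unsalted SHA256 of `Marshal.dump(value)` is a stable fingerprint of the secret, so anyone holding the saved catalog or diff can confirm a guessed value against it; a per-run random key with `OpenSSL::HMAC`, or a marker that only records that the value changed, would leak less while still showing the diff.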

0 comments on commit fa57725
