File: sensitive_spec.rb

ruby-puppet-resource-api 1.9.0-1
# frozen_string_literal: true

require 'spec_helper'
require 'tempfile'
require 'open3'

RSpec.describe 'sensitive data' do
  # Leak checks for Sensitive values: every example shells out to the `puppet`
  # CLI and inspects the merged stdout/stderr text.
  #
  # --debug is mandatory in these arguments: the negative assertions below are
  # only meaningful if *all* log messages, including debug-level ones, are
  # present in the captured output.
  let(:common_args) { '--verbose --trace --strict=error --modulepath spec/fixtures  --debug' }

  # Runs +command+ and returns stdout and stderr combined into one String.
  # The exit status is discarded; the examples judge the run by its output only.
  #
  # @param command [String] full command line handed to Open3.capture2e
  # @return [String] interleaved stdout/stderr of the command
  def combined_output(command)
    Open3.capture2e(command).first
  end

  # Marker literal: the secret is spelled 'sesitive_data' (sic) both in the
  # manifests and in the patterns. The negative checks are plain substring
  # matches, so the two spellings must stay in sync -- "correcting" only one side
  # would make the leak check pass vacuously.
  describe 'using `puppet apply`' do
    it 'is not exposed by notify' do
      # The manifest calls the notice() function with a Sensitive value.
      log = combined_output("puppet apply #{common_args} -e \"notice(Sensitive('sesitive_data'))\"")

      # Positive check first: it also fails if puppet did not run at all, so the
      # negative checks cannot succeed on empty or unrelated output.
      expect(log).to match %r{redacted}
      expect(log).not_to match %r{sesitive_data}
      # No warning or error (any letter case) anywhere in the debug log.
      expect(log).not_to match %r{warn|error}i
    end

    it 'is not exposed by a provider' do
      # Covers a mandatory secret, an optional secret and a secret wrapped in an array.
      command = "puppet apply #{common_args} -e \"test_sensitive { test_resource: secret => Sensitive('sesitive_data'), "\
        "optional_secret => Sensitive('optional sesitive_data'), array_secret => [Sensitive('array sesitive_data')] }\""
      log = combined_output(command)

      expect(log).to match %r{redacted}
      # One pattern covers all three secrets, since each contains the marker literal.
      expect(log).not_to match %r{sesitive_data}
      expect(log).not_to match %r{warn|error}i
    end

    context 'when a sensitive value is not the top level type' do
      it 'is not exposed by a provider' do
        command = "puppet apply #{common_args} -e \"test_sensitive { test_resource: secret => Sensitive('sesitive_data'), "\
          "optional_secret => Sensitive('optional sesitive_data'), variant_secret => [Sensitive('variant sesitive_data')] }\""
        log = combined_output(command)

        expect(log).to match %r{redacted}
        # NOTE(review): only the variant secret is checked here; the sibling
        # examples reject the broader %r{sesitive_data}, which would also cover
        # `secret` and `optional_secret` in this manifest -- confirm the narrower
        # pattern is intentional.
        expect(log).not_to match %r{variant sesitive_data}
        expect(log).not_to match %r{warn|error}i
      end
      it 'properly validates the sensitive type value' do
        # An Integer is wrapped where a Sensitive[String] is expected.
        command = "puppet apply #{common_args} -e \"test_sensitive { test_resource: secret => Sensitive('sesitive_data'), "\
          "optional_secret => Sensitive('optional sesitive_data'), variant_secret => [Sensitive(134679)] }\""
        log = combined_output(command)

        # The type-mismatch message may name the types involved ...
        expect(log).to match %r{Sensitive\[String\]( value)?, got Sensitive\[Integer\]}
        # ... but must not echo the rejected value itself.
        expect(log).not_to match %r{134679}
      end
    end
  end

  describe 'using `puppet resource`' do
    it 'is not exposed in the output' do
      log = combined_output("puppet resource #{common_args} test_sensitive")

      expect(log).to match %r{redacted}
      # NOTE(review): this pattern only matches the exact substrings
      # 'sesitive_datasecret' and 'test_resourcesecret'. Verify that these are the
      # values the test_sensitive fixture provider actually returns; if they are
      # not, this negative assertion can never fail and proves nothing.
      expect(log).not_to match %r{(sesitive_data|test_resource)secret}
      expect(log).not_to match %r{warn|error}i
    end
  end
end