Merge pull request #757 from syseleven/support-sensitive

Allow content parameter of concat_fragment to be Sensitive

Author: LukasAud

lib/puppet/type/concat_file.rb

@@ -314,7 +314,7 @@ def fragment_content(r)
 
     if self[:ensure_newline]
       newline = Puppet::Util::Platform.windows? ? "\r\n" : "\n"
-      fragment_content << newline unless %r{#{newline}\Z}.match?(fragment_content)
+      fragment_content = fragment_content.dup << newline unless %r{#{newline}\Z}.match?(fragment_content)
     end
 
     fragment_content

lib/puppet/type/concat_fragment.rb

@@ -94,4 +94,13 @@
     # Check if both are set, if so rais error
     raise Puppet::ParseError, _("Can't use 'source' and 'content' at the same time") if !self[:source].nil? && !self[:content].nil?
   end
+
+  def set_sensitive_parameters(sensitive_parameters)
+    # Respect sensitive https://tickets.puppetlabs.com/browse/PUP-10950
+    if sensitive_parameters.include?(:content)
+      sensitive_parameters.delete(:content)
+      parameter(:content).sensitive = true
+    end
+    super(sensitive_parameters)
+  end
 end

manifests/fragment.pp

@@ -17,10 +17,10 @@
 #   Specifies the destination file of the fragment. Valid options: a string containing the path or title of the parent concat resource.
 #
 define concat::fragment (
-  String                              $target,
-  Optional[Variant[String, Deferred]] $content = undef,
-  Optional[Variant[String, Array]]    $source  = undef,
-  Variant[String, Integer]            $order   = '10',
+  String                                                 $target,
+  Optional[Variant[Sensitive[String], String, Deferred]] $content = undef,
+  Optional[Variant[String, Array]]                       $source  = undef,
+  Variant[String, Integer]                               $order   = '10',
 ) {
   $resource = 'Concat::Fragment'
 

spec/acceptance/fragment_sensitive_content_spec.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+describe 'sensitive content' do
+  attr_reader :basedir
+
+  before(:all) do
+    @basedir = setup_test_directory
+  end
+
+  describe 'file' do
+    let(:pp) do
+      <<-MANIFEST
+        concat { '#{basedir}/sensitive_file': }
+
+        concat::fragment { '1':
+          target  => '#{basedir}/sensitive_file',
+          content => 'user=',
+        }
+
+        concat::fragment { '2':
+          target  => '#{basedir}/sensitive_file',
+          content => Sensitive('password'),
+        }
+      MANIFEST
+    end
+
+    it 'idempotent, file matches' do
+      idempotent_apply(pp)
+      expect(file("#{basedir}/sensitive_file")).to be_file
+      expect(file("#{basedir}/sensitive_file").content).to match 'user=password'
+    end
+  end
+end

spec/defines/concat_fragment_spec.rb

@@ -64,12 +64,22 @@
       end
     end
 
+    context 'when Sensitive' do
+      let(:title) { 'authentication' }
+      let(:content) { sensitive('password') }
+      let(:params) { { content: content, target: '/etc/authentication' } }
+
+      it do
+        is_expected.to contain_concat_fragment(title).with(content: content)
+      end
+    end
+
     context 'when false' do
       let(:title) { 'motd_header' }
       let(:params) { { content: false, target: '/etc/motd' } }
 
       it 'fails' do
-        expect { catalogue }.to raise_error(Puppet::Error, %r{expects a value of type Undef( or String|, String, or Deferred), got Boolean})
+        expect { catalogue }.to raise_error(Puppet::Error, %r{expects a value of type Undef, Sensitive\[String\], String, or Deferred, got Boolean})
       end
     end
   end