A deferred sensitive token is not unwrapped #201

Open
traylenator opened this issue Aug 19, 2024 · 3 comments
@traylenator
Contributor

traylenator commented Aug 19, 2024

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.24
  • Ruby: 2.7
  • Distribution:
  • Module version: 5.1.0

How to reproduce (e.g Puppet code you use)

class { 'gitlab_ci_runner':
  runners => {
    'foobar' => {
      'token' => Deferred('myfunc', ['gl'])
    }
  }
}

What are you seeing

Results in the file /etc/gitlab-runner/config.toml

[[runners]]
name = "foobar"
token = #<Sensitive [value redacted]>

What behaviour did you expect instead

The file should contain the token retrieved in a deferred context.

Output log

Any additional information you'd like to impart

Problem is around here: https://github.com/voxpupuli/puppet-gitlab_ci_runner/blob/master/manifests/runner.pp#L108

Where it does:

$content = { 'runners' => [{ 'name' => 'foobar', 'token' => Deferred('myfunc', ['gl']) }] }

concat::fragment { ...
   target  => ...,
   content => Deferred('gitlab_ci_runner::to_toml', [$content]),
}

I believe you need to .unwrap the value of the token before passing it to the ::to_toml function but I'm failing to
understand how to do that.

@traylenator
Contributor Author

$_foo = {
  'x' => 'y',
  'a' => Sensitive('b'),
}

$_bar = $_foo.each | $_k, $_v | { { $_k => $_v.unwrap } }.reduce | $_memo, $_hash | { $_memo + $_hash }

notify{"With Map ${_bar}":}

$_direct = {
  'x' => 'y',
  'a' => Sensitive('b').unwrap,
}

notify{"Direct ${_direct}":}

results in:

Notice: Compiled catalog for aiadm86.cern.ch in environment production in 0.02 seconds
Notice: With Map [x, y, a, Sensitive [value redacted]]
Notice: /Stage[main]/Main/Notify[With Map [x, y, a, Sensitive [value redacted]]]/message: defined 'message' as 'With Map [x, y, a, Sensitive [value redacted]]'
Notice: Direct {x => y, a => b}
Notice: /Stage[main]/Main/Notify[Direct {x => y, a => b}]/message: defined 'message' as 'Direct {x => y, a => b}'
Notice: Applied catalog in 0.01 seconds

Why are the two notifies not the same?
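
As an added illustration (not code from the issue or from the module), this Ruby sketch models the failure in the first comment and a recursive unwrap of the kind the second comment attempts. The `Sensitive` class, `render_runner`, `deep_unwrap` and the token value are stand-ins constructed for the example, not Puppet's or the module's implementation.

```ruby
# Stand-in for Puppet's Sensitive wrapper (constructed for this example).
class Sensitive
  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  # Redact on every string conversion, matching the config.toml output in the issue.
  def to_s
    '#<Sensitive [value redacted]>'
  end
  alias inspect to_s
end

# Hypothetical minimal renderer: strings are quoted, anything else is interpolated.
def render_runner(runner)
  lines = ['[[runners]]']
  runner.each do |key, value|
    rendered = value.is_a?(String) ? value.inspect : value.to_s
    lines << "#{key} = #{rendered}"
  end
  lines.join("\n")
end

# Recursively replace Sensitive wrappers found anywhere in nested hashes and arrays.
def deep_unwrap(data)
  case data
  when Sensitive then deep_unwrap(data.unwrap)
  when Hash      then data.to_h { |k, v| [k, deep_unwrap(v)] }
  when Array     then data.map { |v| deep_unwrap(v) }
  else data
  end
end

# Constructed sample: the data shape from the issue once the Deferred has resolved.
CONTENT = { 'runners' => [{ 'name' => 'foobar', 'token' => Sensitive.new('constructed-token') }] }.freeze

# Rendering the wrapped value writes the redaction marker into the file.
def wrapped_output
  render_runner(CONTENT['runners'].first)
end

# Unwrapping the whole structure first yields the real token.
def unwrapped_output
  render_runner(deep_unwrap(CONTENT)['runners'].first)
end
```

Once unwrapped, the token is plain text in the rendered content, which is why the workaround later in the thread sets `show_diff => false` on the target file.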

@traylenator
Contributor Author

I see this is what I am looking for - puppetlabs/puppetlabs-stdlib#1418

@traylenator
Contributor Author

traylenator commented Aug 19, 2024

With this module it is easy to work around since config is already created in concat:

class { 'gitlab_ci_runner':
  runners => {
    'foobar' => {
    }
  }
}
# Work around for https://github.com/voxpupuli/puppet-gitlab_ci_runner/issues/201
Concat_file <| title == '/etc/gitlab-runner/config.toml' |> {
  show_diff => false,
}
concat::fragment{'add_token':
  target  => '/etc/gitlab-runner/config.toml',
  order   => '3',
  content => Deferred('inline_epp',['token = "<%= $token %>"',{ 'token' => Deferred('myfunc', ['gl'])}]),
}
