Commit 7b029c4

Unwrap sensitive values in error messages
When sensitive values are compared and do not match, the produced error message does not help for debugging:

```
1) postgresql::server::role with Password Datatype Sensitive[String] has alter role for "test" user with password as ****
   Failure/Error:
     is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
       .with('command' => sensitive('ALTER ROLE "test" ENCRYPTED PASSWORD \'new-pa$s\''),
             'sensitive' => 'true',
             'unless' => sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'"),
             'port' => '5432')

     expected that the catalogue would contain Postgresql_psql[ALTER ROLE test ENCRYPTED PASSWORD ****] with command set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'") but it is set to #<Sensitive [value redacted]>, and parameter unless set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'") but it is set to #<Sensitive [value redacted]>
     Diff:
       <The diff is empty, are your objects producing identical `#inspect` output?>
   # ./spec/defines/server/role_spec.rb:56:in `block (3 levels) in <top (required)>'
   # /usr/home/romain/.gem/ruby/3.0/bin/rspec:25:in `load'
   # /usr/home/romain/.gem/ruby/3.0/bin/rspec:25:in `<main>'
```

With this change, the sensitive values are unwrapped, which allows spotting the missing unwraps in unit tests:

```
1) postgresql::server::role with Password Datatype Sensitive[String] has alter role for "test" user with password as ****
   Failure/Error:
     is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
       .with('command' => sensitive('ALTER ROLE "test" ENCRYPTED PASSWORD \'new-pa$s\''),
             'sensitive' => 'true',
             'unless' => sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'"),
             'port' => '5432')

     expected that the catalogue would contain Postgresql_psql[ALTER ROLE test ENCRYPTED PASSWORD ****] with command set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'") but it is set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'Sensitive [value redacted]'"), and parameter unless set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'") but it is set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'Sensitive [value redacted]'")
     Diff:
     @@ -1,4 +1,4 @@
     -Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'")
     +Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'Sensitive [value redacted]'")
     -Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'")
     +Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'Sensitive [value redacted]'")
```
1 parent b478497 commit 7b029c4

3 files changed

+30
-0
lines changed

lib/rspec-puppet/matchers/parameter_matcher.rb

Lines changed: 4 additions & 0 deletions
@@ -28,6 +28,10 @@ def matches?(resource)
2828
actual = resource[@parameter]
2929
expected = @value
3030

31+
if actual.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
32+
actual = RSpec::Puppet::Sensitive.new(actual.unwrap)
33+
end
34+
3135
# Puppet flattens an array with a single value into just the value and
3236
# this can cause confusion when testing as people expect when you put
3337
# an array in, you'll get an array out.
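
Review bot: the new `if actual.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)` block has no comment, and its effect is security-relevant: once `actual` is rewrapped with `actual.unwrap`, a failed expectation prints the catalogue's secret in cleartext in the failure message and diff, and that output usually ends up in CI logs. That is the intent stated in the commit message, so it deserves a comment above the block saying so, in the style of the array-flattening comment just below, plus a line in the matcher documentation telling users to keep real credentials out of spec fixtures. The rewrap also runs whether or not `expected` is a Sensitive, so a plain expected value is now compared against an `RSpec::Puppet::Sensitive` rather than the Puppet type; a spec for that combination would pin the behaviour down.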

lib/rspec-puppet/sensitive.rb

Lines changed: 5 additions & 0 deletions
@@ -25,6 +25,11 @@ def inspect
2525
"Sensitive(#{@value.inspect})"
2626
end
2727

28+
# @return the unwrapped value (needed to show diff)
29+
def to_s
30+
inspect
31+
end
32+
2833
# Check for equality with another value.
2934
# If compared to Puppet Sensitive type, it compares the wrapped values.
3035
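
Review bot: the doc comment on `to_s` says it returns "the unwrapped value", but the method returns `inspect`, that is the string `Sensitive(<value.inspect>)` built just above. Reword it to something like `# @return [String] same as #inspect, so failure messages and diffs show the wrapped value`, which also gives the YARD tag its type. Since `to_s` is what string interpolation calls, any `"#{...}"` on an `RSpec::Puppet::Sensitive` will now emit the secret; if that is only wanted for diff output, say so in the comment so later callers do not interpolate these objects into logs by accident.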

spec/unit/matchers/parameter_matcher_spec.rb

Lines changed: 21 additions & 0 deletions
@@ -108,5 +108,26 @@
108108
expect(subject.matches?(foo_parameter: nil)).to be(false)
109109
end
110110
end
111+
112+
context 'with sensitive("foo") expected' do
113+
subject do
114+
described_class.new(:foo_parameter, RSpec::Puppet::Sensitive.new("foo"), :should)
115+
end
116+
117+
it 'matches sensitive("foo")' do
118+
expect(subject.matches?(:foo_parameter => RSpec::Puppet::Sensitive.new("foo"))).to be(true)
119+
expect(subject.errors.size).to eq(0)
120+
end
121+
it 'does not match sensitive("bar")' do
122+
expect(subject.matches?(:foo_parameter => RSpec::Puppet::Sensitive.new("bar"))).to be(false)
123+
expect(subject.errors.size).to eq(1)
124+
expect(subject.errors[0].message).to eq('foo_parameter set to Sensitive("foo") but it is set to Sensitive("bar")')
125+
end
126+
it 'does not matches "foo"' do
127+
expect(subject.matches?(:foo_parameter => "foo")).to be(false)
128+
expect(subject.errors.size).to eq(1)
129+
expect(subject.errors[0].message).to eq('foo_parameter set to Sensitive("foo") but it is set to "foo"')
130+
end
131+
end
111132
end
112133
end
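
Review bot: none of the three added examples passes a `Puppet::Pops::Types::PSensitiveType::Sensitive` as the actual value; they all use `RSpec::Puppet::Sensitive.new(...)` or a plain string, so the new `is_a?` branch in lib/rspec-puppet/matchers/parameter_matcher.rb is never executed by this spec. Add an example whose actual parameter is the Puppet type wrapping "bar" and assert the same 'foo_parameter set to Sensitive("foo") but it is set to Sensitive("bar")' message. Two style points: the description 'does not matches "foo"' should read 'does not match "foo"', and the new examples use `:foo_parameter => ...` while the context line above uses `foo_parameter: nil`.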
