Commit c6b2ebf

Unwrap sensitive values in error messages

When sensitive values are compared and do not match, the produced error message does not help for debugging:

```
1) postgresql::server::role with Password Datatype Sensitive[String] has alter role for "test" user with password as ****
   Failure/Error:
     is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
       .with('command' => sensitive('ALTER ROLE "test" ENCRYPTED PASSWORD \'new-pa$s\''),
             'sensitive' => 'true',
             'unless' => sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'"),
             'port' => '5432')

     expected that the catalogue would contain Postgresql_psql[ALTER ROLE test ENCRYPTED PASSWORD ****] with command set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'") but it is set to #<Sensitive [value redacted]>, and parameter unless set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'") but it is set to #<Sensitive [value redacted]>
     Diff:
       <The diff is empty, are your objects producing identical `#inspect` output?>
   # ./spec/defines/server/role_spec.rb:56:in `block (3 levels) in <top (required)>'
   # /usr/home/romain/.gem/ruby/3.0/bin/rspec:25:in `load'
   # /usr/home/romain/.gem/ruby/3.0/bin/rspec:25:in `<main>'
```

With this change, the sensitive values are unwrapped, which allows spotting the missing unwraps in unit tests:

```
1) postgresql::server::role with Password Datatype Sensitive[String] has alter role for "test" user with password as ****
   Failure/Error:
     is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
       .with('command' => sensitive('ALTER ROLE "test" ENCRYPTED PASSWORD \'new-pa$s\''),
             'sensitive' => 'true',
             'unless' => sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'"),
             'port' => '5432')

     expected that the catalogue would contain Postgresql_psql[ALTER ROLE test ENCRYPTED PASSWORD ****] with command set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'") but it is set to Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'Sensitive [value redacted]'"), and parameter unless set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'") but it is set to Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'Sensitive [value redacted]'")
     Diff:
     @@ -1,4 +1,4 @@
     -Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'new-pa$s'")
     +Sensitive("ALTER ROLE \"test\" ENCRYPTED PASSWORD 'Sensitive [value redacted]'")
     -Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'new-pa$s'")
     +Sensitive("SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'Sensitive [value redacted]'")
```

1 parent 9f93612 commit c6b2ebf

3 files changed: +30 -0 lines changed

lib/rspec-puppet/matchers/parameter_matcher.rb

Lines changed: 4 additions & 0 deletions
@@ -24,6 +24,10 @@ def matches?(resource)
2424
actual = resource[@parameter]
2525
expected = @value
2626

27+
if actual.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
28+
actual = RSpec::Puppet::Sensitive.new(actual.unwrap)
29+
end
30+
2731
# Puppet flattens an array with a single value into just the value and
2832
# this can cause confusion when testing as people expect when you put
2933
# an array in, you'll get an array out.
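
Review bot: the new `actual.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)` branch makes every failed match print the real wrapped value from the catalogue, so any secret that reaches the catalogue from real data (rather than a test fixture) now lands in test output and CI logs. That is the intent of the change, but it deserves a line in the README or changelog, and possibly a setting to keep the redacted form. The branch also only handles a top-level Sensitive: a Sensitive nested inside an array or hash parameter stays wrapped, so either unwrap recursively or add a comment saying this case is deliberately left out.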

lib/rspec-puppet/sensitive.rb

Lines changed: 5 additions & 0 deletions
@@ -23,6 +23,11 @@ def inspect
2323
"Sensitive(#{@value.inspect})"
2424
end
2525

26+
# @return the unwrapped value (needed to show diff)
27+
def to_s
28+
inspect
29+
end
30+
2631
# Check for equality with another value.
2732
# If compared to Puppet Sensitive type, it compares the wrapped values.
2833
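
Review bot: the doc comment on the new `to_s` says it returns "the unwrapped value", but the method returns `inspect`, which is the string `Sensitive(...)` wrapped around the inspected value. Reword it to something like `# @return [String] the inspect form, including the wrapped value (needed to show diff)`. Since the body is only `inspect`, `alias to_s inspect` would also do. Note that with this `to_s`, any string interpolation of the object now includes the wrapped value, which is worth stating in the comment.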

spec/unit/matchers/parameter_matcher_spec.rb

Lines changed: 21 additions & 0 deletions
@@ -93,5 +93,26 @@
9393
expect(subject.matches?(:foo_parameter => nil)).to be(false)
9494
end
9595
end
96+
97+
context 'with sensitive("foo") expected' do
98+
subject do
99+
described_class.new(:foo_parameter, RSpec::Puppet::Sensitive.new("foo"), :should)
100+
end
101+
102+
it 'matches sensitive("foo")' do
103+
expect(subject.matches?(:foo_parameter => RSpec::Puppet::Sensitive.new("foo"))).to be(true)
104+
expect(subject.errors.size).to eq(0)
105+
end
106+
it 'does not match sensitive("bar")' do
107+
expect(subject.matches?(:foo_parameter => RSpec::Puppet::Sensitive.new("bar"))).to be(false)
108+
expect(subject.errors.size).to eq(1)
109+
expect(subject.errors[0].message).to eq('foo_parameter set to Sensitive("foo") but it is set to Sensitive("bar")')
110+
end
111+
it 'does not matches "foo"' do
112+
expect(subject.matches?(:foo_parameter => "foo")).to be(false)
113+
expect(subject.errors.size).to eq(1)
114+
expect(subject.errors[0].message).to eq('foo_parameter set to Sensitive("foo") but it is set to "foo"')
115+
end
116+
end
96117
end
97118
end
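
Review bot: none of the three new examples passes a `Puppet::Pops::Types::PSensitiveType::Sensitive` as the actual value; they all use `RSpec::Puppet::Sensitive.new(...)` or a plain string, so the unwrap branch added in parameter_matcher.rb is not exercised by this spec. Add a case whose actual value is a Puppet Sensitive and assert on the resulting error message. The reverse mismatch (plain `"foo"` expected, Sensitive actual) would also be worth covering. Minor: the description 'does not matches "foo"' should read 'does not match "foo"'.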
