[security] Sensitive type for gitlab_rails#487
Conversation
Indeed, updated!
LDAP credentials can be passed through gitlab_rails, which will appear in the clear in PuppetDB for the class attributes. This commit hides them from the class attributes inside PuppetDB, but still renders the password visible inside PuppetDB in the generated content of the template.
<%- if @gitlab_rails -%>
<%-
if @gitlab_rails
if @gitlab_rails.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
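Review bot: the `is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)` branch in the template can be dropped: `unwrap` returns a non-Sensitive value unchanged, as the `{"foo"=>0,"bar"=>1}.unwrap` test later in this thread shows, so a single `scope.call_function('unwrap', [@gitlab_rails])` in the ERB (or one `.unwrap` in the manifest) covers both the plain Hash and the Sensitive case. Note that `call_function` takes its arguments as an array; passing the Hash directly is what produced the "'unwrap' expects 1 argument, got 16" error quoted below.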
Is this conditional needed? I thought perhaps for some time, unwrap was a noop if the data wasn't Sensitive?
puppet apply -t -e 'notice("foo".unwrap)'
Notice: Scope(Class[main]): foo
On a type String it bailed out with an error: non-existing method.
Edit: it fails with type Hash; String is fine in ERB as long as you call it through scope.call_function.
Thing is, in an ERB template it fails; in Puppet code it's fine, I think.
Tested and fails both by calling Puppet function or plain ERB:
gitlab_rails = scope.call_function('unwrap', @gitlab_rails)
Filepath: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatcher.rb
Line: 40
Detail: 'unwrap' expects 1 argument, got 16
gitlab_rails = @gitlab_rails.unwrap
Filepath: /etc/puppetlabs/code/environments/production/modules/gitlab/templates/gitlab.rb.erb
Line: 68
Detail: undefined method `unwrap' for #<Hash:0x37327d95>
Tested and fails both by calling Puppet function or plain ERB:
gitlab_rails = scope.call_function('unwrap', @gitlab_rails)
Close! But the second argument needs to be an array of arguments to the function.
ie scope.call_function('unwrap', [@gitlab_rails]) should work I believe.
Oddly this works fine puppet apply -t -e 'notice({"foo"=>0,"bar"=>1}.unwrap)'
Works fine through Puppet code only to unwrap a type Hash.
diff --git a/manifests/omnibus_config.pp b/manifests/omnibus_config.pp
index bcef084..1720747 100644
--- a/manifests/omnibus_config.pp
+++ b/manifests/omnibus_config.pp
@@ -27,3 +27,3 @@ class gitlab::omnibus_config (
$gitlab_pages = $gitlab::gitlab_pages
- $gitlab_rails = $gitlab::gitlab_rails
+ $_gitlab_rails = $gitlab::gitlab_rails
$gitlab_sshd = $gitlab::gitlab_sshd
@@ -121,2 +121,3 @@ class gitlab::omnibus_config (
} else {
+ $gitlab_rails = $_gitlab_rails.unwrap
file { $config_file:
works fine. I can send a new patch; it avoids having a type check in ERB.
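Review bot: `$gitlab_rails = $_gitlab_rails.unwrap` is assigned only inside the `else` branch at line 121, while the first hunk renames the class-scope variable at line 27 to `$_gitlab_rails`; any reference to `$gitlab_rails` in the `if` branch (not shown here) or elsewhere in the class would now be undefined, so either unwrap right next to the rename at line 27 or confirm the other branch has no such reference. Since the unwrapped Hash is what the template renders into `$config_file`, the credentials reappear in the clear in the rendered content, which is the residual exposure the PR description itself notes; wrapping that content in `Sensitive(...)` as well would be worth considering in the same change.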
Close! But the second argument needs to be an array of arguments to the function. ie
scope.call_function('unwrap', [@gitlab_rails]) should work I believe.
Ah, true, I thought about it and forgot; I prefer this variant. I already sent a different commit, where unwrap is called from the manifest and reused in the template. In the end both are fine, and the odd condition around type checking is not needed.
Either works for me. I've approved it as-is, but if you wanted to change it, I'm happy to reapprove.
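Putting the thread's conclusion in one place, as an added example and not code from puppet-gitlab or from this PR: a class that accepts either a plain Hash or a Sensitive-wrapped Hash, unwraps it once in the manifest (so the template needs no type check), and wraps the rendered file content in Sensitive() so the rendered config is not handed to the file resource in the clear. The class name, the template path `example/gitlab.rb.epp` and its `gitlab_rails` parameter are hypothetical.

```puppet
# Added example (hypothetical class and template names, not the module's code).
class example::gitlab_config (
  # Accept both forms so callers may pass the LDAP block wrapped, e.g.
  #   gitlab_rails => Sensitive({ 'ldap_enabled' => true, 'ldap_servers' => { ... } })
  # Only this class parameter ends up in the catalog, and it stays Sensitive.
  Variant[Hash, Sensitive[Hash]] $gitlab_rails = {},
  String                         $config_file  = '/etc/gitlab/gitlab.rb',
) {
  # unwrap() returns a non-Sensitive value unchanged (the thread shows
  # {"foo"=>0,"bar"=>1}.unwrap working), so no is_a?/type check is needed.
  # Use a local variable only for rendering; do not pass it on as a parameter.
  $_rails = $gitlab_rails.unwrap

  file { $config_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    # Wrap the rendered content so the file resource carries a Sensitive value
    # rather than the plain text of the credentials. The EPP template receives
    # the unwrapped Hash explicitly and renders it like the original ERB would.
    content => Sensitive(epp('example/gitlab.rb.epp', { 'gitlab_rails' => $_rails })),
  }
}

# Usage (assumed call site):
#   class { 'example::gitlab_config':
#     gitlab_rails => Sensitive({ 'ldap_enabled' => true, 'ldap_servers' => { 'main' => { 'password' => 'hunter2' } } }),
#   }
```

If the ERB route from the thread is kept instead of EPP, the class parameter is still Sensitive inside the template and the template-side equivalent is `scope.call_function('unwrap', [@gitlab_rails])`, with the arguments passed as an array as noted above.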
Pull Request (PR) description
LDAP credentials can be passed through gitlab_rails, which will appear in the clear in PuppetDB for the class attributes.
This commit hides them from the class attributes inside PuppetDB, but still renders the password visible inside PuppetDB in the generated content of the template.
This Pull Request (PR) fixes the following issues
#486