consul::config::config_hash "leaks" Sensitive data in Puppet catalog #698
Description
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 8.10.0
- Ruby: 3.2.5
- Distribution: All
- Module version: 9.2.0
What are you seeing
In init.pp $config_hash is unwrapped and merged with $config_defaults:
$_config_hash = $config_hash ? {
Sensitive => $config_hash.unwrap,
default => $config_hash
}
$config_hash_real = deep_merge($config_defaults, $_config_hash)
Class['consul::config'] references the unwrapped hash $config_hash_real:
class consul::config (
Hash $config_hash = $consul::config_hash_real,
...
) {
- The class parameter does not handle Sensitive[Hash]
- Because
$config_hash_realis unwrappedClass['consul::config']does not havesensitive_parametersin Puppet catalog
{
"type": "Class",
"title": "Consul::Config",
"parameters": {
"config_hash": {
"encrypt": "v3Ry_$ecU&3_%$?!"
}
}
}
while Class['consul'] has it
{
"type": "Class",
"title": "Consul",
"parameters": {
"config_hash": {
"encrypt": "v3Ry_$ecU&3_%$?!"
}
},
"sensitive_parameters": [
"config_hash"
]
}
What behaviour did you expect instead
I'd expect the class parameter consul::config::config_hash to be Sensitive as well if consul::config_hash is Sensitive