(GH-95) Wrap hiera return in puppet sensitive data type (#96)

TraGicCode · web-flow · commit ee2fe031033a · 2022-08-14T16:28:16.000-05:00
diff --git a/lib/puppet/functions/azure_key_vault/lookup.rb b/lib/puppet/functions/azure_key_vault/lookup.rb
@@ -5,6 +5,7 @@
     param 'Variant[String, Numeric]', :secret_name
     param 'Struct[{vault_name => String, vault_api_version => String, metadata_api_version => String, confine_to_keys => Array[String], Optional[key_replacement_token] => String}]', :options
     param 'Puppet::LookupContext', :context
+    return_type 'Variant[Sensitive, Undef]'
   end
 
   def lookup_key(secret_name, options, context)
@@ -31,7 +32,7 @@ def lookup_key(secret_name, options, context)
 
     normalized_secret_name = TragicCode::Azure.normalize_object_name(secret_name, options['key_replacement_token'] || '-')
     context.explain { "Using normalized KeyVault secret key for lookup: #{normalized_secret_name}" }
-    return context.cached_value(normalized_secret_name) if context.cache_has_key(normalized_secret_name)
+    return Puppet::Pops::Types::PSensitiveType::Sensitive.new(context.cached_value(normalized_secret_name)) if context.cache_has_key(normalized_secret_name)
     access_token = context.cached_value('access_token')
     if access_token.nil?
       access_token = TragicCode::Azure.get_access_token(options['metadata_api_version'])
@@ -54,6 +55,6 @@ def lookup_key(secret_name, options, context)
       context.not_found
       return
     end
-    context.cache(normalized_secret_name, secret_value)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(context.cache(normalized_secret_name, secret_value))
   end
 end
diff --git a/lib/puppet/functions/azure_key_vault/secret.rb b/lib/puppet/functions/azure_key_vault/secret.rb
@@ -2,7 +2,7 @@
 
 # Retrieves secrets from Azure's Key Vault.
 Puppet::Functions.create_function(:'azure_key_vault::secret', Puppet::Functions::InternalFunction) do
-  # @param vault_name Name of the vault in your Azure subcription.
+  # @param vault_name Name of the vault in your Azure subscription.
   # @param secret_name Name of the secret to be retrieved.
   # @param api_versions_hash A Hash of the exact versions of the metadata_api_version and vault_api_version to use.
   # @param secret_version The version of the secret you want to retrieve.  This parameter is optional and if not passed the default behavior is to retrieve the latest version.
@@ -13,6 +13,7 @@
     required_param 'String', :secret_name
     required_param 'Hash',   :api_versions_hash
     optional_param 'String', :secret_version
+    return_type 'Sensitive[String]'
   end
 
   def secret(cache, vault_name, secret_name, api_versions_hash, secret_version = '')
diff --git a/spec/functions/azure_key_vault_lookup_spec.rb b/spec/functions/azure_key_vault_lookup_spec.rb
@@ -32,13 +32,17 @@
       'profile::windows::sqlserver::sensitive_azure_sql_user_password', { 'key1' => 'value1' }, lookup_context
     ).and_raise_error(ArgumentError)
   end
+
+  # rubocop:disable RSpec/NamedSubject
   it 'uses the cache' do
     expect(lookup_context).to receive(:cache_has_key).with('profile--windows--sqlserver--sensitive-azure-sql-user-password').and_return(true)
     expect(lookup_context).to receive(:cached_value).with('profile--windows--sqlserver--sensitive-azure-sql-user-password').and_return('value')
-    is_expected.to run.with_params(
-      'profile::windows::sqlserver::sensitive_azure_sql_user_password', options, lookup_context
-    ).and_return('value')
+
+    expect(subject.execute('profile::windows::sqlserver::sensitive_azure_sql_user_password', options, lookup_context).unwrap).to eq 'value'
   end
+  # rubocop:enable RSpec/NamedSubject
+
+  # rubocop:disable RSpec/NamedSubject
   it 'caches the access token after a cache miss' do
     access_token_value = 'access_value'
     secret_value = 'secret_value'
@@ -48,10 +52,10 @@
     expect(lookup_context).to receive(:cache).with('access_token', access_token_value).ordered
     expect(TragicCode::Azure).to receive(:get_secret).and_return(secret_value)
     expect(lookup_context).to receive(:cache).and_return(secret_value).ordered
-    is_expected.to run.with_params(
-      'profile::windows::sqlserver::sensitive_azure_sql_user_password', options, lookup_context
-    ).and_return(secret_value)
+
+    expect(subject.execute('profile::windows::sqlserver::sensitive_azure_sql_user_password', options, lookup_context).unwrap).to eq secret_value
   end
+  # rubocop:enable RSpec/NamedSubject
 
   it 'call context.not_found for the lookup_options key' do
     expect(lookup_context).to receive(:not_found)
@@ -60,17 +64,18 @@
     )
   end
 
+  # rubocop:disable RSpec/NamedSubject
   it 'uses - as the default key_replacement_token' do
     secret_name = 'profile::windows::sqlserver::sensitive_azure_sql_user_password'
     access_token_value = 'access_value'
     secret_value = 'secret_value'
     expect(TragicCode::Azure).to receive(:normalize_object_name).with(secret_name, '-')
     expect(TragicCode::Azure).to receive(:get_access_token).and_return(access_token_value)
     expect(TragicCode::Azure).to receive(:get_secret).and_return(secret_value)
-    is_expected.to run.with_params(
-      'profile::windows::sqlserver::sensitive_azure_sql_user_password', options, lookup_context
-    ).and_return(secret_value)
+
+    expect(subject.execute('profile::windows::sqlserver::sensitive_azure_sql_user_password', options, lookup_context).unwrap).to eq secret_value
   end
+  # rubocop:enable RSpec/NamedSubject
 
   it 'errors when confine_to_keys is no array' do
     is_expected.to run.with_params(
@@ -84,15 +89,17 @@
     ).and_raise_error(ArgumentError, %r{creating regexp failed with}i)
   end
 
+  # rubocop:disable RSpec/NamedSubject
   it 'returns the key if regex matches confine_to_keys' do
     access_token_value = 'access_value'
     secret_value = 'secret_value'
     expect(TragicCode::Azure).to receive(:get_access_token).and_return(access_token_value)
     expect(TragicCode::Azure).to receive(:get_secret).and_return(secret_value)
-    is_expected.to run.with_params(
-      'profile::windows::sqlserver::sensitive_azure_sql_user_password', options.merge({ 'confine_to_keys' => ['^.*sensitive_azure.*'] }), lookup_context
-    ).and_return(secret_value)
+
+    expect(subject.execute('profile::windows::sqlserver::sensitive_azure_sql_user_password', options.merge({ 'confine_to_keys' => ['^.*sensitive_azure.*'] }), lookup_context).unwrap)
+      .to eq secret_value
   end
+  # rubocop:enable RSpec/NamedSubject
 
   it 'does not return the key if regex does not match confine_to_keys' do
     access_token_value = 'access_value'
@@ -118,4 +125,16 @@
       'profile::windows::sqlserver::sensitive_azure_sql_user_password', options.merge({ 'confine_to_keys' => ['^.*sensitive_azure.*'] }), lookup_context
     )
   end
+
+  # rubocop:disable RSpec/NamedSubject
+  it 'returns the secret wrapped in the sensitive data type' do
+    access_token_value = 'access_value'
+    secret_value = 'secret_value'
+    expect(TragicCode::Azure).to receive(:get_access_token).and_return(access_token_value)
+    expect(TragicCode::Azure).to receive(:get_secret).and_return(secret_value)
+
+    expect(subject.execute('profile::windows::sqlserver::sensitive_azure_sql_user_password', options.merge({ 'confine_to_keys' => ['^.*sensitive_azure.*'] }), lookup_context))
+      .to be_an_instance_of(Puppet::Pops::Types::PSensitiveType::Sensitive)
+  end
+  # rubocop:enable RSpec/NamedSubject
 end
