From f2f8bc2db50e86905683fca307153dee70473e53 Mon Sep 17 00:00:00 2001
From: Chris Roberts
Date: Mon, 15 Jan 2018 07:23:47 -0800
Subject: [PATCH 1/2] Add Vagrantfile configuration option to register sensitive values

---
 plugins/kernel_v2/config/vagrant.rb | 18 +++++++++
 templates/locales/en.yml | 3 ++
 .../plugins/kernel_v2/config/vagrant_test.rb | 39 +++++++++++++++++++
 .../docs/vagrantfile/vagrant_settings.html.md | 4 ++
 4 files changed, 64 insertions(+)

diff --git a/plugins/kernel_v2/config/vagrant.rb b/plugins/kernel_v2/config/vagrant.rb
index 344fd2486..951383db7 100644
--- a/plugins/kernel_v2/config/vagrant.rb
+++ b/plugins/kernel_v2/config/vagrant.rb
@@ -4,14 +4,32 @@ module VagrantPlugins
 module Kernel_V2
 class VagrantConfig < Vagrant.plugin("2", :config)
 attr_accessor :host
+ attr_accessor :sensitive
 
 def initialize
 @host = UNSET_VALUE
+ @sensitive = UNSET_VALUE
 end
 
 def finalize!
 @host = :detect if @host == UNSET_VALUE
 @host = @host.to_sym if @host
+ @sensitive = nil if @sensitive == UNSET_VALUE
+
+ if @sensitive.is_a?(Array) || @sensitive.is_a?(String)
+ Array(@sensitive).each do |value|
+ Vagrant::Util::CredentialScrubber.sensitive(value.to_s)
+ end
+ end
+ end
+
+ def validate(machine)
+ errors = _detected_errors
+
+ if @sensitive && (!@sensitive.is_a?(Array) && !@sensitive.is_a?(String))
+ errors << I18n.t("vagrant.config.root.sensitive_bad_type")
+ end
+ {"vagrant" => errors}
 end
 
 def to_s
diff --git a/templates/locales/en.yml b/templates/locales/en.yml
index d8a6986c0..99f5dad2e 100644
--- a/templates/locales/en.yml
+++ b/templates/locales/en.yml
@@ -1629,6 +1629,9 @@ en:
 Unknown configuration section '%{key}'. If this section was part of a Vagrant 1.0.x plugin, note that 1.0.x plugins are incompatible with 1.1+. root: + sensitive_bad_type: |- Invalid type provided for `sensitive`. The sensitive option expects a string + or an array of strings. bad_key: |- Unknown configuration section '%{key}'. ssh: 
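Review bot: `finalize!` registers `value.to_s` for every element of `@sensitive` without skipping nil or empty entries, so a list item such as an unset `ENV["MY_TOKEN"]` (the form the docs hunk later in this series shows) registers `""` as a sensitive string; the scrubber's implementation is not visible here, but if it substitutes with `String#gsub` an empty pattern matches at every position and would mangle all output, so add `next if value.nil? || value.to_s.empty?` before the `CredentialScrubber.sensitive` call. `validate` also checks only the container type, so an array of integers or nested arrays passes validation while `finalize!` has already registered their `to_s` forms, which does not match what the `sensitive_bad_type` message promises; consider `errors << I18n.t("vagrant.config.root.sensitive_bad_type") unless Array(@sensitive).all? { |v| v.nil? || v.is_a?(String) }`. Note that registration happens in `finalize!`, which runs before `validate`, so a configuration that is then rejected has still registered values with the global scrubber. The enclosing `VagrantConfig` class and `module VagrantPlugins` begin and end outside the hunk.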
diff --git a/test/unit/plugins/kernel_v2/config/vagrant_test.rb b/test/unit/plugins/kernel_v2/config/vagrant_test.rb
index d3b876942..ece682f51 100644
--- a/test/unit/plugins/kernel_v2/config/vagrant_test.rb
+++ b/test/unit/plugins/kernel_v2/config/vagrant_test.rb
@@ -5,6 +5,8 @@ require Vagrant.source_root.join("plugins/kernel_v2/config/vagrant")
 describe VagrantPlugins::Kernel_V2::VagrantConfig do
 subject { described_class.new }
 
+ let(:machine){ double("machine") }
+
 describe "#host" do
 it "defaults to :detect" do
 subject.finalize!
@@ -17,4 +19,41 @@ describe VagrantPlugins::Kernel_V2::VagrantConfig do
 expect(subject.host).to eq(:foo)
 end
 end
+
+ describe "#sensitive" do
+ after{ Vagrant::Util::CredentialScrubber.reset! }
+
+ it "accepts string value" do
+ subject.sensitive = "test"
+ subject.finalize!
+ expect(subject.sensitive).to eq("test")
+ end
+
+ it "accepts array of values" do
+ subject.sensitive = ["test1", "test2"]
+ subject.finalize!
+ expect(subject.sensitive).to eq(["test1", "test2"])
+ end
+
+ it "does not accept non-string values" do
+ subject.sensitive = 1
+ subject.finalize!
+ result = subject.validate(machine)
+ expect(result).to be_a(Hash)
+ expect(result.values).not_to be_empty
+ end
+
+ it "registers single sensitive value to be scrubbed" do
+ subject.sensitive = "test"
+ expect(Vagrant::Util::CredentialScrubber).to receive(:sensitive).with("test")
+ subject.finalize!
+ end
+
+ it "registers multiple sensitive values to be scrubbed" do
+ subject.sensitive = ["test1", "test2"]
+ expect(Vagrant::Util::CredentialScrubber).to receive(:sensitive).with("test1")
+ expect(Vagrant::Util::CredentialScrubber).to receive(:sensitive).with("test2")
+ subject.finalize!
+ end
+ end
 end
diff --git a/website/source/docs/vagrantfile/vagrant_settings.html.md b/website/source/docs/vagrantfile/vagrant_settings.html.md
index 1580fb55b..460f28fbf 100644
--- a/website/source/docs/vagrantfile/vagrant_settings.html.md
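Review bot: The new `#sensitive` examples in the second hunk never exercise an array containing nil or non-string elements, which is the realistic case given the `ENV["MY_TOKEN"]` form the docs hunk in this series documents; with the code in the first hunk `["test1", nil]` registers `""` with the scrubber and passes `validate`, and no example pins whether that is intended. Add an example that fixes the behaviour one way or the other, for instance asserting that the scrubber never receives an empty string. The examples also depend on process-global scrubber state and correctly rely on the `after` hook to `reset!`; as a point of style, `let(:machine){ double("machine") }` and `after{ ... }` should take a space before the block brace to match the file's `subject { ... }`.
```ruby
    # … unchanged: existing "#sensitive" examples …
    it "does not register nil or empty values" do
      subject.sensitive = ["test1", nil, ""]
      expect(Vagrant::Util::CredentialScrubber).to receive(:sensitive).with("test1")
      expect(Vagrant::Util::CredentialScrubber).not_to receive(:sensitive).with("")
      subject.finalize!
    end
```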
+++ b/website/source/docs/vagrantfile/vagrant_settings.html.md
@@ -21,3 +21,7 @@ Vagrant. By default this is `:detect`, which causes Vagrant to auto-detect the host. Vagrant needs to know this information in order to perform some host-specific things, such as preparing NFS folders if they're enabled. You should only manually set this if auto-detection fails.
+
+`config.vagrant.sensitive` - (string, array) - Value or list of values that
+should not be displayed in Vagrant's output. Value(s) will be removed from
+Vagrant's normal UI output as well as logger output.

From 3fc293d621a62a43d26cdaffc84c46c3a1e3bafa Mon Sep 17 00:00:00 2001
From: Chris Roberts
Date: Tue, 16 Jan 2018 16:04:32 -0800
Subject: [PATCH 2/2] Add example for sensitive option

---
 website/source/docs/vagrantfile/vagrant_settings.html.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/website/source/docs/vagrantfile/vagrant_settings.html.md b/website/source/docs/vagrantfile/vagrant_settings.html.md
index 460f28fbf..e0a9de414 100644
--- a/website/source/docs/vagrantfile/vagrant_settings.html.md
+++ b/website/source/docs/vagrantfile/vagrant_settings.html.md
@@ -25,3 +25,7 @@ You should only manually set this if auto-detection fails.
 `config.vagrant.sensitive` - (string, array) - Value or list of values that
 should not be displayed in Vagrant's output. Value(s) will be removed from
 Vagrant's normal UI output as well as logger output.
+
+```ruby
+config.vagrant.sensitive = ["MySecretPassword", ENV["MY_TOKEN"]]
+```