Merge pull request #9369 from chrisroberts/e-generic-sensitive

Add Vagrantfile configuration option to register sensitive values

plugins/kernel_v2/config/vagrant.rb

@@ -4,14 +4,32 @@ module VagrantPlugins
   module Kernel_V2
     class VagrantConfig < Vagrant.plugin("2", :config)
       attr_accessor :host
+      attr_accessor :sensitive
 
       def initialize
         @host = UNSET_VALUE
+        @sensitive = UNSET_VALUE
       end
 
       def finalize!
         @host = :detect if @host == UNSET_VALUE
         @host = @host.to_sym if @host
+        @sensitive = nil if @sensitive == UNSET_VALUE
+
+        if @sensitive.is_a?(Array) || @sensitive.is_a?(String)
+          Array(@sensitive).each do |value|
+            Vagrant::Util::CredentialScrubber.sensitive(value.to_s)
+          end
+        end
+      end
+
+      def validate(machine)
+        errors = _detected_errors
+
+        if @sensitive && (!@sensitive.is_a?(Array) && !@sensitive.is_a?(String))
+          errors << I18n.t("vagrant.config.root.sensitive_bad_type")
+        end
+        {"vagrant" => errors}
       end
 
       def to_s

templates/locales/en.yml

@@ -1629,6 +1629,9 @@ en:
           Unknown configuration section '%{key}'. If this section was part of
           a Vagrant 1.0.x plugin, note that 1.0.x plugins are incompatible with 1.1+.
       root:
+        sensitive_bad_type: |-
+          Invalid type provided for `sensitive`. The sensitive option expects a string
+          or an array of strings.
         bad_key: |-
           Unknown configuration section '%{key}'.
       ssh:

test/unit/plugins/kernel_v2/config/vagrant_test.rb

@@ -5,6 +5,8 @@ require Vagrant.source_root.join("plugins/kernel_v2/config/vagrant")
 describe VagrantPlugins::Kernel_V2::VagrantConfig do
   subject { described_class.new }
 
+  let(:machine){ double("machine") }
+
   describe "#host" do
     it "defaults to :detect" do
       subject.finalize!
@@ -17,4 +19,41 @@ describe VagrantPlugins::Kernel_V2::VagrantConfig do
       expect(subject.host).to eq(:foo)
     end
   end
+
+  describe "#sensitive" do
+    after{ Vagrant::Util::CredentialScrubber.reset! }
+
+    it "accepts string value" do
+      subject.sensitive = "test"
+      subject.finalize!
+      expect(subject.sensitive).to eq("test")
+    end
+
+    it "accepts array of values" do
+      subject.sensitive = ["test1", "test2"]
+      subject.finalize!
+      expect(subject.sensitive).to eq(["test1", "test2"])
+    end
+
+    it "does not accept non-string values" do
+      subject.sensitive = 1
+      subject.finalize!
+      result = subject.validate(machine)
+      expect(result).to be_a(Hash)
+      expect(result.values).not_to be_empty
+    end
+
+    it "registers single sensitive value to be scrubbed" do
+      subject.sensitive = "test"
+      expect(Vagrant::Util::CredentialScrubber).to receive(:sensitive).with("test")
+      subject.finalize!
+    end
+
+    it "registers multiple sensitive values to be scrubbed" do
+      subject.sensitive = ["test1", "test2"]
+      expect(Vagrant::Util::CredentialScrubber).to receive(:sensitive).with("test1")
+      expect(Vagrant::Util::CredentialScrubber).to receive(:sensitive).with("test2")
+      subject.finalize!
+    end
+  end
 end

website/source/docs/vagrantfile/vagrant_settings.html.md

@@ -21,3 +21,11 @@ Vagrant. By default this is `:detect`, which causes Vagrant to auto-detect
 the host. Vagrant needs to know this information in order to perform some
 host-specific things, such as preparing NFS folders if they're enabled.
 You should only manually set this if auto-detection fails.
+
+`config.vagrant.sensitive` - (string, array) - Value or list of values that
+should not be displayed in Vagrant's output. Value(s) will be removed from
+Vagrant's normal UI output as well as logger output.
+
+```ruby
+config.vagrant.sensitive = ["MySecretPassword", ENV["MY_TOKEN"]]
+```