Merge pull request #9369 from chrisroberts/e-generic-sensitive

Add Vagrantfile configuration option to register sensitive values
Chris Roberts 2018-01-16 20:05:37 -08:00 committed by GitHub
commit b5383cffab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 68 additions and 0 deletions


@ -4,14 +4,32 @@ module VagrantPlugins
module Kernel_V2 module Kernel_V2
class VagrantConfig < Vagrant.plugin("2", :config) class VagrantConfig < Vagrant.plugin("2", :config)
attr_accessor :host attr_accessor :host
attr_accessor :sensitive
def initialize def initialize
@host = UNSET_VALUE @host = UNSET_VALUE
@sensitive = UNSET_VALUE
end end
def finalize! def finalize!
@host = :detect if @host == UNSET_VALUE @host = :detect if @host == UNSET_VALUE
@host = @host.to_sym if @host @host = @host.to_sym if @host
@sensitive = nil if @sensitive == UNSET_VALUE
if @sensitive.is_a?(Array) || @sensitive.is_a?(String)
Array(@sensitive).each do |value|
Vagrant::Util::CredentialScrubber.sensitive(value.to_s)
end
end
end
def validate(machine)
errors = _detected_errors
if @sensitive && (!@sensitive.is_a?(Array) && !@sensitive.is_a?(String))
errors << I18n.t("vagrant.config.root.sensitive_bad_type")
end
{"vagrant" => errors}
end end
def to_s def to_s
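Review bot: In `finalize!`, the loop hands `value.to_s` to `CredentialScrubber.sensitive` for every element, so a `nil` entry (for example an unset `ENV[...]` placed in the array) is registered as the empty string. How the scrubber treats `""` is not visible in this section; if it substitutes registered values literally, an empty pattern would match throughout the output, and very short values over-match in a similar way. I would drop blanks before registering: `Array(@sensitive).compact.map(&:to_s).reject(&:empty?).each do |value|`. `validate` also accepts any Array without inspecting its elements, although the error text promises "an array of strings". The class body continues past the end of this section (`to_s`).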


@ -1629,6 +1629,9 @@ en:
Unknown configuration section '%{key}'. If this section was part of Unknown configuration section '%{key}'. If this section was part of
a Vagrant 1.0.x plugin, note that 1.0.x plugins are incompatible with 1.1+. a Vagrant 1.0.x plugin, note that 1.0.x plugins are incompatible with 1.1+.
root: root:
sensitive_bad_type: |-
Invalid type provided for `sensitive`. The sensitive option expects a string
or an array of strings.
bad_key: |- bad_key: |-
Unknown configuration section '%{key}'. Unknown configuration section '%{key}'.
ssh: ssh:


@ -5,6 +5,8 @@ require Vagrant.source_root.join("plugins/kernel_v2/config/vagrant")
describe VagrantPlugins::Kernel_V2::VagrantConfig do describe VagrantPlugins::Kernel_V2::VagrantConfig do
subject { described_class.new } subject { described_class.new }
let(:machine){ double("machine") }
describe "#host" do describe "#host" do
it "defaults to :detect" do it "defaults to :detect" do
subject.finalize! subject.finalize!
@ -17,4 +19,41 @@ describe VagrantPlugins::Kernel_V2::VagrantConfig do
expect(subject.host).to eq(:foo) expect(subject.host).to eq(:foo)
end end
end end
describe "#sensitive" do
after{ Vagrant::Util::CredentialScrubber.reset! }
it "accepts string value" do
subject.sensitive = "test"
subject.finalize!
expect(subject.sensitive).to eq("test")
end
it "accepts array of values" do
subject.sensitive = ["test1", "test2"]
subject.finalize!
expect(subject.sensitive).to eq(["test1", "test2"])
end
it "does not accept non-string values" do
subject.sensitive = 1
subject.finalize!
result = subject.validate(machine)
expect(result).to be_a(Hash)
expect(result.values).not_to be_empty
end
it "registers single sensitive value to be scrubbed" do
subject.sensitive = "test"
expect(Vagrant::Util::CredentialScrubber).to receive(:sensitive).with("test")
subject.finalize!
end
it "registers multiple sensitive values to be scrubbed" do
subject.sensitive = ["test1", "test2"]
expect(Vagrant::Util::CredentialScrubber).to receive(:sensitive).with("test1")
expect(Vagrant::Util::CredentialScrubber).to receive(:sensitive).with("test2")
subject.finalize!
end
end
end end
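Review bot: The assertion in "does not accept non-string values" cannot fail, because `validate` returns `{"vagrant" => errors}` and so `result.values` is a one-element array even when `errors` is empty. Assert on the error list itself, e.g. `expect(result["vagrant"]).not_to be_empty`, and add the matching positive case that expects it to be empty for a valid string. There is also no example for an array containing `nil` or a non-string element, which is what a Vagrantfile reading `ENV[...]` produces when the variable is unset.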


@ -21,3 +21,11 @@ Vagrant. By default this is `:detect`, which causes Vagrant to auto-detect
the host. Vagrant needs to know this information in order to perform some the host. Vagrant needs to know this information in order to perform some
host-specific things, such as preparing NFS folders if they're enabled. host-specific things, such as preparing NFS folders if they're enabled.
You should only manually set this if auto-detection fails. You should only manually set this if auto-detection fails.
`config.vagrant.sensitive` - (string, array) - Value or list of values that
should not be displayed in Vagrant's output. Value(s) will be removed from
Vagrant's normal UI output as well as logger output.
```ruby
config.vagrant.sensitive = ["MySecretPassword", ENV["MY_TOKEN"]]
```