(PUP-11326) Make regsubst() sensitive-aware

This commit updates regsubst() to take in Sensitive type targets. Specifically, regsubst() can now take targets that are either Sensitive String, Sensitive arrays that have a combination of String and/or Sensitive[String], or non-Sensitive arrays that have combination of String and/or Sensitive[String]. Co-authored-by: Henrik Lindberg <563066+hlindberg@users.noreply.github.com> Co-authored-by: Aria Li <aria.li@puppet.com>
puppetlabs · Oct 24, 2024 · 0bf1a6b · 0bf1a6b
1 parent ed4eee5
commit 0bf1a6b
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 3 deletions.
diff --git a/lib/puppet/functions/regsubst.rb b/lib/puppet/functions/regsubst.rb
@@ -32,7 +32,7 @@
   #   $i3 = regsubst($ipaddress,'^(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)$','\\3')
   #   ```
   dispatch :regsubst_string do
-    param          'Variant[Array[String],String]',       :target
+    param          'Variant[Array[Variant[String,Sensitive[String]]],Sensitive[Array[Variant[String,Sensitive[String]]]],Variant[String,Sensitive[String]]]', :target
     param          'String',                              :pattern
     param          'Variant[String,Hash[String,String]]', :replacement
     optional_param 'Optional[Pattern[/^[GEIM]*$/]]',      :flags
@@ -69,7 +69,7 @@
   #   $x = regsubst($ipaddress, /([0-9]+)/, '<\\1>', 'G')
   #   ```
   dispatch :regsubst_regexp do
-    param          'Variant[Array[String],String]',       :target
+    param          'Variant[Array[Variant[String,Sensitive[String]]],Sensitive[Array[Variant[String,Sensitive[String]]]],Variant[String,Sensitive[String]]]', :target
     param          'Variant[Regexp,Type[Regexp]]',        :pattern
     param          'Variant[String,Hash[String,String]]', :replacement
     optional_param 'Pattern[/^G?$/]',                     :flags
@@ -97,7 +97,26 @@ def regsubst_regexp(target, pattern, replacement, flags = nil)
   end
 
   def inner_regsubst(target, re, replacement, op)
-    target.respond_to?(op) ? target.send(op, re, replacement) : target.collect { |e| e.send(op, re, replacement) }
+    if target.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive) && target.unwrap.is_a?(Array)
+      # this is a Sensitive Array
+      target = target.unwrap
+      target.map do |item|
+        inner_regsubst(item, re, replacement, op)
+      end
+    elsif target.is_a?(Array)
+      # this is an Array
+      target.map do |item|
+        inner_regsubst(item, re, replacement, op)
+      end
+    elsif target.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      # this is a Sensitive
+      target = target.unwrap
+      target = target.respond_to?(op) ? target.send(op, re, replacement) : target.map { |e| e.send(op, re, replacement) }
+      Puppet::Pops::Types::PSensitiveType::Sensitive.new(target)
+    else
+      # this should be a String
+      target.respond_to?(op) ? target.send(op, re, replacement) : target.map { |e| e.send(op, re, replacement) }
+    end
   end
   private :inner_regsubst
 end
diff --git a/spec/unit/functions/regsubst_spec.rb b/spec/unit/functions/regsubst_spec.rb
@@ -111,4 +111,34 @@ def regsubst(*args)
     end
 
   end
+
+  context 'when using a Target of Type sensitive String' do
+    it 'should process it' do
+      result = regsubst(Puppet::Pops::Types::PSensitiveType::Sensitive.new('very secret'), 'very', 'top')
+      expect(result).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      expect(result.unwrap).to eq("top secret")
+    end
+  end
+
+  context 'when using a Target of Type Array with mixed String and sensitive String' do
+    it 'should process it' do
+      my_array = ['very down', Puppet::Pops::Types::PSensitiveType::Sensitive.new('very secret')]
+      expect(regsubst(my_array, 'very', 'top')).to be_a(Array)
+      expect(regsubst(my_array, 'very', 'top')[0]).to eq('top down')
+      result = regsubst(my_array, 'very', 'top')[1]
+      expect(result).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      expect(result.unwrap).to eq('top secret')
+    end
+  end
+
+  context 'when using a Target of Type Sensitive Array with mixed String and sensitive String' do
+    it 'should process it' do
+      my_array = Puppet::Pops::Types::PSensitiveType::Sensitive.new(['very down', Puppet::Pops::Types::PSensitiveType::Sensitive.new('very secret')])
+      expect(regsubst(my_array, 'very', 'top')).to be_a(Array)
+      expect(regsubst(my_array, 'very', 'top')[0]).to eq('top down')
+      result = regsubst(my_array, 'very', 'top')[1]
+      expect(result).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      expect(result.unwrap).to eq('top secret')
+    end
+  end
 end